Unauthenticated SQL Injection in Fortinet FortiWeb Fabric Connector
CVE-2025-25257 is a critical pre-authentication SQL injection vulnerability in Fortinet FortiWeb affecting versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. The flaw is in the FortiWeb Fabric Connector component, specifically in handling requests to /api/fabric/device/status. Available reporting states the Bearer token from the HTTP Authorization header is processed by backend logic, including the get_fabric_user_by_token() function, and is incorporated into an SQL query without sufficient sanitization or parameterization. An unauthenticated attacker can send crafted HTTP or HTTPS requests to inject arbitrary SQL. Public technical reporting further indicates the SQL injection can be chained with MySQL file-write primitives such as SELECT ... INTO OUTFILE to write a malicious Python .pth file into the appliance filesystem, after which invoking a Python-based CGI script such as /cgi-bin/ml-draw.py can trigger code execution because Python processes .pth files at startup.
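Added detection example (not code from this page or from Fortinet): a Python scanner that reads access-log lines recorded by a proxy in front of the appliance and flags requests to the endpoint above whose Bearer token contains SQL metacharacters or file-write keywords. The log format, field names and sample lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Endpoint named in the advisory; only requests to it are inspected.
TARGET_PATH = "/api/fabric/device/status"

# Substrings a legitimate Fabric Connector Bearer token never contains,
# most specific first so the reported reason is the most telling one.
SUSPICIOUS = [
    (r"(?i)\binto\s+(out|dump)file\b", "file-write"),
    (r"(?i)\bunion\b.*\bselect\b", "union-select"),
    (r"(?i)\b(sleep|benchmark)\s*\(", "time-based"),
    (r"--|/\*|#", "sql-comment"),
    (r"'", "quote"),
]

# Assumed log format: client IP, quoted request line, status, then the
# Authorization header as recorded by a fronting proxy (constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)

@dataclass
class Finding:
    src_ip: str
    reason: str
    token_preview: str  # first 40 chars, enough to triage

def inspect_line(line: str):
    """Return a Finding for a suspicious request to TARGET_PATH, else None."""
    m = LOG_RE.match(line)
    if not m or m["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    auth = m["auth"]
    if not auth.lower().startswith("bearer "):
        return None
    token = unquote(auth[len("bearer "):])  # fold %27-style URL encoding
    for pattern, reason in SUSPICIOUS:
        if re.search(pattern, token):
            return Finding(m["ip"], reason, token[:40])
    return None

def scan(lines):
    return [f for f in map(inspect_line, lines) if f is not None]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 "GET /api/fabric/device/status HTTP/1.1" 200 auth="Bearer 5f3c9a1b2d4e"',
    '203.0.113.7 "GET /api/fabric/device/status HTTP/1.1" 500 auth="Bearer 7a1f\' OR 1=1"',
    '203.0.113.7 "GET /api/fabric/device/status HTTP/1.1" 200 auth="Bearer 0\' INTO OUTFILE \'/tmp/demo"',
    '198.51.100.9 "GET /api/fabric/device/status HTTP/1.1" 200 auth="Bearer abc%27%20UNION%20SELECT%201"',
    '10.0.0.8 "POST /api/v2/login HTTP/1.1" 200 auth="Bearer it\'s-another-endpoint"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src_ip} {f.reason}: {f.token_preview!r}")
```

Only the fabric endpoint is scoped, so a quote in a token sent elsewhere is not reported; widen TARGET_PATH handling if your proxy logs paths with a prefix.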
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).
This repository contains a working exploit for CVE-2025-25257, a critical unauthenticated SQL injection vulnerability in Fortinet FortiWeb (versions 7.6.0-7.6.3, 7.4.0-7.4.7, 7.2.0-7.2.10, 7.0.0-7.0.10). The exploit is implemented in a single Python script (CVE-2025-25257.py) and is accompanied by a detailed README.md explaining the vulnerability, affected versions, and exploitation steps. The exploit leverages a SQL injection in the /api/fabric/device/status endpoint, abusing the Authorization: Bearer header to execute arbitrary SQL. It chains this to achieve remote code execution by writing a shell script webshell to /migadmin/cgi-bin/x.cgi on the target, then uses a secondary payload to set executable permissions. Once deployed, the webshell can be accessed at /cgi-bin/x.cgi, and arbitrary commands can be executed by sending them in the User-Agent header of HTTP requests. The repository is well-structured, with clear separation between exploit code and documentation. The exploit is operational, providing a real webshell payload and demonstrating full compromise of the target system. No detection-only scripts are present; the code is a true exploit with post-exploitation capabilities.
This repository provides a vulnerable simulation of FortiWeb (CVE-2025-25257) for demonstration and testing purposes. The main exploit capability is a SQL injection vulnerability in the /api/system/fabric/config POST endpoint, where the Authorization header is directly concatenated into an SQL query without sanitization. This allows attackers to bypass authentication and extract sensitive data from the SQLite database, such as user credentials and configuration secrets. The repository includes a Dockerfile and docker-compose setup for easy deployment, with Python (Flask) as the main application language. The init_db.py script initializes the database with test data. The payload.txt file contains a simple bash payload, but the main exploit vector is SQL injection, not RCE. The repository is structured for educational use, simulating a real-world FortiWeb vulnerability, and is not a detection script or fake exploit.
This repository contains a Python exploit script (watchtowel.py) and a README.md for CVE-2025-25257, a vulnerability in Fortinet FortiWeb. The exploit leverages a SQL injection vulnerability in the '/api/fabric/device/status' API endpoint to achieve remote code execution. The attack works by injecting SQL commands to create a table, write a Python reverse shell payload in chunks, and then write this payload to a .pth file on the target system. The exploit then triggers the execution of this payload by accessing the '/cgi-bin/ml-draw.py' endpoint, which causes the Python interpreter to execute the malicious .pth file, resulting in a reverse shell connection to a hardcoded IP address and port (192.168.18.1:4444). The script requires the user to specify the target URL and optionally a proxy, and the reverse shell parameters must be manually changed in the code. The repository is operational and provides a working exploit for the vulnerability, with clear instructions and a walkthrough referenced in the README.
This repository provides a fully functional exploit for CVE-2025-25257, a critical unauthenticated SQL injection vulnerability in Fortinet FortiWeb (versions <= 7.0.10, 7.2.10, 7.4.7, 7.6.3). The exploit is implemented in a single Python script (CVE-2025-25257.py) and is accompanied by a detailed README and an SVG diagram illustrating the attack workflow. The exploit works by sending a crafted HTTP request to the vulnerable /api/fabric/device/status endpoint, injecting SQL via the Authorization header. This allows the attacker to write arbitrary files to the server using MySQL's SELECT ... INTO OUTFILE functionality. The script writes a shell webshell to /migadmin/cgi-bin/x.cgi and a Python script to /var/log/lib/python3.10/pylab.py, which is then triggered to set the correct permissions on the webshell and clean up traces. Once deployed, the attacker can execute arbitrary system commands by sending them in the User-Agent header to the webshell URL. The repository is well-structured, with clear documentation, usage instructions, and visual aids. The exploit is operational and provides full remote code execution on vulnerable FortiWeb appliances, requiring only network access to the management interface. No authentication is needed. The code is not part of a framework and is standalone. The only code file is the Python exploit script, which is the main entry point.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-25257, a pre-authentication SQL injection vulnerability in Fortinet FortiWeb Fabric Connector versions 7.0 through 7.6.x. The exploit targets the /api/fabric/device/status HTTP API endpoint by injecting a malicious SQL payload in the Authorization: Bearer header. The repository contains two PoC scripts: one in Python (src/poc.py) and one in JavaScript (java/poc.js), both of which send a GET request to the vulnerable endpoint with the crafted header. Additionally, there is a detection script (src/detect.py) that scans logs for evidence of this exploit attempt. The README.md provides detailed vulnerability information, usage instructions, and a sample curl command. The exploit demonstrates the vulnerability but does not include weaponized payloads for remote code execution; it is intended for detection and validation of the SQL injection vector.
This repository contains a fully functional exploit for CVE-2025-25257, a critical unauthenticated SQL injection vulnerability in Fortinet FortiWeb's Fabric Connector API. The exploit is implemented in a single Python script (CVE-2025-25257.py) and is accompanied by a detailed README.md explaining the vulnerability and its impact. The exploit works by abusing the /api/fabric/device/status endpoint, which is vulnerable to SQL injection via the Authorization: Bearer header. The script chains SQL injection to write arbitrary files (using MySQL's SELECT ... INTO OUTFILE) to the target's filesystem, specifically deploying a shell script webshell to /migadmin/cgi-bin/x.cgi. It then triggers a chmod operation via another endpoint (/cgi-bin/ml-draw.py) to make the webshell executable. Once deployed, the attacker can execute arbitrary OS commands by sending them in the User-Agent header to the webshell URL. The script supports both single and multiple targets, optional proxying, and provides clear output on exploitation success. The exploit targets FortiWeb versions 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, and <=7.0.10. The attack vector is network-based, requiring only HTTP(S) access to the vulnerable API. The endpoints and file paths used in the attack are clearly defined in the code, making this a highly operational and weaponized exploit.
This repository contains a single Python exploit script (CVE-2025-25257.py) targeting CVE-2025-25257, a critical unauthenticated SQL injection vulnerability in FortiWeb systems. The exploit abuses the /api/fabric/device/status endpoint, injecting SQL via the Authorization header to write a shell script (webshell) to /migadmin/cgi-bin/x.cgi using SQL INTO OUTFILE. It then uses a Python hook (written to /var/log/lib/python3.10/pylab.py and triggered via /cgi-bin/ml-draw.py) to set executable permissions on the webshell. Once deployed, the webshell allows arbitrary command execution by sending commands in the User-Agent header to /cgi-bin/x.cgi. The repository includes a README with detailed usage instructions, attack flow, and mitigation advice. The exploit is fully automated, requiring only the target URL as input, and demonstrates a complete chain from SQL injection to remote code execution. No detection scripts or fake code are present; this is a functional, operational exploit.
This repository provides a Python-based exploit and vulnerability checker for CVE-2025-25257, a critical SQL injection and remote code execution vulnerability in FortiWeb devices. The repository contains two main scripts: 'vuln_check.py' (the primary exploit and checker) and 'exp.py' (a command execution tool for already-exploited targets). The exploit works by abusing the '/api/fabric/device/status' endpoint via a crafted Authorization header to perform SQL injection, which is then used to write a shell script (webshell) to '/migadmin/cgi-bin/x.cgi'. The webshell allows arbitrary command execution by sending commands in the HTTP User-Agent header. The exploit also uploads a Python script to set executable permissions on the webshell and cleans up after itself. The tool supports scanning single or multiple targets, logs results to 'vuln.txt', and provides clear output for operational use. The code is mature, operational, and provides a working payload for remote code execution on vulnerable FortiWeb devices.
This repository contains a Python exploit for CVE-2025-25257, a pre-authentication SQL injection vulnerability in Fortinet FortiWeb appliances. The exploit script (exploit.py) can detect vulnerable versions by querying the /api/fabric/device/status endpoint and parsing the version information. If the target is vulnerable, the script uses SQL injection to upload a persistent shell script webshell to /migadmin/cgi-bin/x.cgi, which can be triggered via HTTP requests with commands sent in the User-Agent header. The exploit also uploads a Python script to /var/log/lib/python3.10/pylab.py to set the correct permissions on the webshell and then triggers its execution via the /cgi-bin/ml-draw.py endpoint. The README provides usage instructions and warnings about the destructive nature of the exploit. The repository is structured with a single main exploit script, a README, and a license file. The exploit is operational and provides a persistent remote shell on vulnerable FortiWeb appliances.
This repository contains a working exploit and a proof-of-concept (PoC) for CVE-2025-25257, a critical SQL injection vulnerability in Fortinet FortiWeb (tested on version 7.6.1,build1010(GA.F),241126). The main exploit file, exp.py, leverages a SQL injection in the /api/fabric/device/status endpoint to achieve remote code execution (RCE) by uploading a shell script webshell to /cgi-bin/x.cgi. The webshell executes commands received via the HTTP User-Agent header, providing an attacker with a remote shell. The exploit also manipulates file permissions using a helper Python script written to /var/log/lib/python3.10/pylab.py. The signed.py file demonstrates arbitrary file read and write primitives using the same SQL injection vector, allowing an attacker to exfiltrate sensitive files (e.g., /etc/passwd) or write arbitrary files to the filesystem. The repository is well-structured, with clear separation between the full exploit and the PoC for file operations. No detection scripts are present; both scripts provide real exploit capabilities. The attack vector is network-based, requiring access to the vulnerable API endpoint over HTTPS.
Recent activity
118 sources tracked across advisories, community write-ups, and news.
An unauthenticated SQL injection vulnerability in FortiWeb; the source states it was exploited in the wild shortly after disclosure.
A critical pre-authentication SQL injection vulnerability in Fortinet FortiWeb's Fabric Connector API allows remote, unauthenticated attackers to execute arbitrary SQL or OS commands via crafted HTTP/HTTPS requests.
A previously disclosed Fortinet FortiWeb vulnerability, referenced as having been targeted shortly after disclosure (the source provides no further technical details).
A previously disclosed FortiWeb vulnerability, referenced as having been exploited in the wild (the source provides no further technical details).