Unauthenticated SQL Injection and RCE in FreePBX Endpoint Manager
CVE-2025-57819 is a critical pre-authentication SQL injection vulnerability in the commercial Endpoint/Endpoint Manager module of Sangoma FreePBX affecting FreePBX 15.x prior to 15.0.66, 16.x prior to 16.0.89, and 17.x prior to 17.0.3. The flaw is caused by insufficient sanitization of user-supplied data in requests handled by the FreePBX web application, with reporting specifically identifying the /admin/ajax.php endpoint and the brand parameter as an injection point. Successful exploitation allows an unauthenticated remote attacker to bypass access controls to the FreePBX Administrator Control Panel, execute arbitrary SQL statements against the backend database, and abuse application functionality such as cron_jobs insertion to achieve code execution on the underlying system. Observed exploitation inserted malicious cron job entries that wrote a web-accessible PHP payload to disk, executed system commands, and then deleted the payload to reduce forensic visibility. Multiple reports also state attackers can chain the initial access with additional steps to obtain root-level control.
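As an added defensive example (not code from this page or from any of the repositories it lists), the following Python triages the two artefacts the summary above names: web-server access-log entries for /admin/ajax.php whose brand parameter carries SQL fragments, and rows from the FreePBX cron_jobs table whose command matches the observed post-exploitation behaviour (decode a payload, write into the web root, touch the incron spool, open a reverse shell). The log lines and cron rows are constructed samples, the base64 payload is a redacted placeholder, and the column names command and schedule as well as the marker lists are assumptions rather than FreePBX's actual schema.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format fields we need: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# SQL fragments and metacharacters that have no business in a legitimate `brand` value
# (assumed marker list; extend for your environment).
SQLI_MARKERS = re.compile(
    r"extractvalue|updatexml|information_schema|cron_jobs|ampusers|"
    r"\binsert\b|\bdelete\b|\bunion\b|\bselect\b|sleep\(|--|;|'",
    re.IGNORECASE,
)

# Strings in a cron_jobs command that match the post-exploitation behaviour described above
# (assumed marker list).
CRON_MARKERS = re.compile(
    r"base64 -d|/var/www/html|\.php\b|/var/spool/asterisk/incron|/dev/tcp|mkfifo",
    re.IGNORECASE,
)


def inspect_request(line):
    """Return a finding for a suspicious /admin/ajax.php request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/admin/ajax.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    brand = params.get("brand", [""])[0]
    markers = sorted({hit.group(0).lower() for hit in SQLI_MARKERS.finditer(brand)})
    if not markers:
        return None
    return {
        "source_ip": m.group("ip"),
        "status": int(m.group("status")),
        "module": params.get("module", [""])[0],
        "command": params.get("command", [""])[0],
        "brand": brand,
        "markers": markers,
    }


def scan_log(lines):
    """Run inspect_request over every line and keep only the findings."""
    return [f for f in (inspect_request(line) for line in lines) if f]


def suspicious_cron_jobs(rows):
    """Flag cron_jobs rows (dicts with a 'command' key, assumed) whose command matches CRON_MARKERS."""
    flagged = []
    for row in rows:
        reasons = sorted({hit.group(0).lower() for hit in CRON_MARKERS.finditer(row["command"])})
        if reasons:
            flagged.append({**row, "reasons": reasons})
    return flagged


# Constructed sample access-log lines: one injection attempt, one normal Endpoint Manager
# request, one unrelated request. The injected SQL is a non-functional placeholder.
LOG_LINES = [
    '203.0.113.7 - - [01/Sep/2025:10:01:02 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules'
    '%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x%27%3B+INSERT+INTO+cron_jobs'
    '+VALUES+(REDACTED)%3B--+- HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.4 - - [01/Sep/2025:10:02:10 +0000] "GET /admin/ajax.php?module=endpoint'
    '&command=model&brand=sangoma HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Sep/2025:10:03:00 +0000] "GET /admin/config.php?display=dashboard'
    ' HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Constructed cron_jobs rows; column names are assumptions. Row 2 mirrors the observed
# "decode payload, write PHP into the web root" pattern with the payload redacted.
CRON_JOBS = [
    {"id": 1, "schedule": "0 3 * * *", "command": "/usr/sbin/fwconsole ma refreshsignatures"},
    {"id": 2, "schedule": "* * * * *",
     "command": "echo <BASE64_PAYLOAD_REDACTED> | base64 -d > /var/www/html/shell.php"},
]

if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print("web:", finding["source_ip"], finding["module"], finding["markers"])
    for row in suspicious_cron_jobs(CRON_JOBS):
        print("cron:", row["id"], row["schedule"], row["reasons"])
```

Both checks only use indicators the summary already names, so they will not catch an attacker who avoids those strings; treat a hit as a trigger for the assume-compromise steps (pull the full cron_jobs and ampusers tables, diff the web root, review /var/spool/asterisk/incron) rather than as the whole investigation.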
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
11 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (8 hidden).
Small standalone Python exploit repository containing one main PoC script, a README, and a requirements file. The core file, CVE-2025-57819.py, implements a full exploit chain against FreePBX's endpoint module for CVE-2025-57819. The script targets the unauthenticated /admin/ajax.php endpoint over HTTPS and abuses the brand parameter in requests routed to module=FreePBX\modules\endpoint\ajax. It first verifies error-based SQL injection using EXTRACTVALUE, then uses SQLi write capability to plant a cron job that drops a base64-decoded PHP webshell (shell.php) into the web root. After waiting for cron execution, it interacts with the webshell via the cmd GET parameter to run commands as the asterisk user, performs reconnaissance, and then escalates privileges by writing incron/fwconsole hook material under /var/spool/asterisk/incron using the api.fwconsole-commands trigger. The final stage is a reverse shell callback to operator-supplied LHOST:LPORT, yielding root access. The script also supports optional cleanup of artifacts. Repository structure is minimal and purpose-built: README.md documents the attack chain, affected versions (15.x/16.x/17.x with patched versions listed), setup, and usage; requirements.txt lists requests and urllib3 dependencies. Overall, this is an operational end-to-end exploit rather than a detector or partial PoC.
This repository is a compact two-file exploit PoC targeting FreePBX by chaining two vulnerabilities: CVE-2025-57819 for stacked SQL injection and CVE-2025-61678 for authenticated arbitrary file upload leading to RCE. The repository contains a short README describing the chain and a single Python exploit script as the operational entry point. The exploit flow in exploit.py is straightforward and weaponized enough for practical use, though payloads and target values are hardcoded. First, the SQLi class abuses the /admin/ajax.php Endpoint Manager model handler by sending crafted GET parameters with a malicious brand value. The injected SQL first deletes any existing ampusers row for the chosen username, then inserts a new administrator account into the asterisk.ampusers table with a SHA1 password hash and a wildcard sections value. This gives the attacker valid FreePBX admin credentials. Next, authenticate() uses requests.Session to interact with /admin/config.php and /admin/ajax.php?module=userman&command=checkPasswordReminder, then posts the injected credentials to the admin interface to establish an authenticated session. Finally, the RCE class abuses the authenticated upload endpoint /admin/ajax.php?module=endpoint&command=upload_cust_fw. It submits multipart form data with a traversal-style fwbrand value ../../../var/www/html/shell_dir_1 so the uploaded file lands in a web-accessible directory. The uploaded payload is a minimal PHP webshell using system($_REQUEST[md5('cmd')]). The script then computes the expected shell URL and enters an interactive loop, sending attacker-supplied commands to the webshell and printing command output. Overall capability: unauthenticated-to-authenticated privilege creation via SQL injection, followed by authenticated arbitrary file upload and interactive remote command execution on the FreePBX host.
The code is a real exploit, not a detector, and is best classified as OPERATIONAL because it includes a working hardcoded payload and exploitation chain but is not part of a larger reusable framework.
Repository contains two files: a README describing the exploit chain and one Python script, full_exlpoit.py, which is the operational entry point. The script targets CVE-2025-57819 in FreePBX’s endpoint module and automates a full unauthenticated compromise chain over HTTPS. It first sends crafted GET requests to /admin/ajax.php with module=FreePBX\modules\endpoint\ajax and a malicious brand parameter to verify error-based SQL injection and extract DB metadata (database name, version, DB user). It then uses stacked SQL queries to insert a row into the cron_jobs table so FreePBX cron execution writes a base64-decoded PHP webshell to /var/www/html/shell.php. After polling the webshell and confirming command execution as the asterisk user, the script performs light post-exploitation recon and attempts privilege escalation by generating a compressed/base64 payload embedded in a filename under /var/spool/asterisk/incron/api.fwconsole-commands.<payload>. According to the repository, incrond and sysadmin_manager process this file and invoke a signed fwconsole hook as root, allowing shell metacharacter injection through a command prefixed with 'help;' and resulting in a bash reverse shell to the attacker’s supplied LHOST:LPORT. The script also includes optional cleanup to delete the cron_jobs entry and remove the webshell. Overall, this is not a detector but a full-chain exploit PoC with hardcoded post-exploitation behavior and a customizable callback address.
This repository is a small standalone exploit repo with 3 files: LICENSE, README.md, and a single Python exploit script, exploit.py. The code is not part of a larger exploitation framework. The README documents CVE-2025-57819 affecting the FreePBX Endpoint Manager module on unpatched FreePBX 17.x, describing an unauthenticated SQL injection in the brand parameter of /admin/ajax.php that can be chained into remote code execution. The exploit script performs a full attack chain rather than simple detection. It first probes the target over HTTP, then sends a crafted GET request to /admin/ajax.php with parameters module=FreePBX%5Cmodules%5Cendpoint%5Cajax, command=model, template=x, model=model, and a malicious brand value containing stacked SQL. That SQL inserts a row into the cron_jobs table. The inserted cron command decodes a base64-encoded PHP payload and writes /var/www/html/webshell.php containing <?php system($_GET[cmd]); ?>. After waiting a configurable delay (default 65 seconds) for cron execution, the script requests /webshell.php?cmd=id to verify successful code execution. Main exploit capabilities: unauthenticated network exploitation, SQL injection against a web endpoint, persistence of a malicious cron job entry, creation of a PHP webshell in the web root, and arbitrary command execution via the cmd query parameter. The README additionally explains how an operator could use the webshell to run further commands or trigger a reverse shell, though the Python script itself only deploys and verifies the webshell. Repository structure is straightforward: exploit.py is the only code file and clear entry point; README.md provides vulnerability background, usage examples, expected output, and remediation guidance. The exploit assumes plain HTTP, a Linux-style FreePBX deployment, cron execution of cron_jobs entries, and write access to /var/www/html/.
Repository contains a small standalone exploit project with 2 files: a README and one Python script, cve_2025_57819_aio.py, which is the main entry point. The exploit targets CVE-2025-57819 in Sangoma FreePBX endpoint module and is not part of a larger exploitation framework. The Python code implements an unauthenticated web attack against /admin/ajax.php using module=FreePBX\modules\endpoint\ajax, command=model, and a malicious brand parameter to inject SQL. Its primary capability is to insert a row into the cron_jobs table so the target executes an attacker-controlled command every minute, yielding RCE as the asterisk user. In staged mode, it generates or reuses an ELF reverse shell payload, hosts it on a local HTTP server bound to 0.0.0.0:<STAGE_PORT>, starts a TCP listener on 0.0.0.0:<LPORT>, and relies on the victim to fetch http://<LHOST>:<STAGE_PORT>/<payload_file> and connect back. It also includes cleanup logic that deletes the inserted cron job via a second SQL injection. A secondary mode, --create-user, uses SQL injection to create a new FreePBX administrator account and then verifies access by POSTing to /admin/ajax.php?module=userman&command=checkPasswordReminder, referencing /admin/config.php as the admin panel. Overall, this is an operational exploit with real post-exploitation capability, not merely a detector or README-only PoC.
This repository is a small, focused exploit repo containing 2 files: a README and a single Python exploit script. The code is a one-shot unauthenticated exploit for CVE-2025-57819 affecting FreePBX Endpoint Manager. It chains an error-based SQL injection in the unauthenticated AJAX handler at /admin/ajax.php into remote code execution by inserting a malicious row into the FreePBX cron_jobs database table. The exploit structure is straightforward: exploit.py defines helper output functions, a Linux-specific interface IP discovery routine, a FreePBXExploit class implementing the SQLi primitive, and a main routine that orchestrates exploitation. The SQLi primitive sends GET requests to /admin/ajax.php with module=FreePBX\modules\endpoint\ajax, command=model, template=x, model=model, and a malicious brand parameter. It uses EXTRACTVALUE-based error extraction to leak query results in chunks, first to confirm vulnerability by reading VERSION(), then to verify that a malicious cron_jobs row was inserted. For code execution, the script builds a bash reverse-shell command and injects it via a stacked INSERT INTO cron_jobs statement. It then starts a local TCP listener, waits for the target's cron subsystem to execute the row, accepts the callback, attempts a PTY upgrade using python3 and /bin/bash, and finally removes the cron job with a stacked DELETE query. This makes the exploit operational rather than a mere PoC: it includes end-to-end exploitation, callback handling, shell interaction, and cleanup. There are no hardcoded victim IPs or external C2 servers in the code. The main network target is the user-supplied FreePBX base URL, while the callback destination is attacker-controlled via --ip/--interface and --port. The README also documents additional files that are not present in this analyzed snapshot, so the actual repository contents here are limited to the main exploit and documentation.
This repository is a compact two-file exploit PoC for chaining two FreePBX vulnerabilities into unauthenticated remote code execution. The structure is simple: README.md documents the attack chain, affected versions, and usage examples; exploit.py contains the full exploit logic and is the sole executable entry point. The Python exploit targets FreePBX 16 and automates a four-stage attack. First, it sends unauthenticated GET requests to /admin/ajax.php with crafted parameters module=FreePBX\modules\endpoint\ajax, command=model, template=x, model=model, and a malicious brand value containing stacked SQL. That SQL deletes any prior matching username and inserts a new administrator directly into the asterisk.ampusers table with wildcard section access. Second, it authenticates to /admin/config.php using the newly created credentials. Third, it abuses the authenticated Endpoint Manager firmware upload handler at /admin/ajax.php?module=endpoint&command=upload_cust_fw by supplying fwbrand=../../../var/www/html/<random_dir>, causing path traversal out of the firmware directory and writing a PHP webshell into the web root. The exploit sets a Referer header to /admin/config.php?display=epm_advanced to satisfy request checks. Fourth, it verifies code execution by calling the uploaded shell with a cmd parameter and either runs a single command or launches one of several reverse shell payloads. Main capabilities include: unauthenticated SQL injection, creation of a persistent admin account, authenticated arbitrary file upload with traversal, deployment of a PHP command webshell, arbitrary command execution over HTTP, and reverse shell callback to an attacker host. The reverse shell payloads include bash /dev/tcp, mkfifo+nc, and python3 socket/pty variants. The exploit uses requests for HTTP session handling and optionally pwntools to start a listener and provide an interactive shell. 
There are no hardcoded victim domains or IPs; the target host and optional callback host/port are supplied at runtime. Fingerprintable target paths and artifacts include /admin/ajax.php, /admin/config.php, /admin/ajax.php?module=endpoint&command=upload_cust_fw, traversal to ../../../var/www/html/<dir>, the dropped .php webshell path, the asterisk.ampusers database table, and /tmp/f used by one shell variant. Overall, this is a real operational exploit PoC rather than a detector: it performs end-to-end compromise of a vulnerable FreePBX instance and provides immediate post-exploitation command execution.
This repository contains a critical exploit for CVE-2025-57819, a SQL injection vulnerability in FreePBX versions 15-17 (prior to 15.0.66, 16.0.89, and 17.0.3) affecting the commercial 'endpoint' module. The main exploit script ('Blackash-CVE-2025-57819') is a Python 3 tool that performs unauthenticated SQL injection via specific FreePBX endpoints, allowing authentication bypass and remote code execution (RCE). The script checks for vulnerability by sending time-based SQLi payloads to endpoints such as '/admin/ajax.php?module=userman&command=checkPasswordReminder' and '/ucp/ajax.php?module=userman&command=checkPasswordReminder'. Upon successful exploitation, it uploads a persistent webshell and provides an interactive shell for the attacker. The repository also includes a Nuclei YAML template ('CVE-2025-57819.yaml') for detection of vulnerable FreePBX instances, and a detailed README with background, indicators of compromise, mitigation steps, and usage instructions. The exploit is operational, providing a working attack chain from detection to RCE, and is intended for use against network-accessible FreePBX servers.
This repository provides two Python proof-of-concept scripts targeting CVE-2025-57819, a critical unauthenticated SQL injection vulnerability in FreePBX (versions ≤15.0.65, ≤16.0.88, ≤17.0.2). The vulnerability allows remote attackers to execute arbitrary SQL queries via the /admin/ajax.php endpoint, specifically through the 'module' parameter.
- 'poc_admin.py' exploits the vulnerability to create a new admin user with a known password by injecting a crafted SQL statement. The script takes a target URL as input and prints the credentials for the new admin user.
- 'poc_auto_get_username_pass.py' automates the use of sqlmap to extract all usernames and password hashes from the ampusers table across multiple FreePBX targets. It reads a list of target URLs from a file, runs sqlmap for each, and saves the output in a log directory.
Both scripts require Python 3, and the second script requires a local copy of sqlmap. The main attack vector is remote, unauthenticated access to the vulnerable /admin/ajax.php endpoint. The repository is structured with clear documentation (README.md) and two functional exploit scripts, making it a practical resource for security researchers and penetration testers.
This repository contains a single exploit script (exploit.py) targeting CVE-2025-57819, a critical unauthenticated SQL injection vulnerability in the commercial 'endpoint' module of FreePBX versions 15-17. The exploit is written in Python and is executed via the command line, taking a target URL as its argument. The script first checks the accessibility of the target, then attempts to detect the vulnerability by sending time-based SQL injection payloads to several known endpoints. If the target is found to be vulnerable, the script proceeds to extract database information, upload a PHP webshell to the server, and establish persistence. The attacker is then provided with an interactive shell interface for remote command execution. The exploit is operational and provides a working attack chain from detection to post-exploitation. The main fingerprintable endpoints are the FreePBX AJAX endpoints used for the SQL injection. The repository is structured simply, with a README, LICENSE, and the main exploit script.
This repository contains a single Python exploit script (exploit.py) targeting CVE-2025-57819, a critical unauthenticated SQL injection vulnerability in the commercial 'endpoint' module of FreePBX versions 15-17. The exploit works by sending crafted POST requests to specific FreePBX endpoints to test for and exploit SQL injection. Upon confirming the vulnerability, it extracts database information, uploads a PHP webshell to the target server, and provides an interactive shell for remote command execution. The script is operational and automates the full attack chain from detection to post-exploitation. The README provides basic usage instructions, and the LICENSE is MIT. The main entry point is exploit.py, which is invoked with the target URL as an argument. The exploit is not part of a framework and is a standalone operational exploit.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
88 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A known FreePBX-related vulnerability cited as one of two high-confidence flaws used for initial access in the INJ3CTOR3 exploitation campaign against exposed VoIP servers.
A pre-authentication SQL injection vulnerability in the FreePBX Endpoint module identified as a likely entry point for the INJ3CTOR3 campaign against FreePBX systems.
A referenced FreePBX zero-day vulnerability (CVSS 10.0 per the related-post title); no additional details are provided in the main content.
A vulnerability mentioned only in a related-stories section; no details provided in the main content.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.