Fortinet FortiOS SSL VPN Path Traversal Arbitrary File Read
CVE-2018-13379 is an unauthenticated path traversal vulnerability in the SSL VPN web portal of Fortinet FortiOS and FortiProxy. Affected versions include FortiOS 6.0.0 through 6.0.4, 5.6.3 through 5.6.7, and 5.4.6 through 5.4.12, as well as FortiProxy 2.0.0, 1.2.0 through 1.2.8, 1.1.0 through 1.1.6, and 1.0.0 through 1.0.7. The flaw results from improper limitation of a pathname to a restricted directory in HTTP resource handling under the SSL VPN web portal, allowing specially crafted HTTP requests to traverse directories and download arbitrary system files. Public reporting and government advisories state that attackers used this issue to read sensitive files, including SSL VPN session data and the sslvpn_websession file, exposing cleartext usernames and passwords or session tokens that could then be used for follow-on access.
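As an added defender-side check (not code from Fortinet or from any of the exploit repositories listed on this page), the following Python script turns the affected version ranges stated above into a function that triages a firmware inventory. The product names, inventory layout and the helper names are this example's own assumptions; the version ranges are the ones the text above gives.

```python
# Added example: flag FortiOS / FortiProxy firmware versions that fall inside the
# affected ranges for CVE-2018-13379 as listed on this page. Function names and
# the inventory format are assumptions of this example, not a vendor API.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Inclusive (first_affected, last_affected) ranges per product, copied from the
# description above. Consult the vendor advisory for the authoritative list.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "fortios": [
        ("6.0.0", "6.0.4"),
        ("5.6.3", "5.6.7"),
        ("5.4.6", "5.4.12"),
    ],
    "fortiproxy": [
        ("2.0.0", "2.0.0"),
        ("1.2.0", "1.2.8"),
        ("1.1.0", "1.1.6"),
        ("1.0.0", "1.0.7"),
    ],
}


def parse_version(text: str) -> Version:
    """Turn 'v6.0.4', '6.0.4 build0231' or '6.0.4' into a comparable tuple (6, 0, 4).

    Comparing tuples of ints avoids the classic string-compare bug where
    '5.4.12' sorts before '5.4.6'.
    """
    text = text.strip().lower().lstrip("v").split()[0]
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if product/version lies inside one of the affected ranges."""
    ranges = AFFECTED_RANGES.get(product.strip().lower())
    if ranges is None:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames from (host, product, version) rows that need patching."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("fw-edge-1", "FortiOS", "6.0.4"),
        ("fw-edge-2", "FortiOS", "6.0.5"),
        ("fw-branch", "FortiOS", "5.4.12"),
        ("proxy-1", "FortiProxy", "1.2.8"),
        ("proxy-2", "FortiProxy", "2.0.1"),
    ]
    for host in triage(sample):
        print(f"{host}: firmware is in an affected range for CVE-2018-13379")
```

The parser deliberately rejects anything that is not a three-part numeric version, so an unexpected string from an inventory export fails loudly rather than being silently treated as unaffected. Build numbers after the version are dropped; if your inventory records only a build number, map it to a version first.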
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a small standalone Python exploit tool for mass exploitation of CVE-2018-13379 against Fortinet FortiOS SSL VPN devices. It contains two files: a README describing usage and one executable script, exploit.py. The script is the main entry point and implements a multithreaded scanner/exploiter using 20 worker threads by default. Core behavior: the script reads targets from targets.txt, builds an HTTPS request to /remote/fgt_lang with a path traversal payload pointing to /dev/cmdb/sslvpn_websession, disables TLS certificate warnings, and sends the request with the Python requests library. If the response is HTTP 200 and begins with the marker 'var fgt_lang', it treats the target as vulnerable and parses the returned binary content for credential records. Extracted username/password pairs are deduplicated and immediately written to fortios_creds.csv; if PostgreSQL is configured and reachable, they are also inserted into a dynamically named table fortios_creds_<timestamp>. Repository structure is minimal and purpose-built: README.md documents installation, configuration, and expected output; exploit.py contains configuration constants, PostgreSQL connection-pool setup, credential parsing logic, CSV/DB persistence, worker-thread logic, and the main routine. This is not merely a detector: it performs active exploitation and credential harvesting. The payload is fixed rather than user-customizable, so its maturity is best classified as OPERATIONAL rather than framework-grade weaponized.
Repository contains a single Python3 exploit script plus a README.
- Primary exploit file: `CVE-2018-13379` (Python). Implements an unauthenticated network exploit for Fortinet FortiGate SSL-VPN path traversal / arbitrary file read (CVE-2018-13379). It targets the SSL-VPN web portal endpoint `/remote/fgt_lang` and supplies a crafted `lang` parameter containing traversal sequences to retrieve `/dev/cmdb/sslvpn_websession`.
- Capabilities:
  - Single-target or bulk scanning: accepts `--ip` for one target or `--file` for a list; uses `multiprocessing.Pool` with configurable `--threads` (default 10).
  - Exploitation and collection: performs `requests.get()` over HTTPS with certificate verification disabled and a short timeout (2s). If the response contains the marker `var fgt_lang =`, it treats the host as vulnerable, saves the raw response to `sslvpn_websession_<target>.dat`, and then parses the file.
  - Post-processing: `parseFile()` reads the saved file and prints printable ASCII characters in 61-byte lines (non-printables replaced with `.`), effectively dumping readable strings from the session database to the console.
- Notable implementation details / limitations:
  - The script hardcodes the HTTPS scheme; targets may include a port (e.g., `ip:10443`), which is interpolated directly into `https://{ip}/...`.
  - An output directory is supported via `--output` by changing the current working directory before writing files.
  - This is not a full RCE exploit; it is an operational data-exfiltration PoC focused on session information disclosure.
- README: documents the CVE, affected FortiOS version ranges, the vulnerable endpoint, and references.
This repository contains a Python exploit script (CVE-2018-13379.py) targeting the critical path traversal vulnerability CVE-2018-13379 in Fortinet FortiOS SSL VPN and FortiProxy. The exploit works by sending a specially crafted HTTPS request to the /remote/fgt_lang endpoint on the target device, using a path traversal payload to access the internal file /dev/cmdb/sslvpn_websession. If successful, the script downloads this file, saves it locally, and parses it to extract usernames and session tokens, which can be used for session hijacking. The script supports scanning single or multiple targets (with multithreading), and is intended for use against vulnerable Fortinet devices running specific versions of FortiOS or FortiProxy. The repository also includes a README with usage instructions and a license file. No fake or detection-only code is present; this is a functional exploit.
This repository contains a Metasploit auxiliary scanner module (fortios_vpnssl_traversal_leak.rb) that exploits a path traversal vulnerability (CVE-2018-13379) in the FortiOS SSL VPN web portal. The exploit targets FortiOS versions 5.4.6-5.4.12, 5.6.3-5.6.7, and 6.0.0-6.0.4, allowing unauthenticated attackers to download the /dev/cmdb/sslvpn_websession file via a crafted HTTP GET request to the /remote/fgt_lang endpoint. The module parses the downloaded file to extract cleartext VPN session credentials (usernames and passwords) and can optionally store them in the Metasploit database. The repository includes a README and a markdown description of the vulnerability, but the main exploit logic resides in the Ruby module file. The attack vector is network-based, requiring access to the SSL VPN web interface (typically on port 10443/tcp).
This repository contains a Python exploit script (cve-2018-13379.py) targeting CVE-2018-13379, a path traversal vulnerability in Fortinet FortiOS SSL VPN (versions 5.6.3-5.6.7 and 6.0.0-6.0.4). The exploit takes a file containing a list of target hosts, then for each host, sends a crafted HTTPS request to the /remote/fgt_lang endpoint with a path traversal payload to access the /dev/cmdb/sslvpn_websession file. If successful, it downloads the file, parses it to extract cleartext VPN usernames and passwords, and saves both the raw and parsed data to local files. The script is operational and automates both exploitation and credential extraction. The README is minimal and provides only a title and screenshot. The main entry point is cve-2018-13379.py, written in Python, and the attack vector is network-based, requiring access to the SSL VPN web interface.
This repository contains a Python proof-of-concept exploit for CVE-2018-13379, a path traversal vulnerability in Fortinet FortiOS SSL VPN. The main file, CVE-2018-13379.py, allows an attacker to target one or more FortiOS devices by sending a crafted HTTPS request to the /remote/fgt_lang endpoint with a path traversal payload. If successful, the exploit downloads the contents of the sensitive file '/dev/cmdb/sslvpn_websession', which may contain session information, and parses it to display printable ASCII data. The script supports multi-threaded scanning of multiple targets and can take input from a file or command line. The README provides references and lists affected FortiOS versions. No payload for code execution is included; the exploit is limited to file disclosure.
This repository contains a Python exploit script (CVE-2018-13379.py) targeting Fortinet FortiOS devices vulnerable to CVE-2018-13379, a path traversal vulnerability in the SSL VPN web interface. The exploit automates the process of sending a crafted HTTPS request to the vulnerable endpoint, allowing unauthenticated attackers to read the sensitive file '/dev/cmdb/sslvpn_websession' and extract VPN session credentials. The script supports batch exploitation by reading a list of targets from a file, processes each target in a new thread, and saves the extracted credentials to individual text files. The code also attempts to enrich the output with information from Shodan about each target. The repository includes a README with usage instructions, a .gitignore, and a GPLv3 license. The main entry point is the CVE-2018-13379.py script, which is operational and provides real credential extraction functionality against vulnerable FortiOS devices.
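Every tool summarised above issues the same request shape: a GET to `/remote/fgt_lang` whose `lang` parameter carries traversal sequences pointing at `/dev/cmdb/sslvpn_websession`, and the tools treat an HTTP 200 as success. That makes the pattern easy to hunt for in reverse-proxy or web access logs. The following Python detector is an added example, not code from any of the repositories above; the log format, the sample lines and the body-size heuristic used to separate probes from probable leaks are this example's own assumptions.

```python
# Added example: hunt for CVE-2018-13379 traversal requests in common-log-format
# access logs. The sample lines below are constructed for this example; the
# 4096-byte "probable leak" threshold is an assumption, not a published figure.
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2019:12:00:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1832
203.0.113.10 - - [10/Aug/2019:12:00:02 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 512
198.51.100.7 - - [10/Aug/2019:12:00:05 +0000] "GET /remote/fgt_lang?lang=/../../../../dev/cmdb/sslvpn_websession HTTP/1.1" 200 200000
198.51.100.7 - - [10/Aug/2019:12:00:06 +0000] "GET /remote/fgt_lang?lang=%2f..%2f..%2f..%2f..%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 200 200000
192.0.2.44 - - [10/Aug/2019:12:01:00 +0000] "POST /remote/logincheck HTTP/1.1" 200 0
"""

# Common log format: host ident user [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def _decode_repeatedly(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded traversal (%252e%252e) is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_probe(target: str) -> bool:
    """True when the request target is /remote/fgt_lang with a traversal-style lang value."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != "/remote/fgt_lang":
        return False
    # parse_qs already decodes once; decode again for nested encodings.
    for value in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        decoded = _decode_repeatedly(value).replace("\\", "/").lower()
        if "../" in decoded or "/.." in decoded or "sslvpn_websession" in decoded:
            return True
    return False


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per matching line: source, timestamp, status, size, target."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common log format; skip rather than guess
        if is_traversal_probe(m["target"]):
            findings.append({
                "src": m["src"], "ts": m["ts"], "status": m["status"],
                "size": m["size"], "target": m["target"],
            })
    return findings


def likely_successful(finding: Dict[str, str]) -> bool:
    """Probe answered with 200 and a sizeable body: treat as a probable file leak.

    Assumption of this example: a refused traversal returns a small page, while a
    leaked session file is large. Tune the threshold to your own baseline.
    """
    return (finding["status"] == "200"
            and finding["size"] != "-"
            and int(finding["size"]) > 4096)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "PROBABLE LEAK" if likely_successful(f) else "probe"
        print(f"{f['ts']} {f['src']} {verdict}: {f['target']}")
```

A hit that passes `likely_successful` should be handled as described under remediation above: assume the session file was read, invalidate SSL VPN sessions and rotate the credentials of every account that had one, then patch. Pure probes still tell you which sources are scanning for the endpoint.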
Recent activity
48 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An older Fortinet vulnerability cited as still being actively targeted in 2025 because it provides immediate remote access.
A widely known vulnerability referenced as an example of historical coverage in the EU Vulnerability Database (GCVE).
An information disclosure/system file leak vulnerability in Fortinet FortiOS/FortiGate SSL VPN referenced as exploited.