OS Command Injection in Fortinet FortiSandbox API

This repository is a small standalone Python exploit/scanner for Fortinet FortiSandbox command injection, targeting CVE-2026-39808. It contains two files: a detailed README and one executable Python script, fortisandbox_rce.py. The script is the sole code artifact and likely the only entry point. The exploit’s purpose is twofold: first, verify whether a remote FortiSandbox instance is vulnerable; second, optionally execute arbitrary OS commands as root without authentication. The attack is delivered over HTTP(S) to the web endpoint /fortisandbox/job-detail/tracer-behavior by injecting shell metacharacters into the jid parameter. The repository documentation and code indicate that command output is redirected to /web/ng/out.txt on the target and then fetched back through the web path /ng/out.txt, giving the operator a simple blind-to-reflected output channel. Operationally, the script uses Python standard-library networking (urllib, ssl) and disables TLS certificate validation, making it suitable for scanning appliances with self-signed certificates. It supports a single URL or bulk input from stdin, optional proxying, timeout and rate-limit controls, JSON reporting, and pipeline-friendly behavior by printing vulnerable URLs to stdout. The README describes a multi-step verification process with false-positive reduction, and the code snippet confirms the presence of fingerprinting logic, vulnerable-path checks, and response filtering signatures intended to distinguish real command output from normal HTML/login pages. This is not just a detector: it includes active exploitation capability via a user-provided command (--cmd), with examples such as id, uname -a, and cat /etc/passwd. Because the payload is basic but functional and directly executes attacker commands, the maturity is best classified as OPERATIONAL rather than a pure POC. No external exploit framework is used.

This repository is a small exploit repo with 3 files: a Python PoC, a Nuclei template, and a README. Because it includes a Nuclei template, it is part of a framework; the main exploit logic is captured in CVE-2026-39808.yaml, while the Python script provides a standalone implementation of the same attack chain. The exploit targets Fortinet FortiSandbox and chains an unauthenticated access check against /api/v1/system/firmware (described as CVE-2026-39813 auth bypass) with a command injection in /fortisandbox/job-detail/tracer-behavior via the jid parameter (CVE-2026-39808). The injected command writes output to /web/ng/out.txt, which is then retrieved from /ng/out.txt to confirm root-level execution. The Nuclei template fingerprints the login page, extracts version information, triggers a benign id payload, and verifies success by matching uid=0/gid=0 in the output. Overall, this is a real unauthenticated web RCE PoC for vulnerable FortiSandbox versions, providing root command execution and simple output exfiltration through a web-accessible file.