Unauthenticated RCE in Fortinet FortiNAC

This repository is a proof-of-concept exploit for CVE-2022-39952, a critical vulnerability in Fortinet FortiNAC. The exploit consists of a Python script (CVE-2022-39952.py), a sample payload file, and a README with usage instructions and technical background. The Python script creates a ZIP archive containing a user-supplied payload (typically a cron job script) and uploads it to the vulnerable keyUpload.jsp endpoint on the target FortiNAC system via HTTPS on port 8443. If successful, the payload is written to /etc/cron.d/payload on the target, allowing for arbitrary code execution. The provided payload establishes a reverse shell from the target to the attacker's machine. The exploit requires the attacker to supply a payload file and the target's IP address. The repository is operational and demonstrates a real-world attack scenario, with clear instructions and a working payload.

This repository contains a Python exploit for CVE-2022-39952, a critical vulnerability in Fortinet FortiNAC. The exploit consists of two files: a README.md with usage instructions and exploit.py, the main exploit script. The script allows an attacker to upload a malicious JSP webshell or reverse shell to a vulnerable FortiNAC server by abusing the /configWizard/keyUpload.jsp endpoint. The payload is delivered as a ZIP file containing the JSP file, which is written to /bsc/campusMgr/ui/ROOT/ on the target. The attacker can then interact with the webshell for arbitrary command execution or receive a reverse shell connection. The exploit supports targeting single or multiple hosts and can be configured for custom attacker host and port for the reverse shell. The attack vector is network-based, requiring access to the target's HTTPS interface. The exploit is operational, providing working payloads and automation for exploitation.