Added Pandora FMS RCE and SQLi module #2985
Conversation
Thanks for the update. You're not actually replacing the current Pandora exploit, though. You're adding another one. It would make more sense to simply update the file in my opinion.
@wchen-r7 Sorry, I'm confused. Has PR #2979 already been fully merged? Also this PR includes the changes requested by @jlee-r7 and @jvazquez-r7
@wchen-r7 no, this is a different bug.
Ah ok. My bad. |
I have no idea what is up with #2979, but I'll take this one.
'uri' => normalize_uri(uri, "index.php") | ||
}) | ||
|
||
if res && res.code == 200 and res.body =~ /Pandora FMS - the Flexible Monitoring System/ && res.body =~ /(?<=xx-small;">v)(.*?)(?=<\/td>)/ |
Don't use `and`. `&&` instead, please.
@jlee-r7 Is everything good with the latest commit? I just wanted to make sure that I addressed all of your change requests.
Improvements for PandoraFMS SQLi module
Thanks @pyoor! Waiting to hear from travis and testing...
Exploit looks like it's working:
but not the check method:
|
return Exploit::CheckCode::Unknown | ||
end | ||
|
||
if version && version <= "4.1.1" |
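Review bot: `version <= "4.1.1"` compares two strings, so the check is lexicographic rather than numeric, and the bound itself disagrees with the PR description, which puts the affected range at 5.0 SP2 and below, so a 5.0SP2 appliance falls through to `Exploit::CheckCode::Unknown`. Suggest normalizing the captured version into numeric components before comparing (e.g. "5.0SP2" to 5, 0, 2) and comparing against the highest affected release rather than against the literal "4.1.1".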
Doesn't look consistent with the description, maybe a typo :?
I would recommend changing the filename to be snake_case compliant:
|
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::FileDropper |
Looks like you're not using FileDropper, but cleaning up yourself in cleanup.
ping @pyoor, do you mind taking care of the comments please? thanks!
Looks like the author has abandoned this one :( I'm going to try to do the clean up myself, and hopefully land it.
Finished the PR by myself, see final result here: c82acfe Thanks @pyoor for your submission. If you don't feel comfortable with any change in the landed version, please feel free to do a new pull request. Finished the clean up myself because it lived in the pull request queue for too long. Thanks!
This is a corrected PR to replace PR #2979
Remote Code Execution in Pandora FMS 5.0 SP2 and below (Tested on 4.0.2/4.1.1/5.0SP2 appliances).
How to replicate the vulnerable environment:
Download Pandora FMS 5.2 SP2: http://sourceforge.net/projects/pandora/files/Pandora%20FMS%205.0/FinalSP2/PandoraFMS5.0SP2-131226_64bit.iso/download
This module performs several steps in order to gain RCE. First, the module attempts to authenticate using default credentials. If this fails a SQL injection vulnerability affecting the mobile login form is exploited. Pandora FMS implements an "Auto login" hash which stores plaintext passwords in the database. Leveraging the SQLi, the plain-text password is extracted and used to authenticate. Once authenticated, this module will leverage the file manager functionality in order to upload a PHP payload.
If all methods fail the SQLi is leveraged in order to extract the admin MD5 password hash for offline cracking.
Using default credentials:
Using "Auto login" hash mechanism:
Resort to password extraction:
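As an added example (not the module's own code or part of the project), a version check that avoids the string comparison flagged in the review above and matches the "5.0 SP2 and below" range stated in this description. `parse_pandora_version`, `pandora_vulnerable?`, `naive_vulnerable?` and the assumed shape of the captured version string (the text after the "v" in the login page footer, e.g. "4.1.1" or "5.0SP2") are assumptions made for the example, not the module's API.

```ruby
# Added example, not the module's code. Version strings are assumed to look
# like "4.0.2", "4.1.1" or "5.0SP2" (what the module's regex captures after "v").

# Map a Pandora FMS version string to comparable integer components.
# "5.0SP2" -> [5, 0, 2]; "4.1.1" -> [4, 1, 1]; "5.0" -> [5, 0, 0]
# A service pack is treated as the third component when no explicit
# patch number is present; unrecognised input returns nil.
def parse_pandora_version(str)
  m = /\A\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*SP\s*(\d+))?\s*\z/i.match(str.to_s)
  return nil unless m
  major = m[1].to_i
  minor = m[2].to_i
  patch = (m[3] || m[4] || 0).to_i
  [major, minor, patch]
end

# Highest affected release per the PR description: 5.0 SP2 (assumed mapping).
LAST_VULNERABLE = [5, 0, 2]

# true  -> version is at or below 5.0 SP2 (check should report vulnerable)
# false -> newer than 5.0 SP2
# nil   -> version not understood (check should return Unknown)
def pandora_vulnerable?(str)
  v = parse_pandora_version(str)
  return nil if v.nil?
  (v <=> LAST_VULNERABLE) <= 0
end

# The string comparison the review flagged, kept only for contrast:
# "5.0SP2" <= "4.1.1" is false because '5' sorts after '4' as a character,
# so the 5.0SP2 appliance the author tested against is never flagged.
def naive_vulnerable?(str)
  str <= "4.1.1"
end

if __FILE__ == $PROGRAM_NAME
  %w[4.0.2 4.1.1 5.0SP2 5.0SP3 5.1].each do |v|
    puts "#{v}: naive=#{naive_vulnerable?(v)} fixed=#{pandora_vulnerable?(v).inspect}"
  end
end
```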