0xma Cyber Security Articles




June 09, 2022

SQL Injection Vulnerability in Artica Pandora FMS 742 (CVE-2021-32099) - Example 01

In this tutorial, we will see how to perform a SQL injection attack against the pandora_console component of Artica Pandora FMS 742. The vulnerability allows an unauthenticated attacker to upgrade an unprivileged session via the "session_id" parameter of /include/chart_generator.php, which leads to a login bypass.

This page contains more information about this exploit.

Paste this URL into the browser.

URL with the SQL injection.

Browsing this URL displays a blank page.

Running the SQL injection in the browser.

Browse to the "/pandora_console/" page, or refresh it if you are already on that page. It logs us in as admin.

Browsing to '/pandora_console/' to get admin privileges.

This simple PHP script will run whatever command we pass to the "cmd" parameter.

PHP script to run commands.

Click on "Admin tools" and then click on "File manager".

Navigating to the 'File manager' page to upload the PHP script.

It shows a bunch of images. Click on "Upload file(s)".

Clicking on 'Upload file(s)'.

Click on Browse.

Clicking on Browse.

Select the PHP file.

Selecting the PHP file.

Click on Go.

Clicking on Go.

Now we can utilize the PHP script to run commands on the server. It runs the whoami command.

Running the 'whoami' command on the target using curl through command injection.

Let's run a Bash reverse shell.

Running Bash reverse shell using curl through command injection.

It is important to have netcat listening before running the reverse shell.

Receiving the reverse shell with netcat.

We can also upload a PHP reverse shell script to the target. Let's copy this script to the current working directory.

Finding a PHP reverse shell script on the system.

Enter your own IP address and the port on which you will be listening.

Entering the IP address and port number to listen on.

Run the PHP reverse shell script using curl.

Running PHP reverse shell script using curl.

And we get a reverse shell on our netcat listener.

Receiving the reverse shell with netcat.
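From the defender's side, the two GET requests in this walkthrough (the "session_id" request to /include/chart_generator.php and the "cmd" request to the uploaded PHP file) are visible in the web server's access log. The following is an added detection sketch, not code from the original article or from the Pandora FMS project; the log lines, the `PLACEHOLDER_DIR` path and the function names are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A PHP session ID consists only of these characters; any other byte in
# session_id means the parameter is carrying something that is not a token.
SESSION_ID_OK = re.compile(r"[A-Za-z0-9,-]{1,256}")
# Request line and status code of a combined-format access-log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(line):
    """Return the finding labels for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %27 is checked as a literal quote.
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    if url.path.endswith("/include/chart_generator.php"):
        for value in params.get("session_id", []):
            if not SESSION_ID_OK.fullmatch(value):
                findings.append("chart_generator-session_id-not-a-token")
    # Any PHP file taking a "cmd" query parameter matches the script described above.
    if url.path.lower().endswith(".php") and "cmd" in params:
        findings.append("php-request-with-cmd-parameter")
    return findings

def scan(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in classify(line)]

# Constructed sample log lines; addresses, paths and values are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2022:10:00:01 +0000] "GET /pandora_console/include/chart_generator.php?session_id=k3v9q0c2m1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Jun/2022:10:02:11 +0000] "GET /pandora_console/include/chart_generator.php?session_id=a%27%20CONSTRUCTED-NON-TOKEN HTTP/1.1" 200 0',
    '203.0.113.9 - - [09/Jun/2022:10:02:30 +0000] "GET /pandora_console/ HTTP/1.1" 200 9000',
    '203.0.113.9 - - [09/Jun/2022:10:05:42 +0000] "GET /pandora_console/PLACEHOLDER_DIR/example.php?cmd=whoami HTTP/1.1" 200 9',
]

if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

The check only sees query strings, so the same parameters sent in a POST body need request-body logging or a WAF rule, and a differently named parameter in the uploaded script will not match the "cmd" rule.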

If you liked reading this article, you can follow me on Twitter: mujtabareads.