0xma Cyber Security Articles




June 14, 2022

SQL Injection Vulnerability in Artica Pandora FMS 742 (CVE-2021-32099) - Example 02

In this tutorial, we will see how to perform a SQL injection against Artica Pandora FMS using sqlmap. This will allow us to read session IDs from the database, and we will then see how to use wfuzz to find a valid session ID and log in as another user on the target.

This page contains more information about this vulnerability.

Visiting the console page presents a login page.

Pandora login console page.

Let's browse to the "chart_generator.php" console page. The response is "Access Is Not Granted".

Browsing 'chart_generator.php' page in Artica Pandora FMS.

Adding the "session_id" parameter with a single quote (') as its value results in a SQL error. This can be an indication of a SQL injection vulnerability.

Performing SQL injection on Artica Pandora FMS.

Copy the request from Burp Suite to a file.

Copying the SQL injection attempt from Burp Suite to a file.

This shows the captured request. Note that I have changed the value of the "session_id" parameter from a single-quote to 1.

Changing the value of 'session_id' parameter from a single-quote to one.

Running sqlmap with the "--dbs" option displays all the database names. There are two databases: information_schema and pandora.

Running sqlmap to find database names.

Next, sqlmap lists all the tables in the "pandora" database. It was able to find 178 tables.

Running sqlmap to find tables in a database.

sqlmap then dumps the contents of the "tsessions_php" table. We can see that this table contains a number of session IDs.

Running sqlmap to dump the contents of a table.

Let's save all the session IDs in a file called "session_ids.txt".

Saving the session IDs in a file.

Running wfuzz with the session IDs in the file shows that one of them produces a response with a different length.

Running wfuzz to find the distinct session ID.

Right-click on the browser window and click on Inspect. Click on the Storage tab and paste in the session ID.

Pasting the valid session ID in the browser.

Refresh the web page and now you have admin privileges on the FMS.

Refreshing the page to get admin privileges on the FMS.
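
On the defensive side, the probes shown above leave a trace in the web server access log: requests to "chart_generator.php" whose "session_id" value is not shaped like a session ID. The Python sketch below is an added example, not part of the original tutorial or of Pandora FMS; the sample log lines, the path prefix and the session ID pattern are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: a genuine PHP session ID uses only these characters, 22-256 long.
VALID_SID = re.compile(r"[A-Za-z0-9,-]{22,256}")

# Client IP and request target from a common/combined format access log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}'
)

# Constructed sample log (documentation IP ranges, hypothetical path prefix).
SAMPLE_LOG = """
198.51.100.7 - - [14/Jun/2022:10:00:01 +0000] "GET /pandora_console/include/chart_generator.php?session_id=%27 HTTP/1.1" 200 512
198.51.100.7 - - [14/Jun/2022:10:00:09 +0000] "GET /pandora_console/include/chart_generator.php?session_id=1 HTTP/1.1" 200 498
203.0.113.20 - - [14/Jun/2022:10:01:30 +0000] "GET /pandora_console/include/chart_generator.php?session_id=k3v9q2m1p0r8s7t6u5w4x3y2z1 HTTP/1.1" 200 9120
203.0.113.20 - - [14/Jun/2022:10:02:00 +0000] "GET /pandora_console/index.php?session_id=%27 HTTP/1.1" 200 700
this line is not an access log entry
"""


def suspicious_requests(log_text, page="chart_generator.php"):
    """Return (client_ip, decoded_value) for each malformed session_id sent to `page`."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip blank or unparseable lines
        url = urlsplit(match["target"])
        if not url.path.endswith("/" + page):
            continue  # only the page discussed in this article
        # parse_qs URL-decodes values, so %27 is compared as a literal quote.
        for value in parse_qs(url.query, keep_blank_values=True).get("session_id", []):
            if not VALID_SID.fullmatch(value):
                findings.append((match["ip"], value))
    return findings


def summarize(findings):
    """Count malformed session_id requests per client IP."""
    return Counter(ip for ip, _ in findings)


if __name__ == "__main__":
    for ip, count in summarize(suspicious_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {count} malformed session_id value(s)")
```

A client that sends several malformed values in a short time is a good candidate for blocking and for a review of which rows of "tsessions_php" may have been read.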

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.