This module exploits a vulnerability (CVE-2020-13851) in Pandora
FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps
older versions) in order to execute arbitrary commands.
This module takes advantage of a command injection vulnerability in the
`Events` feature of Pandora FMS. This flaw allows users to execute
arbitrary commands via the `target` parameter in HTTP POST requests to
the `Events` function. After authenticating to the target, the module
attempts to exploit this flaw by issuing such an HTTP POST request,
with the `target` parameter set to contain the payload. If a shell is
obtained, the module will try to obtain the local MySQL database
password via a simple `grep` command on the plaintext
`/var/www/html/pandora_console/include/config.php` file.
Valid credentials for a Pandora FMS account are required. The account
does not need to have admin privileges.
This module has been successfully tested on Pandora 7.0 NG 744 running
on CentOS 7 (the official virtual appliance ISO for this version).
msf > use exploit/linux/http/pandora_fms_events_exec
msf exploit(pandora_fms_events_exec) > show targets
...targets...
msf exploit(pandora_fms_events_exec) > set TARGET < target-id >
msf exploit(pandora_fms_events_exec) > show options
...show and set options...
msf exploit(pandora_fms_events_exec) > exploit
Vulmon