# Exploit Title: Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
# Date: 19/12/2020
# Exploit Author: Haboob Team (https://haboob.sa)
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Version: Nagios XI 5.7.x
# Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor...
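The key is stored in the database at nagiosxi.xi_users. With the obtained key, the API is used to add a Nagios XI administrator user; the API endpoint is /nagiosxi/api/v1/system/user?apikey= After obtaining Nagios XI administrator privileges, CVE-2018-8735 can be used for command injection. Using the command injection, the payload is written into a script under /usr/local/nagiosxi/scripts/, because the scripts in this directory all...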
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/nagios_xi_mibs_authenticated_rce
msf exploit(nagios_xi_mibs_authenticated_rce) > show targets
...targets...
msf exploit(nagio...
albinolobster@ubuntu:~/metasploit-framework$ ./tools/dev/msftidy.rb lib/msf/core/exploit/remote/http/nagios_xi/rce_check.rb
lib/msf/core/exploit/remote/http/nagios_xi/rce_check.rb - [ERROR] Unable to determine super class
lib/msf/core/exploit/remote/http/nagios_xi/rce_check.rb - [ERROR...
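At the end of April, multiple vulnerabilities in Nagios XI were disclosed, including SQL injection, privilege escalation, and command injection. The CVE identifiers are CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, and CVE-2018-8736. PoCs for the vulnerabilities were released shortly afterwards. Nagios XI has recently released a security update, and 360-CERT has carried out an in-depth analysis of this group of vulnerabilities. Vulnerability details CVE-2018-8733 ...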
This documentation attempts to explain how you can exploit the (somewhat) hidden features of template-based object definitions to save your sanity. How so, you ask? Several types of objects allow you to specify multiple host names and/or hostgroup names in definitions, allowing you to "copy" the...
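https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.4.10-64.ova The corresponding exploit code can be found at the following address: https://www.exploit-db.com/exploits/44560/ In addition, the AWAE training offered by Offensive Security is essentially a course on vulnerability chaining. CVE-2018-8734: SQL injection vulnerability (unauthenticated) ...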