Friday, 13 March 2020

Postauth SQLi in latest NagiosXI 5.6.11

Yesterday I found that the latest NagiosXI (5.6.11) is vulnerable to multiple (post-auth) XSS bugs. Today I decided to continue the research to see whether I could find some other bug(s). Below you will find the details. Here we go...
Today we will start again here:


As I mentioned before, the version I tried is 5.6.11. I started the downloaded VM in VirtualBox again.


TL;DR

Because I enabled display_errors in the PHP config, I was able to see the error message presented on the screenshot below:



That always makes it easier to find more interesting bugs (without so much code review ;)). For example, with the error message found in the response, I decided to save the request and use it as an input file for sqlmap, just for a quick verification of whether this is an exploitable bug:
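The quick triage described above, condensed into code. This is an added Python example (mine, not the author's, and not sqlmap's or NagiosXI's code): it looks for a MySQL/PHP driver error string in an HTTP response, compares the baseline response with the one for the injected request, and builds the sqlmap command line for a saved request file. The response bodies, the file path inside them and the request filename are constructed sample data; the sqlmap options used (`-r`, `--batch`, `--dbms`, `--sql-shell`, `-D`, `-T`, `--dump`) are real sqlmap flags.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from a real NagiosXI instance).
# Same request with a quote appended to a parameter, first with
# display_errors=On (PHP prints the driver warning into the page) and then
# with display_errors=Off (nothing visible). The file path is made up.
RESPONSE_BASELINE = """<html><body>
<div id="content"><table><tr><td>host1</td></tr></table></div>
</body></html>"""

RESPONSE_INJECTED_DISPLAY_ON = """<html><body>
<b>Warning</b>:  mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/app/query.inc.php</b> on line <b>42</b><br />
<div id="content"><table></table></div>
</body></html>"""

RESPONSE_INJECTED_DISPLAY_OFF = """<html><body>
<div id="content"><table></table></div>
</body></html>"""

RESPONSE_RAW_SYNTAX_ERROR = ("You have an error in your SQL syntax; check the manual that "
                             "corresponds to your MySQL server version for the right syntax "
                             "to use near ''' at line 1")

# Error fragments MySQL and PHP's mysql/mysqli extensions emit. Error-based
# scanners key on this family of strings; the list is illustrative, not complete.
MYSQL_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",
    r"MySQL server version for the right syntax",
    r"Warning:\s+mysqli?_\w+\(\)",
    r"supplied argument is not a valid MySQL result resource",
    r"Unknown column '[^']*' in '[^']*'",
]


def strip_tags(body: str) -> str:
    """Drop HTML tags so a warning wrapped in <b>...</b> still matches."""
    return re.sub(r"<[^>]+>", "", body)


def find_sql_error_disclosure(body: str) -> Optional[str]:
    """Return the first matching error fragment in the response, or None."""
    text = strip_tags(body)
    for pattern in MYSQL_ERROR_SIGNATURES:
        match = re.search(pattern, text)
        if match:
            return match.group(0)
    return None


def triage_injection(baseline: str, injected: str) -> Dict[str, object]:
    """The quick verification from the post: the injected request's response
    carries a database error that the baseline response does not."""
    base_err = find_sql_error_disclosure(baseline)
    inj_err = find_sql_error_disclosure(injected)
    return {
        "baseline_error": base_err,
        "injected_error": inj_err,
        "likely_injectable": inj_err is not None and base_err is None,
    }


def sqlmap_argv(request_file: str, *, sql_shell: bool = False,
                dump_table: Optional[Tuple[str, str]] = None) -> List[str]:
    """Build the sqlmap command line for a saved request (the -r flow the post
    used). Only builds the argv; nothing is executed here."""
    argv = ["sqlmap", "-r", request_file, "--batch", "--dbms=mysql"]
    if sql_shell:
        argv.append("--sql-shell")          # then type: SELECT @@version
    if dump_table is not None:
        db, table = dump_table
        argv += ["-D", db, "-T", table, "--dump"]
    return argv


if __name__ == "__main__":
    print(triage_injection(RESPONSE_BASELINE, RESPONSE_INJECTED_DISPLAY_ON))
    print(triage_injection(RESPONSE_BASELINE, RESPONSE_INJECTED_DISPLAY_OFF))
    print(" ".join(sqlmap_argv("request.txt", sql_shell=True)))
```

With display_errors off the injected response looks exactly like the baseline and this signature check reports nothing; that is why sqlmap falls back to boolean-based and time-based techniques, which do not depend on the error being printed into the page.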



After a while I was able to get into the Nagios database and/or dump it all to the Kali VM:



A little "proof-of-concept"**:



Checking the --sql-shell parameter to grab @@version:


Checking if dumping the users table is possible:

Sure. :)

So it looks like with "display_errors = On" your Nagios server is vulnerable to this attack.
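Since the closing sentence turns on display_errors, here is an added example (not the post's or Nagios's own code) that audits a php.ini fragment for that setting and shows the leaky configuration beside a production-style one. Both fragments are constructed. Worth keeping in mind: display_errors only controls whether the database error is printed into the page; the injected query still runs with it off, so this check tells you how visible the bug is, not whether it exists.

```python
from typing import Dict, List

# Two constructed php.ini fragments (not taken from a NagiosXI install).
PHP_INI_LEAKY = """
[PHP]
; what the post relied on to see the database error in the page
display_errors = On
display_startup_errors = On
error_reporting = E_ALL
"""

PHP_INI_HARDENED = """
[PHP]
; production-style: errors still recorded, but server-side only
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log
error_reporting = E_ALL
"""

# Values PHP accepts as "enabled" for boolean ini directives; "stderr" and
# "stdout" are display_errors-specific targets and also mean enabled.
ENABLED = {"1", "on", "true", "yes", "stderr", "stdout"}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: 'key = value' lines; ';' comments and
    [section] headers are skipped. Keys and values are lower-cased and
    surrounding quotes dropped so On / on / "On" compare equal."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def audit_error_disclosure(text: str) -> List[str]:
    """Report settings that would put a PHP/MySQL error into the HTTP response,
    or leave it unrecorded once hidden. Only explicit settings are judged; a
    missing key is reported as such rather than assuming a compiled-in default."""
    cfg = parse_php_ini(text)
    findings: List[str] = []
    if cfg.get("display_errors", "") in ENABLED:
        findings.append("display_errors enabled: driver warnings and SQL fragments reach the client")
    elif "display_errors" not in cfg:
        findings.append("display_errors not set explicitly: PHP's default applies")
    if cfg.get("display_startup_errors", "") in ENABLED:
        findings.append("display_startup_errors enabled")
    if cfg.get("log_errors", "") not in ENABLED:
        findings.append("log_errors not enabled: a hidden error is recorded nowhere")
    return findings


if __name__ == "__main__":
    for name, ini in (("leaky", PHP_INI_LEAKY), ("hardened", PHP_INI_HARDENED)):
        print(name, audit_error_disclosure(ini) or ["no findings"])
```

Turning display_errors off and log_errors on is the right production setting, but it is hygiene, not a fix: the query has to be parameterised (or the input validated) server-side for the injection itself to go away.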

See you next time! ;)

Cheers




  ** A working PoC will be disclosed only to patron/donating users ;)


