CVE-2021-40345 PoC — Nagios XI 命令注入漏洞

Source

https://github.com/ArianeBlow/NagiosXI-RCE-all-version-CVE-2021-40345

Associated Vulnerability

Title:Nagios XI 命令注入漏洞 (CVE-2021-40345)
Description:Nagios XI是美国Nagios公司的一套IT基础设施监控解决方案。该方案支持对应用、服务、操作系统等进行监控和预警。 Nagios XI 5.8.5存在安全漏洞，该漏洞源于在Admin面板的Manage Dashlets部分，管理员可以上传ZIP文件。命令注入(在存档中的第一个文件的名称中)允许攻击者可利用该漏洞执行系统命令。

Description

RFI to RCE Nagios/NagiosXI exploitation

Readme

# NagiosXI RCE File-Upload
CVE-2021-40345

Authentified RFI to RCE Nagios/NagiosXI exploitation

Step 1 : 
Go on the "dashlets" managing page and download one of them (I'm using "rss_dashlet" for the exemple) : 
```
http://TARGET_IP/nagiosxi/admin/dashlets.php?download=rss_dashlet
```

Step 2 : 
Modify the *.inc.php (I'm gonna use a tiny PHP reverse shell oneliner in line 34 for the exemple) :

![nagios1](https://user-images.githubusercontent.com/61753065/120605130-ffea4080-c44d-11eb-9dd6-bfba1ae56403.png)

Step 3 : 
Start your listener and upload the malicious dashlet in the dashlets managing page :

![nagios2](https://user-images.githubusercontent.com/61753065/120605611-8e5ec200-c44e-11eb-9111-40ee68ac35d8.png)

And voilà, you got the shell !

File Snapshot


 [4.0K]  /data/pocs/88d408b9d359a9ed42bbe36619c0b7440cd9c1f2
├── [1.0K]  LICENSE
└── [ 757]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!