Module: Msf::Exploit::Remote::HTTP::NagiosXi::Login
- Includes:
- URIs
- Included in:
- Msf::Exploit::Remote::HTTP::NagiosXi, Install
- Defined in:
- lib/msf/core/exploit/remote/http/nagios_xi/login.rb
Instance Method Summary collapse
-
#clean_cookies(pre_auth_cookies, auth_cookies) ⇒ String?
Compares cookies obtained before and after authentication and modifies the latter to remove cookies that may cause session timeouts.
-
#get_nsp(res) ⇒ String?
Grabs the nsp_str value from an HTTP response using regex.
-
#login_after_install_or_license(username, password, finish_install) ⇒ Array
Performs an authentication attempt.
-
#nagios_xi_login(user, pass, finish_install) ⇒ Array
performs a Nagios XI login.
-
#visit_nagios_dashboard(auth_cookies, finish_install) ⇒ Array
Performs an HTTP GET request to the Nagios XI backend to verify if authentication succeeded.
Methods included from URIs
#nagios_xi_backend_url, #nagios_xi_install_url, #nagios_xi_login_url
Instance Method Details
#clean_cookies(pre_auth_cookies, auth_cookies) ⇒ String?
Compares cookies obtained before and after authentication and modifies the latter to remove cookies that may cause session timeouts
90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 |
# File 'lib/msf/core/exploit/remote/http/nagios_xi/login.rb', line 90 def (, ) if .nil? || .nil? return nil end # Nagios XI may sometimes send the cookie `nagiosxi=deleted;` as part of the cookies after authentication. # This was observed when trying to access Nagios XI 5.3.0 when the license agreement had not been accepted yet. # The `nagiosxi=deleted;` cookie should be filtered out, since it may break authentication. if .include?('nagiosxi=deleted;') = .gsub('nagiosxi=deleted;', '').strip end # Remove duplicate cookies, necessary to make the next check work in case multiple # identical cookies were set (as observed on older Nagios versions) = .split(' ') .uniq! = .join(' ') # For newer Nagios XI versions, we need to remove the pre_auth cookies from the auth_cookies # string, otherwise the session will timeout. However, older Nagios XI versions use a single cookie # which has the same name both before and after authentication. unless == if .include?() = .gsub(, '').strip end end end |
#get_nsp(res) ⇒ String?
Grabs the nsp_str value from an HTTP response using regex
166 167 168 |
# File 'lib/msf/core/exploit/remote/http/nagios_xi/login.rb', line 166 def get_nsp(res) nsp = res.body.scan(/nsp_str = "([a-z0-9]+)/)&.flatten&.first end |
#login_after_install_or_license(username, password, finish_install) ⇒ Array
Performs an authentication attempt. If the server does not return a response, a second attempt is made after a delay of 5 seconds
177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
# File 'lib/msf/core/exploit/remote/http/nagios_xi/login.rb', line 177 def login_after_install_or_license(username, password, finish_install) # After installing Nagios XI or signing the license agreement, we sometimes don't receive a server response. # This loop ensures that at least 2 login attempts are performed if this happens, as the second one usually works. second_attempt = false while true login_result, = nagios_xi_login(username, password, finish_install) break unless == ['Connection failed'] if second_attempt print_warning('The server is still not responding. If you wait a few seconds and rerun the module, it might still work.') break else print_warning('No response received from the server. This can happen after installing Nagios XI or signing the license agreement') print_status('The module will wait for 5 seconds and retry.') second_attempt = true sleep 5 end end return [login_result, ] end |
#nagios_xi_login(user, pass, finish_install) ⇒ Array
performs a Nagios XI login
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 |
# File 'lib/msf/core/exploit/remote/http/nagios_xi/login.rb', line 11 def nagios_xi_login(user, pass, finish_install) print_status('Attempting to authenticate to Nagios XI...') # Visit the login page in order to obtain the cookies and the `nsp_str` token required for authentication res_pre_login = send_request_cgi({ 'method' => 'GET', 'uri' => nagios_xi_login_url, }) unless res_pre_login return [1, ['Connection failed']] end unless res_pre_login.code == 200 && res_pre_login.body.include?('>Nagios XI<') # Check if we are perhaps dealing with a Nagios XI app that hasn't been fully installed yet unless res_pre_login.code == 302 && res_pre_login.body.include?('>Nagios XI<') && res_pre_login.headers['Location'].end_with?('/install.php') return [3, ['Target is not a Nagios XI application']] end print_warning('The target seems to be a Nagios XI application that has not been fully installed yet.') unless finish_install return [2, ['You can let the module complete the installation by setting `FINISH_INSTALL` to true.']] end return [4, [nil]] end # Grab the necessary tokens required for authentication nsp = get_nsp(res_pre_login) if nsp.nil? return [2, ['Unable to obtain the value of the `nsp_str` token required for authentication']] end = res_pre_login. if .blank? return [2, ['Unable to obtain the cookies required for authentication']] end # authenticate res_login = send_request_cgi({ 'method' => 'POST', 'uri' => nagios_xi_login_url, 'cookie' => , 'vars_post' => { 'nsp' => nsp, 'pageopt' => 'login', 'username' => user, 'password' => pass } }) unless res_login return [1, ['Connection failed']] end unless res_login.code == 302 && res_login.headers['Location'] == 'index.php' return [2, ['Received unexpected reply while trying to authenticate. Please check your credentials.']] end # Grab the cookies = res_login. if .blank? return [2, ['Unable to obtain the cookies required for authentication']] end # Make sure we only use the cookies we need, otherwise we may encounter a session timeout = (, ) # Try to visit the dasboard visit_nagios_dashboard(, finish_install) end |
#visit_nagios_dashboard(auth_cookies, finish_install) ⇒ Array
Performs an HTTP GET request to the Nagios XI backend to verify if authentication succeeded
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 |
# File 'lib/msf/core/exploit/remote/http/nagios_xi/login.rb', line 124 def visit_nagios_dashboard(, finish_install) # Visit the index page to verify we successfully authenticated res_index = send_request_cgi({ 'method' => 'GET', 'uri' => nagios_xi_backend_url, 'cookie' => }) unless res_index return [1, ['Connection failed']] end unless res_index.code == 200 && res_index.body.include?('>Home Dashboard<') # Check if we need to sign the license agreement unless res_index.code == 302 && res_index.headers['Location'].end_with?('login.php?showlicense') return [2, ['Received unexpected reply while trying to acess the NagiosXI home dashboard after authenticating.']] end print_warning('The Nagios XI license agreement has not yet been signed on the target.') unless finish_install return [2, ['You can let the module sign the Nagios XI license agreement by setting `FINISH_INSTALL` to true.']] end nsp = get_nsp(res_index) if nsp.nil? return [2, ['Failed to obtain the nsp token required for signing the license agreement.']] end return [5, [, nsp]] end # Return the HTTP resonse body and the authentication cookies. # The response body can be used to obtain the version number. # The cookies can be used by exploit modules to send authenticated requests. [0, [res_index.body, ]] end |