Exploit for Nagios XI 5.11 - SQL Injection (CVE-2023-40931)

Description:

A SQL injection vulnerability in Nagios XI, from version 5.11.0 up to and including 5.11.1, allows an authenticated attacker to execute arbitrary SQL commands via the ID parameter of a POST request to /nagiosxi/admin/banner_message-ajaxhelper.php.

Proof of Concept

PoC exploit

Try the exploit in a lab environment:

Lab machine: Hack The Box, Monitored

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-40931
https://outpost24.com/blog/nagios-xi-vulnerabilities/
https://www.nagios.com/products/security/