Whomever created these 2 new sql injection snort alerts for nagios didn't include documentation.
1 41019 SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt"; flow:to_server,established; content:"nagiosxi/includes/components/nagiosim/nagiosim.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_uri; pcre:"/[?&]host=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:41019; rev:1; )
1 41018 SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt"; flow:to_server,established; content:"nagiosxi/includes/components/nagiosim/nagiosim.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]host=[^&]*?%26/Ii"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:41018; rev:1; )
If I had to guess I think it's related to this disclosure or something similar which stated.
The ‘host’ and ‘service’ GET parameters in the ‘nagiosim.php’ page are vulnerable to SQL injection via error-based payloads
More about neonprimetime
Top Blogs of all-time
- pagerank botnet sql injection walk-thru
- DOM XSS 101 Walk-Through
- An Invoice email and a Hot mess of Java
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment