From the `cacti-exploit.py` file in this screenshot, the following key information can be obtained:

### Vulnerability Description

* **Vulnerability Title**: Cacti v1.2.8 Remote Code Execution (RCE)
* **Affected Version**: Cacti v1.2.8
* **Vulnerability Author**: Askar (@mohammadaskar2)
* **Test Environment**: PHP 7.1.33 on CentOS 7.3

### Vulnerability Principle

The script exploits a Local File Inclusion (LFI) vulnerability in the user management system of Cacti v1.2.8 to achieve RCE. The process is described in the following steps:

1. **Login**: Log in using the provided credentials and retrieve the CSRF token via an HTTP request.
2. **Activate Anonymous User**: Activate the anonymous user via the page `user_admin.php?action=user_edit&id=3&tab=realms`, allowing the attacker to use the "visit" client to send requests when triggering the vulnerability.

### Exploitation Code

```python
# Simulate login as guest user with uid=3
cookies = {'Cacti': quote(payload)}
# Subsequent requests will trigger the vulnerability; the constructed payload will be passed to /bin/bash to execute commands on the server
requests.get(url + "/graph_realtime.php?action=init", cookies=cookies)
```

From the above, it is evident that the exact location for command execution is not explicitly submitted during exploitation. However, `/graph_realtime.php?action=init` reads variables during process initialization, and the `graph_local` parameter is unrestricted and invisible, making it exploitable. This allows an attacker to trigger the vulnerability and gain a reverse shell to the attacker's machine via `nc`.

### Summary

The above information confirms that a Remote Code Execution (RCE) vulnerability indeed exists in Cacti v1.2.8. Attackers can trigger the vulnerability by crafting malicious requests to execute arbitrary code remotely. It is crucial to remain vigilant, apply necessary defenses, and promptly update and patch the system to mitigate the risk.
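
The request pattern described above (a `Cacti` cookie carrying something other than a session ID on `graph_realtime.php?action=init`, preceded by a visit to the guest user's realms page) can be searched for in web server logs. The following detection sketch is an added example, not part of `cacti-exploit.py` or of Cacti; it assumes an access log in combined format with the `Cookie` header appended as a final quoted field, and the log lines are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: combined log format with the Cookie header appended as the
# last quoted field (for example an Apache LogFormat ending in "%{Cookie}i").
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
# PHP session IDs contain only these characters and are 22 to 256 long.
SESSION_ID_RE = re.compile(r'[A-Za-z0-9,-]{22,256}')

def cacti_cookie(cookie_header):
    """Return the URL-decoded value of the Cacti cookie, or None if absent."""
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'Cacti':
            return unquote(value)
    return None

def check_line(line):
    """Return a list of findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m['target'])
    query = parse_qs(url.query)
    findings = []
    if url.path.endswith('/graph_realtime.php') and query.get('action') == ['init']:
        value = cacti_cookie(m['cookie'])
        if value is not None and not SESSION_ID_RE.fullmatch(value):
            findings.append('graph_realtime init with non-session Cacti cookie')
    if (url.path.endswith('/user_admin.php') and query.get('id') == ['3']
            and query.get('tab') == ['realms']):
        findings.append('guest user (id=3) realms page requested')
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder cookie value).
_FMT = '{ip} - - [01/Jan/2020:10:00:00 +0000] "{req} HTTP/1.1" 200 512 "-" "-" "Cacti={c}"'
SAMPLE_LOG = [
    _FMT.format(ip='192.0.2.10', req='GET /cacti/graph_realtime.php?action=init', c='k3q9v0r2m5t8w1x4z7b6n0p3s2'),
    _FMT.format(ip='198.51.100.7', req='POST /cacti/user_admin.php?action=user_edit&id=3&tab=realms', c='k3q9v0r2m5t8w1x4z7b6n0p3s2'),
    _FMT.format(ip='198.51.100.7', req='GET /cacti/graph_realtime.php?action=init', c='%3BPLACEHOLDER'),
]

if __name__ == '__main__':
    for number, entry in enumerate(SAMPLE_LOG, 1):
        print(number, check_line(entry))
```

Default access-log formats do not record cookies, so this check only works where cookie logging is enabled or where the same fields are available from a WAF or reverse proxy.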