POC详情: 29cacf46ce1d02ea10f6267381d66296db99f984

来源
https://github.com/Rickster5555/EH2-PoC
关联漏洞
标题: Cacti 命令注入漏洞 (CVE-2022-46169)
描述:Cacti是Cacti团队的一套开源的网络流量监测和分析工具。该工具通过snmpget来获取数据,使用RRDtool绘画图形进行分析,并提供数据和用户管理功能。 Cacti v1.2.22版本存在命令注入漏洞,该漏洞源于未经身份验证的命令注入,允许未经身份验证的用户在运行Cacti的服务器上执行任意代码。
描述
A simple PoC for CVE-2022-46169 a.k.a Cacti Unauthenticated Command Injection, a vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti prior from version 1.2.17 to 1.2.22
介绍
# Cacti Unauthenticated Command Injection (CVE-2022-46169)
This is a simple PoC adaptation of the Vulnhub's Cacti scenario. You can check it out [here](https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169)

Cacti is a robust and extensible operational monitoring and fault management framework for users around the world. A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti prior from version 1.2.17 to 1.2.22, if a specific data source was selected for any monitored device.

References:

- <https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf>
- <https://mp.weixin.qq.com/s/6crwl8ggMkiHdeTtTApv3A>
- <https://nvd.nist.gov/vuln/detail/CVE-2022-46169>

## Vulnerability Environment

Execute following command to start a Cacti server 1.2.22:

```bash
# Compile environment
docker compose build

# Run environment
docker compose up -d
```

After the server is started, you will see the login page at `http://localhost:8080`.

Then login as admin/admin, follow the instructions to initialize the application. Actually, just click the "next button" again and again before you see the success page.


Before you can exploit this vulnerability, you have to add a new "Graph" because the command injection is occurred not in the default graph type:

![](2.png)

Select the graph type "Device - Uptime", and click the "Create" button:

![](3.png)

## Exploit

After complete the above initialization, you will change your role to a attacker. Just use following script as shown to send a request to the Cacti server to trigger the command injection attack:

![](1.png)

Although no command result in the response, you can find the `/tmp/test.txt` has been created successfully.

![](5.png)
文件快照

 [4.0K]  /data/pocs/29cacf46ce1d02ea10f6267381d66296db99f984
├── [114K]  1.png
├── [ 22K]  2.png
├── [ 46K]  3.png
├── [ 77K]  4.png
├── [384K]  5.png
├── [1.5K]  cacti-CI-poc.py
├── [ 348]  docker-compose.yml
├── [ 648]  entrypoint.sh
└── [1.7K]  README.md

0 directories, 9 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。