This is a simple PoC adaptation of the Vulnhub's Cacti scenario. You can check it out here
Cacti is a robust and extensible operational monitoring and fault management framework for users around the world. A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti prior from version 1.2.17 to 1.2.22, if a specific data source was selected for any monitored device.
References:
- https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
- https://mp.weixin.qq.com/s/6crwl8ggMkiHdeTtTApv3A
- https://nvd.nist.gov/vuln/detail/CVE-2022-46169
Execute following command to start a Cacti server 1.2.22:
# Compile environment
docker compose build
# Run environment
docker compose up -d
After the server is started, you will see the login page at http://localhost:8080
.
Then login as admin/admin, follow the instructions to initialize the application. Actually, just click the "next button" again and again before you see the success page.
Before you can exploit this vulnerability, you have to add a new "Graph" because the command injection is occurred not in the default graph type:
Select the graph type "Device - Uptime", and click the "Create" button:
After complete the above initialization, you will change your role to a attacker. Just use following script as shown to send a request to the Cacti server to trigger the command injection attack:
Although no command result in the response, you can find the /tmp/test.txt
has been created successfully.