==========================

Advisory: Cacti SQL Injection Vulnerability
Affected Version: 0.8.8f (the latest version) and older versions
Vendor Status: Unfixed
==========================
Vulnerability Description
==========================
Vulnerable file: /cacti/graphs_new.php

/cacti/graphs_new.php  line 35:

if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }

switch ($_REQUEST["action"]) {
   case 'save':
      form_save(); // highlight 1
      break;
……

Notice the highlighted code and track the function form_save():

/cacti/graphs_new.php  line 59:

function form_save(){
   // some code omitted ……
   if (isset($_POST["save_component_new_graphs"])) {
      host_new_graphs_save();  // highlight 2
      header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
……

Track the function host_new_graphs_save():

/cacti/graphs_new.php  line 126:

function host_new_graphs_save() {
   $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"])); // just unserialize, no filter
   /* form an array that contains all of the data on the previous form */
   ……
   debug_log_clear("new_graphs");
   while (list($form_type, $form_array) = each($selected_graphs_array)) {
      $current_form_type = $form_type;
      while (list($form_id1, $form_array2) = each($form_array)) {
         /* enumerate information from the arrays stored in post variables */
         if ($form_type == "cg") {
            $graph_template_id = $form_id1;
         }elseif ($form_type == "sg") {
            while (list($form_id2, $form_array3) = each($form_array2)) {
               $snmp_index_array = $form_array3;
               $snmp_query_array["snmp_query_id"] = $form_id1;
               $snmp_query_array["snmp_index_on"] = get_best_data_query_index_type($_POST["host_id"], $form_id1);
               $snmp_query_array["snmp_query_graph_id"] = $form_id2;  // highlight 3
            }
            $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);  // no filter; causes a SQL injection

Notice that $selected_graphs_array is simply the unserialized POST variable, which the client controls and which is never filtered. The value then flows through a three-dimensional array, and finally the dirty data we control (the array key that becomes $snmp_query_array["snmp_query_graph_id"]) is concatenated into the SELECT query, which causes a SQL injection.
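For comparison, here is a hardened version of the "sg" branch written as an added example; it is not Cacti's own code or patch. It assumes PHP 7.0 or later (for the allowed_classes option of unserialize()) and a PDO handle $db to the Cacti database, and it resolves every validated id rather than only the last one as the original loop does.

```php
<?php
// Added example, not Cacti's own code. Assumes PHP >= 7.0 and a PDO handle $db.

// Return the snmp_query_graph ids under $selected["sg"] whose keys are well-formed integers.
function collect_snmp_query_graph_ids($selected)
{
    $ids = [];
    if (!is_array($selected) || !isset($selected["sg"]) || !is_array($selected["sg"])) {
        return $ids;
    }
    foreach ($selected["sg"] as $snmp_query_id => $graphs) {
        // Cast before ctype_digit(): given an int it would test an ASCII code instead.
        if (!ctype_digit((string) $snmp_query_id) || !is_array($graphs)) {
            continue;
        }
        foreach ($graphs as $snmp_query_graph_id => $snmp_index_array) {
            // A key like "1 and benchmark(20000000,sha1(1))--" fails this test and is dropped.
            if (!ctype_digit((string) $snmp_query_graph_id)) {
                continue;
            }
            $ids[] = (int) $snmp_query_graph_id;
        }
    }
    return $ids;
}

// Look up graph_template_id with a bound integer parameter instead of
// concatenating the id into the SQL string as the db_fetch_cell() call does.
function fetch_graph_template_id(PDO $db, $snmp_query_graph_id)
{
    $stmt = $db->prepare("SELECT graph_template_id FROM snmp_query_graph WHERE id = :id");
    $stmt->bindValue(":id", (int) $snmp_query_graph_id, PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return ($value === false) ? null : (int) $value;
}

// Decode the POST value without letting unserialize() instantiate objects,
// then resolve every validated id to its graph template.
function host_new_graphs_save_hardened(PDO $db, array $post)
{
    $raw = isset($post["selected_graphs_array"]) ? $post["selected_graphs_array"] : "";
    $selected = unserialize(stripslashes($raw), ["allowed_classes" => false]);
    $templates = [];
    foreach (collect_snmp_query_graph_ids($selected) as $id) {
        $templates[$id] = fetch_graph_template_id($db, $id);
    }
    return $templates; // snmp_query_graph id => graph_template_id (null if no row)
}
```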

==========================
POC && EXP
==========================
1. Login
   Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action="">
{Injection exp can be found on my server: http://pandas.pw/cacti.exp}
3. mysql log: select graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--
====================


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
