Cacti 1.2.22 unauthenticated command injection
Title source: metasploitExploitation Summary
CVE-2022-46169 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 16, 2023.
EIP tracks 43 public exploits from researchers including Riadh Bouchahoua, 0xf4n9x, FredBrave, including a Metasploit module exploits/linux/http/cacti_unauthenticated_cmd_injection.
A Nuclei detection template is also available.
AI-analyzed exploit summary This exploit targets CVE-2022-46169 in Cacti v1.2.22, achieving remote command execution via command injection in the `remote_agent.php` endpoint. It uses a base64-encoded reverse shell payload and iterates over host and local data IDs to trigger execution.
Description
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`. This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
Exploits (43)
This exploit targets CVE-2022-46169 in Cacti v1.2.22, achieving remote command execution via command injection in the `remote_agent.php` endpoint. It uses a base64-encoded reverse shell payload and iterates over host and local data IDs to trigger execution.
This repository provides a working proof-of-concept for CVE-2022-46169, demonstrating an unauthenticated command injection vulnerability in Cacti's remote_agent.php via the poller_id parameter. It includes details on bypassing authentication using the X-Forwarded-For header and brute-forcing host_id and local_data_ids.
This is a functional exploit for CVE-2022-46169, targeting Cacti 1.2.22. It achieves remote code execution (RCE) by injecting a reverse shell payload via the `remote_agent.php` endpoint, leveraging command injection in the `poller_id` parameter.
This is a functional PoC for CVE-2022-46169, an unauthenticated RCE vulnerability in Cacti <= 1.2.22. It exploits a command injection flaw by chaining an authentication bypass with a malicious payload in the 'poller_id' parameter.
This PoC exploits CVE-2022-46169 in Cacti 1.2.22, leveraging an authentication bypass via `X-Forwarded-For` header manipulation and command injection through the `poller_item` parameter in `remote_agent.php`. It includes brute-forcing host/local data IDs and delivers a reverse shell payload.
This repository contains a Python-based exploit for CVE-2022-46169, an unauthenticated remote code execution vulnerability in Cacti 1.2.19. The exploit bypasses authentication via header manipulation, bruteforces valid host_id and local_data_ids, and injects commands via the poller_id parameter.
This is a Python-based exploit for CVE-2022-46169, an unauthenticated command injection vulnerability in Cacti prior to version 1.2.22. The exploit sends a crafted HTTP request to the target's remote_agent.php endpoint with a malicious command injected via the poller_id parameter.
This exploit targets CVE-2022-46169 in Cacti 1.2.22, leveraging command injection via the `poller_id` parameter in `remote_agent.php`. It includes brute-forcing to identify valid host and local data IDs, then executes a reverse shell payload.
This is a functional exploit for CVE-2022-46169, targeting Cacti versions 1.2.2x up to 1.2.22. It leverages command injection via the `remote_agent.php` endpoint to execute a reverse shell payload, using base64 encoding and HTTP headers like `X-Forwarded-For` to bypass restrictions.
This is a functional exploit for CVE-2022-46169, an unauthenticated remote code execution vulnerability in Cacti. It leverages an authentication bypass via HTTP headers and command injection in the `remote_agent.php` endpoint to execute arbitrary commands, including a reverse shell.
This PoC exploits CVE-2022-46169, a command injection vulnerability in Cacti's remote_agent.php. It bypasses authentication via X-Forwarded-For headers and injects a reverse shell payload.
This is a functional exploit for CVE-2022-46169, targeting Cacti's unauthenticated remote command execution vulnerability. It bypasses authentication via X-Forwarded header manipulation, brute-forces valid host_id and local_data_ids, and delivers a reverse shell payload.
This exploit leverages an authentication bypass via HTTP header manipulation (X-Forwarded-For) and command injection in the 'poller_id' parameter to achieve remote code execution (RCE) in Cacti versions before 1.2.3. It attempts multiple reverse shell payloads to establish a connection back to the attacker.
The repository contains functional exploit code for CVE-2022-46169, targeting Cacti 1.2.2. The exploit demonstrates remote code execution (RCE) by leveraging command injection in the vulnerable software.
This Go-based exploit targets CVE-2022-46169, a command injection vulnerability in Cacti's remote_agent.php. It sends a base64-encoded reverse shell payload via the polldata action, leveraging unauthenticated HTTP requests.
This is a functional PoC for CVE-2022-46169, an unauthenticated RCE vulnerability in Cacti <= 1.2.22. It exploits command injection via the 'poller_id' parameter in 'remote_agent.php' to execute a reverse shell.
This repository provides a vulnerable Dockerized Cacti v1.2.22 environment and a Python exploit for CVE-2022-46169, a command injection vulnerability allowing unauthenticated RCE. The exploit leverages a specific data source configuration to execute arbitrary commands.
The repository contains a Python script that checks for the presence of CVE-2022-46169 by sending a crafted HTTP request to the target URL and checking for a specific response pattern. It does not exploit the vulnerability but scans for its conditions.
This repository contains a Python script that checks for the presence of CVE-2022-46169, a command injection vulnerability in Cacti's remote_agent.php. The script sends a request to a specific endpoint and checks for a 'FATAL:' response to indicate potential vulnerability.
This repository contains a Go-based bruteforce tool for CVE-2022-46169, a blind RCE vulnerability in Cacti. It bypasses IP whitelisting via X-Forwarded-For header spoofing and enumerates valid host_id and local_data_ids parameters to exploit the vulnerability.
This repository provides a detailed technical analysis and step-by-step guide for reproducing CVE-2022-46169, an unauthenticated command injection vulnerability in Cacti ≤ 1.2.22. It includes setup instructions, exploitation steps, and verification methods, but lacks actual exploit code.
This is a functional exploit for CVE-2022-46169, targeting Cacti's remote_agent.php. It leverages command injection via the poller_id parameter to achieve remote code execution (RCE) and includes both brute-force and direct execution modes.
This is a functional proof-of-concept exploit for CVE-2022-46169, targeting a command injection vulnerability in Cacti's remote_agent.php. It crafts a reverse shell payload, URL-encodes it, and sends it to a vulnerable endpoint after validating the target's vulnerability.
This PoC exploits CVE-2022-46169, an unauthenticated command injection vulnerability in Cacti v1.2.22. It brute-forces host and local data IDs, then injects a reverse shell payload via the `poller_id` parameter in `remote_agent.php`.
This repository provides a detailed writeup and lab setup for CVE-2022-46169, an unauthenticated remote code execution vulnerability in Cacti. It explains the authentication bypass via IP spoofing and command injection in the `remote_agent.php` file.
This PoC exploits CVE-2022-46169, a command injection vulnerability in Cacti v1.2.22 via the `remote_agent.php` endpoint. It brute-forces `host_id` and `local_data_id` parameters, then injects commands through the `poller_id` parameter.
This is a working exploit for CVE-2022-46169, an unauthenticated RCE vulnerability in Cacti 1.2.22. It leverages command injection via the `remote_agent.php` endpoint to spawn a reverse shell.
This repository contains a Python-based PoC for CVE-2022-46169, a remote command execution vulnerability in Cacti's remote_agent.php. The exploit leverages command injection via the X-Forwarded-For header to execute arbitrary commands on vulnerable Cacti instances.
This PoC exploits CVE-2022-46169 in Cacti 1.2.22, leveraging an authentication bypass via `X-Forwarded-For` header manipulation and command injection through `proc_open` in the `polldata` action. It includes brute-forcing host/local data IDs and delivers a reverse shell payload.
This PoC exploits CVE-2022-46169, an unauthenticated RCE vulnerability in Cacti <= 1.2.22 via command injection in the 'poller_id' parameter of remote_agent.php. It iterates through host_ids and injects a command via a crafted HTTP request.
This repository contains a functional PoC for CVE-2022-46169, an unauthenticated command injection vulnerability in Cacti versions 1.2.17 to 1.2.22. The exploit leverages a crafted HTTP GET request to execute arbitrary commands via the `poller_id` parameter in `remote_agent.php`.
This is a Python-based exploit for CVE-2022-46169, targeting Cacti versions <= 1.2.22. It brute-forces host and data IDs to craft a reverse shell payload via command injection in the `remote_agent.php` endpoint.
This is a functional exploit for CVE-2022-46169, targeting Cacti versions >=1.2.22. It leverages command injection via the `poller_id` parameter in `remote_agent.php` to achieve remote code execution (RCE) and spawn a reverse shell.
This is a Python-based exploit for CVE-2022-46169, targeting an unauthenticated RCE vulnerability in Cacti 1.2.22. It bypasses authentication via X-Forwarded-For header manipulation and brute-forces valid host_id and local_data_ids[] parameters before injecting a reverse shell command.
This PoC exploits an unauthenticated command injection vulnerability in Cacti (CVE-2022-46169) to achieve remote code execution. It brute-forces host and local data IDs to inject a reverse shell payload via the `poller_id` parameter.
This is a functional exploit for CVE-2022-46169, an unauthenticated command injection vulnerability in Cacti 1.2.22. It leverages improper input validation in the 'poller_id' parameter to achieve remote code execution via a reverse shell.
This repository contains a Go-based proof-of-concept exploit for CVE-2022-46169, targeting Cacti versions <1.2.23. The exploit leverages an authentication bypass and command injection vulnerability in the `remote_agent.php` endpoint to achieve unauthenticated remote code execution.
This repository contains a functional exploit for CVE-2022-46169, an unauthenticated remote code execution vulnerability in Cacti. The exploit leverages an authentication bypass via HTTP headers and command injection in the `remote_agent.php` endpoint.
This repository contains a Python script that checks for the presence of CVE-2022-46169, an authentication bypass vulnerability in Cacti. The script attempts to bypass authentication via X-Forwarded-For header manipulation and brute-forces host and local data IDs to identify vulnerable endpoints.
This PoC exploits CVE-2022-46169, a command injection vulnerability in Cacti's `remote_agent.php`. It brute-forces valid `local_data_ids` and `host_id` parameters, then injects commands via the `poller_id` parameter, writing output to a randomly named file for retrieval.
This repository contains a functional Python script that exploits CVE-2022-46169, a command injection vulnerability in Cacti's `remote_agent.php`. The script automates the exploitation process by setting up an HTTP server to receive command output and sending crafted payloads to the target.
This repository contains a functional Python exploit for CVE-2022-46169, an unauthenticated remote code execution vulnerability in Cacti 1.2.22. The exploit bypasses authentication via the X-Forwarded-For header and injects commands into the poller_id parameter.
This Metasploit module exploits an unauthenticated command injection vulnerability in Cacti (CVE-2022-46169) by sending a crafted GET request to /remote_agent.php with malicious parameters, leading to remote code execution as the www-data user.
Nuclei Templates (1)
title:"Login to Cacti" || http.title:"login to cacti" || http.title:"cacti" || http.favicon.hash:"-1797138069"
icon_hash="-1797138069" || title="cacti" || title="login to cacti"
References (5)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H