Summary
A SQL injection vulnerability in the `automation_get_new_graphs_sql` function of `api_automation.php` allows an authenticated user to perform privilege escalation and remote code execution.
Details
In `cacti/lib/api_automation.php` (line 856 at commit 5017129):

```php
$sql_having = build_graph_object_sql_having($rule, get_request_var('filter'));
```

the value of `get_request_var('filter')` is concatenated into the SQL statement without any sanitization. In the same file (line 717 at commit 5017129) the request variable is declared as

```php
'filter' => FILTER_DEFAULT,
```

so the filter applied to `'filter'` is `FILTER_DEFAULT`, which means no filtering is performed on it.
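As an added illustration, not Cacti's own code, the following places the concatenation pattern described above beside a parameterised version. The function names, the `graph_local` table and its rows are constructed for this example, the unsafe builder mirrors the clause shape implied by the PoC payload, and the check assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added illustration, not Cacti's code. The unsafe builder mirrors the shape of
// the vulnerable call: the raw request value lands inside the SQL text, so a
// value containing a double quote rewrites the statement. The safe builder keeps
// SQL and data apart by returning a placeholder and a bound value.

// Unsafe: the filter value is concatenated straight into the HAVING clause.
function build_having_unsafe(string $filter): string
{
    return 'HAVING (name LIKE "%' . $filter . '%")';
}

// Hardened: the value is bound as a parameter, and LIKE wildcards in user input
// are escaped so a user-supplied '%' or '_' matches only itself.
function build_having_safe(string $filter, array &$params): string
{
    $params[] = '%' . addcslashes($filter, '%_\\') . '%';
    return "HAVING (name LIKE ? ESCAPE '\\')";
}

// Run a query with the safe builder and return the matching names.
function search_names(PDO $pdo, string $filter): array
{
    $params = [];
    $sql = 'SELECT name FROM graph_local GROUP BY id, name ' . build_having_safe($filter, $params);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'name');
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE graph_local (id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO graph_local VALUES (1, 'Traffic - eth0'), (2, 'CPU usage')");

// The decoded filter value from the advisory's PoC URL.
$payload = '%");select sleep(10)--';

// Unsafe: the closing quote and parenthesis now come from the input, not the code.
echo build_having_unsafe($payload), "\n";
// HAVING (name LIKE "%%");select sleep(10)--%")

// Hardened: the same bytes are only a search term; nothing matches and nothing else runs.
var_dump(search_names($pdo, $payload));   // array(0) {}
var_dump(search_names($pdo, 'eth0'));     // one entry: "Traffic - eth0"
```

Binding the value is the fix at the query layer; replacing `FILTER_DEFAULT` with a real validation filter for `filter` is the complementary fix at the request layer.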
PoC
Create a rule in `automation_graph_rules.php` like this:
![image](https://user-images.githubusercontent.com/12847578/295564383-936d3516-7c67-404e-b96d-7470a8c791fb.png)
Visit http://localhost/cacti/automation_graph_rules.php?action=edit&id=2&page=1&filter=%25%22);select%20sleep(10)--+)
![image](https://user-images.githubusercontent.com/12847578/295561383-ce753e9f-671f-48fa-91f2-7b26c923793e.png)
![image](https://user-images.githubusercontent.com/12847578/295561700-a5485005-a803-4e04-9800-83181c80c275.png)