Summary
A SQL injection vulnerability in the automation_get_new_graphs_sql function of api_automation.php allows authenticated users to perform privilege escalation and remote code execution.

Details
In cacti/lib/api_automation.php (line 856 in 5017129):

    $sql_having = build_graph_object_sql_having($rule, get_request_var('filter'));

the value of get_request_var('filter') is concatenated into the SQL statement without any sanitization. In cacti/lib/api_automation.php (line 717 in 5017129):

    'filter' => FILTER_DEFAULT,

the filter for 'filter' is FILTER_DEFAULT, which means there is no filter for it.

PoC
Create a rule in automation_graph_rules.php like this:
Visit http://localhost/cacti/automation_graph_rules.php?action=edit&id=2&page=1&filter=%25%22);select%20sleep(10)--+)
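
The behaviour described under Details, as an added example that is not Cacti code or the project's fix: it checks that FILTER_DEFAULT returns the request value unchanged, then shows the filter bound as a query parameter so it never becomes part of the SQL text. The table, the function `find_graph_objects` and the 128-byte limit are assumptions, and an in-memory SQLite database (pdo_sqlite) stands in for the real one.

```php
<?php
// Added example, not Cacti code. Table, column and function names are hypothetical.

// The `filter` value from the PoC URL on this page, URL-decoded.
$filter = urldecode('%25%22);select%20sleep(10)--+)');

// FILTER_DEFAULT is an alias of FILTER_UNSAFE_RAW, so the value comes back unchanged.
if (FILTER_DEFAULT !== FILTER_UNSAFE_RAW || filter_var($filter, FILTER_DEFAULT) !== $filter) {
    throw new RuntimeException('unexpected: FILTER_DEFAULT altered the value');
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE graph_objects (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO graph_objects (name) VALUES ('eth0 traffic'), ('100% cpu'), ('disk_io')");

// Hypothetical hardened lookup: the filter is data bound to a placeholder,
// never concatenated into the statement.
function find_graph_objects(PDO $pdo, string $filter): array
{
    // Length bound is an assumption; choose a limit that suits the form field.
    if (strlen($filter) > 128) {
        throw new InvalidArgumentException('filter too long');
    }
    // Escape LIKE wildcards so % and _ typed by the user match literally.
    $pattern = '%' . addcslashes($filter, '\\%_') . '%';
    $stmt = $pdo->prepare("SELECT name FROM graph_objects WHERE name LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Self-checks: ordinary search, literal wildcard, and the PoC value treated as plain text.
$checks = [
    [find_graph_objects($pdo, 'eth'), ['eth0 traffic']],
    [find_graph_objects($pdo, '%'), ['100% cpu']],
    [find_graph_objects($pdo, $filter), []],
];
foreach ($checks as [$actual, $expected]) {
    if ($actual !== $expected) {
        throw new RuntimeException('unexpected result: ' . json_encode($actual));
    }
}
echo "all checks passed\n";
```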