Cacti 0.8.7e SQL Injection: A Deep Dive for Offensive Operations

Cacti 0.8.7e SQL Injection: A Deep Dive for Offensive Operations
What this paper is
This paper details a critical SQL injection vulnerability found in Cacti version 0.8.7e. It explains how an attacker can exploit this flaw to inject malicious SQL code into the database by manipulating a specific parameter. The exploit allows for unauthorized data access and modification.
Simple technical breakdown
Cacti is a web-based network monitoring tool. The vulnerability lies in the templates_export.php script. When a user requests to export certain items, the script takes an export_item_id as input. However, it doesn't properly check or clean this input before using it in a database query.
An attacker can send a specially crafted export_item_id that includes extra SQL commands. These commands are then executed by the database, allowing the attacker to bypass normal security checks and potentially read sensitive data or even alter the database's contents.
Complete code and payload walkthrough
The provided paper does not contain executable code or shellcode in the traditional sense. Instead, it demonstrates the exploit through a Proof of Concept (PoC) HTTP POST request. The "payload" is the crafted data sent within this request.
Let's break down the PoC request:
POST /cacti-0.8.7e/templates_export.php HTTP/1.1
Host: 192.168.1.107
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://192.168.1.107/cacti-0.8.7e/templates_export.php
Cookie: Cacti=563bb99868dfa24cc70982bf80c5c03e
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
export_item_id=18 and 1=1&include_deps=on&output_format=3&export_type=graph_template&save_component_export=1&action=save&x=24&y=12Explanation of the PoC Request Components:
POST /cacti-0.8.7e/templates_export.php HTTP/1.1: This indicates the HTTP method (POST) and the target script (templates_export.php) within the Cacti application.Host: 192.168.1.107: The IP address of the target Cacti server.Accept,Accept-Language,Accept-Charset: Standard HTTP headers indicating the client's preferences for content types and character sets. These are not directly part of the exploit but are typical for web requests.Proxy-Connection: keep-alive: A header that suggests the client wants to keep the connection open for subsequent requests.Referer: http://192.168.1.107/cacti-0.8.7e/templates_export.php: This header indicates the page from which the request originated, often used by web applications for security checks or tracking.Cookie: Cacti=563bb99868dfa24cc70982bf80c5c03e: This is a crucial part. It signifies that the attacker has already authenticated or is using a valid session cookie for the Cacti application. This implies a prerequisite of having some level of access or a stolen session.Content-Type: application/x-www-form-urlencoded: Specifies that the data in the request body is encoded in a standard form submission format.Content-Length: 130: The size of the request body in bytes.
Request Body (The "Payload"):
export_item_id=18 and 1=1: This is the core of the exploit.18: This is the original, intended value for theexport_item_id.and 1=1: This is the injected SQL code. When appended to the original query, it effectively becomes something likeSELECT ... WHERE id = 18 AND 1=1 .... Since1=1is always true, this part of the condition doesn't change the outcome of the query if the original query was expecting a single ID. However, it demonstrates that arbitrary SQL can be appended. A more malicious payload would use this to alter the query's logic, e.g.,18 OR 1=1 --to bypass ID checks or18 UNION SELECT ...to extract data.
include_deps=on: A parameter likely related to exporting dependencies.output_format=3: Specifies the desired output format.export_type=graph_template: Indicates the type of item to be exported.save_component_export=1: A flag to save the export configuration.action=save: The action to perform, likely saving the export.x=24&y=12: Coordinates, often from a clicked image map or button, typically not exploitable on their own but part of the form submission.
Mapping of Code Fragment/Block -> Practical Purpose:
export_item_id=18 and 1=1: Practical Purpose: Demonstrates SQL injection by appending a condition (AND 1=1) that is always true. This confirms that the input is not sanitized and can be manipulated to alter the intended SQL query. A more advanced attacker would use this to injectUNION SELECTstatements to extract data orORconditions to bypass authentication/authorization.Cookie: Cacti=...: Practical Purpose: Indicates that authenticated access or a valid session is a prerequisite for this exploit. The attacker needs to be logged into Cacti or possess a valid session token.
Shellcode/Payload Segments:
There are no explicit shellcode bytes or multi-stage payloads presented in this paper. The "payload" is the crafted HTTP POST request body designed to trigger the SQL injection vulnerability within the templates_export.php script. The impact of the injection depends on the specific SQL code appended to export_item_id.
Practical details for offensive operations teams
- Required Access Level: Authenticated user with the ability to access the "Graph Templates" section and trigger an export. This means an attacker needs a valid Cacti username and password, or a stolen session cookie.
- Lab Preconditions:
- A running instance of Cacti version 0.8.7e.
- Network access to the Cacti web interface.
- A valid user account for Cacti.
- Knowledge of the
templates_export.phpscript's functionality and theexport_item_idparameter.
- Tooling Assumptions:
- Web Browser: For initial access and authentication.
- HTTP Interception Proxy (e.g., Burp Suite, OWASP ZAP): Essential for capturing the original request, modifying the
export_item_idparameter, and replaying the crafted request. - SQLMap (or similar automated SQLi tools): While the paper provides a manual PoC, tools like SQLMap can automate the discovery of vulnerable parameters, the type of SQL injection (error-based, UNION-based, blind), and data exfiltration.
- Execution Pitfalls:
- Incorrect
export_item_id: If the injected SQL syntax is incorrect, the query might fail, or Cacti might return an error without revealing useful information. - WAF/IDS Evasion: Modern Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) might detect common SQL injection patterns. The attacker might need to employ obfuscation techniques or use less common SQL syntax.
- Authentication/Authorization Bypass: The PoC uses
AND 1=1, which is a basic test. To achieve significant impact (data exfiltration, modification), more complex SQL, likeUNION SELECT, would be needed, which might be harder to craft manually and more likely to be detected. - Database Specific Syntax: The exact syntax for SQL injection can vary slightly between database systems (MySQL, PostgreSQL, SQL Server, etc.). The attacker needs to know or infer the target database. Cacti typically uses MySQL.
- Session Expiration: If the attacker is using a stolen cookie, it might expire, requiring re-authentication or a new session.
- Incorrect
- Tradecraft Considerations:
- Reconnaissance: Identify the Cacti version and confirm the presence of the
templates_export.phpscript. - Authentication: Obtain valid credentials or a session cookie. This is a critical initial step.
- Parameter Discovery: Use a proxy to identify parameters passed to
templates_export.php. - Payload Crafting: Start with simple payloads like
18 and 1=1or18 OR 1=1 --to confirm vulnerability. Then, move toUNION SELECTstatements to extract data (e.g.,18 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100 FROM information_schema.tables --). The number of columns in theUNION SELECTmust match the original query. - Data Exfiltration: Extract user credentials, configuration details, or sensitive monitoring data.
- Post-Exploitation: Depending on the database privileges, an attacker might be able to write files to the server (e.g., web shells) or execute commands.
- Reconnaissance: Identify the Cacti version and confirm the presence of the
- Expected Telemetry:
- Web Server Logs: Unusual POST requests to
templates_export.phpwith malformed or excessively longexport_item_idparameters. Look for SQL keywords likeUNION,SELECT,OR,AND,--,#,/*. - Database Logs: Suspicious queries executed against the Cacti database, especially those involving
information_schemaor attempting to retrieve data from unintended tables. - Application Logs: Cacti might log errors if the injected SQL causes query failures.
- Network Traffic: Anomalous traffic patterns if data exfiltration is occurring.
- Web Server Logs: Unusual POST requests to
Where this was used and when
- Context: This vulnerability was discovered and published in 2010. It targets Cacti version 0.8.7e.
- Usage: While specific instances of this exploit being used in the wild are not detailed in the paper, vulnerabilities of this nature are commonly exploited by:
- Malicious actors: To gain unauthorized access to network monitoring data, which can be used for further reconnaissance or targeted attacks.
- Red Teams/Penetration Testers: To demonstrate the impact of SQL injection on an organization's infrastructure during authorized security assessments.
- Approximate Years: The vulnerability was published in 2010. Exploitation would have occurred around this time and potentially for a period afterward until the affected version was patched or phased out.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical lesson. All user-supplied input, especially that which is used in database queries, must be strictly validated and sanitized. This includes:
- Parameterized Queries/Prepared Statements: The most robust defense. These separate SQL code from data, preventing injected code from being executed.
- Whitelisting: Only allow known-good characters or patterns for input.
- Blacklisting (less effective): Avoid relying solely on blacklisting known malicious characters, as attackers can often find ways around them.
- Principle of Least Privilege: Ensure the web application's database user has only the necessary permissions. This limits the damage an attacker can do even if they achieve SQL injection.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common SQL injection patterns. However, WAFs are not a silver bullet and should be part of a layered defense.
- Regular Patching and Updates: Keep all web applications and their dependencies (like Cacti) updated to the latest secure versions. Vulnerabilities are often fixed in newer releases.
- Security Audits and Code Reviews: Regularly audit web application code for common vulnerabilities like SQL injection.
- Logging and Monitoring: Implement comprehensive logging for web server and database activity. Monitor these logs for suspicious patterns indicative of SQL injection attempts.
- Error Handling: Configure web applications to display generic error messages to users, rather than detailed database error messages, which can often reveal information useful to attackers.
ASCII visual (if applicable)
This exploit is a direct manipulation of data flow within a single script. An ASCII diagram might overcomplicate it. The core concept is that user input bypasses intended processing and directly influences database queries.
+-----------------+ +-------------------------+ +-------------------+
| Attacker (User) |----->| Cacti Web Application |----->| Database Server |
+-----------------+ | (templates_export.php) | +-------------------+
| |
| Input: export_item_id |
| (e.g., "18 and 1=1") |
| |
| *Vulnerable Sanitization*|
| |
| SQL Query Construction |
| (e.g., SELECT ... WHERE |
| id = 18 and 1=1) |
+-------------------------+Explanation of Diagram:
- The Attacker sends a request to the Cacti Web Application.
- The
templates_export.phpscript receives user input, specifically theexport_item_id. - Crucially, the script has Vulnerable Sanitization (or lack thereof).
- This leads to the construction of a SQL query where the attacker's injected SQL is directly incorporated.
- The malformed query is then sent to the Database Server.
Source references
- Paper ID: 12338
- Paper Title: Cacti 0.8.7e - SQL Injection
- Author: Nahuel Grisolia
- Published: 2010-04-22
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/12338
- Raw Exploit URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12338.pdf (Note: This is a PDF, not a direct code exploit).
Original Exploit-DB Content (Verbatim)
CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
A Vulnerability has been discovered in Cacti, which can be exploited by any
user to conduct SQL Injection attacks.
Input passed via the “export_item_id” parameter to “templates_export.php”
script is not properly sanitized before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL
code.
The following is a Proof of Concept POST request:
POST /cacti-0.8.7e/templates_export.php HTTP/1.1
Host: 192.168.1.107
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://192.168.1.107/cacti-0.8.7e/templates_export.php
Cookie: Cacti=563bb99868dfa24cc70982bf80c5c03e
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
export_item_id=18 and 1=1&include_deps=on&output_format=3&export_type=graph_template&save_component_export=1&action=save&x=24&y=12
===========================================================================
Download:
===========================================================================
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12338.pdf (Bonsai-SQL_Injection_in_Cacti.pdf)
<Bonsai Information Security Advisories>
http://www.bonsai-sec.com/en/research/vulnerability.php