CVE-2024-25641 PoC — Cacti RCE vulnerability when importing packages

Source

https://github.com/XiaomingX/cve-2024-25641-poc

Associated Vulnerability

Title:Cacti RCE vulnerability when importing packages (CVE-2024-25641)
Description:Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.

Description

PoC for CVE-2024-25641 Authenticated RCE on Cacti v1.2.26

Readme

# Cacti CVE-2024-25641 认证包上传远程代码执行漏洞（RCE）概念验证 (PoC)

此脚本用于展示如何利用Cacti中的CVE-2024-25641漏洞进行攻击，Cacti是一款基于Web的监控工具。该脚本会自动进行身份验证、上传恶意包并触发一个反向Shell。

## 环境需求

- Python 3.x
- `requests` 库
- `argparse` 库
- `re` 库

可以使用 `pip3` 来安装所需的Python库：

```bash
pip3 install requests
pip3 install argparse
pip3 install re
```

## 使用方法

确保将 **test.xml.gz** 文件和 **exploit.py** 放在同一个目录下，然后执行以下命令：

```bash
python3 exploit.py --url <目标网址> -u <用户名> -p <密码> -i <本地IP地址> -l <端口号> [--proxy]
```

## 启动 nc 监听器

```bash
nc -nvlp <端口号>
```

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!