CVE-2024-29895 PoC — Cacti command injection in cmd_realtime.php

Source

https://github.com/secunnix/CVE-2024-29895

Associated Vulnerability

Title:Cacti command injection in cmd_realtime.php (CVE-2024-29895)
Description:Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

Description

Cacti CVE-2024-29895 POC

Readme

# CVE-2024-29895
Cacti CVE-2024-29895 POC
A command injection vulnerability allows any unauthenticated user to execute arbitrary command on the server when register_argc_argv option of PHP is On.

https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m

Usage: app -m http://site.com/ -c whoami

Or: app -w url_list.txt -c whoami

Or: app -r 192.168.1.0/24 -c whoami

File Snapshot


 [4.0K]  /data/pocs/17ba1a8e254f4dd9f66b85bc6911cd1a4b39e2bf
├── [ 160]  Cargo.toml
├── [ 382]  README.md
└── [4.0K]  src
    └── [5.7K]  main.rs

1 directory, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!