Brief analysis of a SQL injection in Cacti 0.8.8b

Back in September 2013 I wanted to practice some code auditing and picked the latest version of Cacti (v0.8.8b at the time). I spent a few hours looking into the code and also assessing a running instance of Cacti and this exercise resulted in a few vulnerabilities. I was motivated to finally put together this write-up since several SQL injections were fixed in Cacti in July 2015. As of this writing (September 2015), it seems like this vulnerability is still present in the latest version of Cacti.

For those who don’t know, Cacti is a quite popular network monitoring tool pretty similar to Zabbix and Nagios. A quick Google search for intitle:"Login to Cacti" comes up with more than 4,000 results. Finding high severity bugs in Cacti means that chances are very high an attacker will actually break into a box located in a privileged position in the network, as it needs to be positioned in a way to monitor traffic and events.

Cacti is a PHP application and I have to say, it’s miserable from a security point of view.

Positive HackDays 2012 $natch write-up

Some time ago, while browsing old backups, I stumbled upon a raw write-up I did for $natch, a vulnerable Internet banking application created for a CTF-style competition organized by the folks of Positive Technologies. They held this contest at PHDays 2012 in Moscow and at the 29th Chaos Communication Congress in Hamburg.

I participated in the contest at the 29C3 and scored second place (in fact I found more bugs than the winner and certainly would have won if my laptop’s network card hadn’t bailed out – I had to borrow one from the organizers so I could play).

This post will discuss in detail every vulnerability found within the application, along with the relevant vulnerable source code, and explain all steps necessary to successfully exploit them.
