Summary
There is a file inclusion issue in the lib/plugin.php file. Combined with a SQL injection vulnerability, it can be escalated to remote code execution (RCE).
Details
There is a file inclusion issue in the api_plugin_hook() function in the lib/plugin.php file. The function reads the plugin_hooks and plugin_config tables from the database and uses the returned values directly to build the path that is passed to a file include. Because the name and file columns are concatenated without validation, a row containing '../' sequences makes the include resolve to a file outside the plugins directory.
PoC
Use the SQL injection vulnerability described in the advisory below:
https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
Insert the malicious rows into the database by triggering that SQL injection with the following payloads:
plugin_hooks: 1;INSERT INTO plugin_hooks VALUES (3,'.','login_after','../../myVul/FileIncludeofgraph_image/test.php','.','1');#
plugin_config: 1;INSERT INTO plugin_config VALUES (1,'.','FI',1,1,1,1);#
Then prepare the PoC file that will be included.
Finally, trigger the hook the inserted row is registered for (login_after in the payload above); api_plugin_hook() includes the file at the attacker-controlled path.
To turn this into RCE, write a payload into a log file and include that file. The detailed method is described in the following advisory:
https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
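The following is an added illustration, not code from Cacti or from the advisory authors. It models the pattern described in the Details section (a hook loader that builds an include path from rows of plugin_hooks / plugin_config) alongside a hardened version, and feeds both the row that the PoC payload above inserts. The function names, the $base_path value and the constructed rows are assumptions for this example; the vulnerable function is deliberately left with the traversal so the difference is visible.

```php
<?php
// Added example, not Cacti's own code. Models a hook loader that trusts
// plugin_hooks / plugin_config rows, beside a version that validates them.
// $base_path, $rows, load_hooks_vulnerable and load_hooks_hardened are
// names assumed for this illustration.

$base_path = '/var/www/html/cacti';

// Constructed rows standing in for the join over plugin_hooks and
// plugin_config. The second row is the advisory's payload: name '.' and a
// file column that walks out of the plugins directory.
$rows = [
    ['name' => 'thold', 'file' => 'setup.php',                                     'status' => 1],
    ['name' => '.',     'file' => '../../myVul/FileIncludeofgraph_image/test.php', 'status' => 1],
];

// Vulnerable pattern: the path is concatenated from database fields and
// handed to include_once as soon as a file exists there. With the payload
// row this becomes "<base>/plugins/./../../myVul/.../test.php", i.e. a file
// two levels above the Cacti install.
function load_hooks_vulnerable(string $base_path, array $rows): array {
    $included = [];
    foreach ($rows as $r) {
        if ((int)$r['status'] !== 1) {
            continue;
        }
        $path = $base_path . '/plugins/' . $r['name'] . '/' . $r['file'];
        if (file_exists($path)) {
            include_once $path;
            $included[] = $path;
        }
    }
    return $included;
}

// Hardened form: treat the rows as untrusted input. Require an identifier-like
// plugin name and a bare .php filename, then confirm the resolved path is
// still inside plugins/<name>/ before including anything.
function load_hooks_hardened(string $base_path, array $rows): array {
    $plugins_dir = realpath($base_path . '/plugins');
    if ($plugins_dir === false) {
        return [];
    }
    $included = [];
    foreach ($rows as $r) {
        if ((int)$r['status'] !== 1) {
            continue;
        }
        if (!preg_match('/^[A-Za-z0-9_]+$/', $r['name'])
            || !preg_match('/^[A-Za-z0-9_\-]+\.php$/', $r['file'])) {
            error_log('plugin hook rejected, bad name/file: ' . json_encode($r));
            continue;
        }
        // realpath() returns false for missing paths and follows symlinks, so
        // the prefix checks also catch a plugin directory or hook file that
        // has been linked to somewhere outside plugins/.
        $plugin_dir = realpath($plugins_dir . DIRECTORY_SEPARATOR . $r['name']);
        $real       = $plugin_dir === false
            ? false
            : realpath($plugin_dir . DIRECTORY_SEPARATOR . $r['file']);
        if ($plugin_dir === false
            || strpos($plugin_dir, $plugins_dir . DIRECTORY_SEPARATOR) !== 0
            || $real === false
            || strpos($real, $plugin_dir . DIRECTORY_SEPARATOR) !== 0) {
            error_log('plugin hook rejected, path escape: ' . json_encode($r));
            continue;
        }
        include_once $real;
        $included[] = $real;
    }
    return $included;
}

print_r(load_hooks_vulnerable($base_path, $rows));
print_r(load_hooks_hardened($base_path, $rows));
```

Run against a real install, the vulnerable loader includes the payload row as soon as the attacker has placed test.php at the traversed location, while the hardened loader rejects it at the name check ('.' is not an identifier) and would also reject it at the realpath prefix check if the name check were relaxed. Validating the columns is necessary because the SQL injection means the database cannot be treated as a trusted source for file paths.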
Researcher: ISHGARD-2, USTC