Zabbix high-risk SQL injection vulnerability can be exploited to obtain system privileges

Source: Internet
Author: User


Vulnerability Overview

Zabbix is an open-source enterprise-level performance monitoring solution. Recently, the profileIdx2 parameter of Zabbix's jsrpc.php was found to contain an insert SQL injection vulnerability. Attackers can log on to the Zabbix management system without authorization, and can then use the script function and similar features to easily obtain operating system permissions on the Zabbix server.

Official Website

http://www.zabbix.com

Impact

Attack cost: low

Hazard level: high

Login required: no

Affected versions: 2.2.x, 3.0.0-3.0.3 (other versions were not tested)

Vulnerability Testing

Append the following URL to your Zabbix address:

jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17

The output result is as follows:
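The verification request above has a property a defender can key on: Zabbix's jsrpc.php expects profileIdx2 to be a plain integer index, so any non-numeric value in that parameter is anomalous regardless of the exact payload. The following script is an added example, not code from the original article or from the Zabbix project. It scans web server access log lines (common log format; the sample lines are constructed here, the first one carrying the article's own test URL) for jsrpc.php requests whose profileIdx2 value is not purely numeric, labels which SQL keywords appeared, and also checks a Zabbix version string against the affected range the article lists (2.2.x and 3.0.0-3.0.3). Versions outside that range are reported as not affected only in the sense that the article did not test them.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Keywords that commonly appear in error-based or blind MySQL injection payloads.
# They are used only to label why a request was flagged; the decision to flag is
# made on "profileIdx2 is not an integer", which is what Zabbix expects there.
SUSPICIOUS_SQL = re.compile(
    r"\b(updatexml|extractvalue|union|select|sleep|benchmark|or|and)\b",
    re.IGNORECASE,
)

# Common log format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (assumed path /zabbix/ under the web root).
# Line 1 carries the article's verification URL; line 2 is a legitimate request
# with a numeric profileIdx2; line 3 is unrelated traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/2016:05:06:32 +0000] "GET /zabbix/jsrpc.php?type=9'
    '&method=screen.get&timestamp=1471403798083&pageFile=history.php'
    '&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23'
    '&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17 HTTP/1.1" 200 512',
    '10.0.0.7 - - [17/Aug/2016:05:07:10 +0000] "GET /zabbix/jsrpc.php?type=9'
    '&method=screen.get&profileIdx=web.item.graph&profileIdx2=23&updateProfile=true HTTP/1.1" 200 1024',
    '10.0.0.9 - - [17/Aug/2016:05:08:01 +0000] "GET /zabbix/index.php HTTP/1.1" 200 2048',
]


def inspect_request(target):
    """Return None for a benign request, or a dict describing why it was flagged.

    parse_qs URL-decodes the value ('+' -> space, '%23' -> '#'), so the check
    sees the payload the way the database would.
    """
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "jsrpc.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("profileIdx2", []):
        if not value.isdigit():
            keywords = sorted({m.lower() for m in SUSPICIOUS_SQL.findall(value)})
            return {"param": "profileIdx2", "value": value, "keywords": keywords}
    return None


def scan_access_log(lines):
    """Parse each log line and collect findings for anomalous jsrpc.php requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip rather than guess
        hit = inspect_request(m.group("target"))
        if hit:
            findings.append(
                {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), **hit}
            )
    return findings


def is_affected_version(version):
    """True if the version is in the ranges the article lists: 2.2.x or 3.0.0-3.0.3.

    Anything else returns False because the article did not test other versions;
    treat that as "unknown", not as "safe".
    """
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    if len(nums) < 3:
        return False
    major, minor, patch = nums
    if (major, minor) == (2, 2):
        return True
    return (major, minor) == (3, 0) and 0 <= patch <= 3


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"{f['param']}={f['value']!r} keywords={f['keywords']}")
    for v in ("2.2.14", "3.0.3", "3.0.4"):
        print(v, "affected" if is_affected_version(v) else "not in tested range")
```

Flagging on "not an integer" rather than on a keyword list means a payload that avoids the usual keywords is still caught, while the keyword labels help an analyst triage what kind of injection was attempted.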

Supplement

The above is only a method for verifying the vulnerability.

Attackers can go further and construct error-based injection statements, without needing to obtain or crack the encrypted administrator password.

Experienced attackers can directly obtain the admin session id, construct the sid according to its structure algorithm, replace the cookie, and log on as an administrator.

Solution

Upgrade to the latest version as soon as possible. Version 3.0.4 is reported to contain the fix.

Security Prompt

The monitoring system watches over an enterprise's core assets. Once it is compromised and controlled by an intruder, it effectively helps the attacker penetrate further into the enterprise.

Pay attention to this vulnerability and fix it as soon as possible.

From: http://www.freebuf.com/vuls/112197.html

Address: http://www.linuxprobe.com/zabbix-sql-bug.html

