Time Based SQL Injection in Zabbix Server Audit Log (CVE-2024-22120)

Description

Summary:

Zabbix server can execute commands for configured scripts. After a command is executed, an audit entry is added to the “Audit Log”. Because the “clientip” field is not sanitized, it is possible to inject SQL into “clientip” and exploit a time-based blind SQL injection.

Steps To Reproduce:

I will provide 3 variations of steps to reproduce. The 1st one is real exploitation running the attached exploit: it will extract the admin session_id and the session_key used to sign zbx_session, and together this data can be used to generate a correct admin zbx_session. The 2nd is an easier version which will simply make a PoC of the time-based SQL injection; you will see 3 requests and how the backend sleeps for 1, 5 and 10 seconds. The 3rd is another simple PoC which you can verify via zabbix_server.log.

Steps To Exploit

1. Log in as a low-privileged user. The user should have access to at least 1 host to be able to run a command against it, as on the screenshot.

Image F3064173: image.png 87.24 KiB

2. Extract the logged-in user's “sessionid” from the zbx_session cookie (decode it as base64 and grab sessionid from the JSON).


3. Extract any hostid available to this user (open Monitoring->Hosts; the host id will be in the response).

4. Execute the attached exploit zabbix_server_time_based_blind_sqli.py; use --help if needed. In the standard case “ip”, “sessionid” and “hostid” should be enough:

python3 zabbix_server_time_based_blind_sqli.py --ip 192.168.223.128 --sid a6094b4f052fd133adc335382f0297f6 --hostid 10607 | grep "(+)"

Exploit execution can take ~10 mins, but you will see a progress update every few secs. The exploit takes that much time because of the time-based SQLi: it requires a sleep() for a while on each guess (see exploit code). Piping to grep "(+)" is just to filter the output, otherwise pwntools prints too much debug data. As a result you will get the admin session_id and the session_key used to sign the zbx_session cookie, so you can generate an admin token now.

Steps to PoC the Time Based Blind SQLi

1. Perform steps 1-3 from “Steps To Exploit” (extract the low-privileged user's sessionid and any available hostid).

2. Execute the exploit (replace ip, sessionid and hostid with yours from the previous step):

python3 zabbix_server_time_based_blind_sqli.py LOG_LEVEL=error --ip 192.168.223.128 --sid a6094b4f052fd133adc335382f0297f6 --hostid 10607 --poc

 
You will see 3 requests, and the backend sleeps for 1, 5 and 10 secs before responding. The request/response packets are printed so you can see that the sleep happens on the backend.

Steps to PoC to Generate Error in Zabbix Logs

1. Perform steps 1-3 from “Steps To Exploit” (extract the low-privileged user's sessionid and any available hostid).

2. Execute the exploit (replace ip, sessionid and hostid with yours from the previous step):

python3 zabbix_server_time_based_blind_sqli.py LOG_LEVEL=error --ip 192.168.223.128 --sid a6094b4f052fd133adc335382f0297f6 --hostid 10607 --poc2

3. Check zabbix_server.log: you will see that the query failed, but the injected ‘ + version() + ‘ and its result are in place.


Technical Details:

The SQL injection is in audit.c, function zbx_auditlog_global_script:

...
	/* clientip is interpolated into the statement as-is; only details is escaped (details_esc) */
	if (ZBX_DB_OK > zbx_db_execute("insert into auditlog (auditid,userid,username,clock,action,ip,resourceid,"
			"resourcename,resourcetype,recordsetid,details) values ('%s'," ZBX_FS_UI64 ",'%s',%d,'%d','%s',"
			ZBX_FS_UI64 ",'%s',%d,'%s','%s')", auditid_cuid, userid, username, (int)time(NULL),
			ZBX_AUDIT_ACTION_EXECUTE, clientip, hostid, hostname, AUDIT_RESOURCE_SCRIPT, auditid_cuid,
			details_esc))
	{
		ret = FAIL;
	}

clientip is NOT sanitized and is controlled by the attacker, so we can put an SQL query here. Only time-based SQLi will work (see exploit code).
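Since the injected payload is stored in the “ip” column of the same auditlog row, defenders can hunt for exploitation after the fact by checking that column for values that are not plain IP addresses. The following is an added example, not code from the original report or from Zabbix; it assumes auditlog rows have been exported as dicts with the column names from the insert statement above, and the sample rows are constructed.

```python
"""Hunt the Zabbix auditlog table for 'ip' values that cannot be a client address."""
import ipaddress
import re

# Tokens that never belong in a client IP but do appear in the injection the
# report describes: string break-out quotes, comment markers, sleep(), version().
SQLI_MARKERS = re.compile(
    r"(['\"]|--|/\*|\bsleep\s*\(|\bversion\s*\(|\bselect\b)", re.IGNORECASE
)


def classify_ip(value: str) -> str:
    """Return 'ok' for a parseable IPv4/IPv6 address, otherwise why it is suspicious."""
    if value == "":
        # Assumption: script runs with no frontend client (e.g. actions) store an empty ip.
        return "ok"
    try:
        ipaddress.ip_address(value)
        return "ok"
    except ValueError:
        pass
    return "sqli-marker" if SQLI_MARKERS.search(value) else "malformed"


def suspicious_audit_entries(rows):
    """Return (auditid, userid, reason, ip) for every row whose ip is not a plain address."""
    findings = []
    for row in rows:
        reason = classify_ip(row.get("ip", ""))
        if reason != "ok":
            findings.append((row["auditid"], row["userid"], reason, row["ip"]))
    return findings


# Constructed sample rows: one normal execute entry, one time-based probe, one malformed value.
SAMPLE_ROWS = [
    {"auditid": "clx1", "userid": 3, "username": "operator", "ip": "192.168.223.10"},
    {"auditid": "clx2", "userid": 3, "username": "operator", "ip": "10.0.0.5' or sleep(5) or '"},
    {"auditid": "clx3", "userid": 3, "username": "operator", "ip": "not-an-ip"},
]

if __name__ == "__main__":
    for auditid, userid, reason, ip in suspicious_audit_entries(SAMPLE_ROWS):
        print(f"{auditid} userid={userid} {reason}: {ip!r}")
```

Run the same check periodically against a read-only export of auditlog; a “sqli-marker” hit on an execute entry is a strong indicator that this vector was tried, and the userid tells you which low-privileged account did it.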

Exploit Output

[image: exploit output screenshot]

Impact

Allows dumping any values from the database. As an example, the exploit above allows privilege escalation from user to admin. In some cases SQL injection leads to RCE.

Originally published by dimir: Time Based SQL Injection in Zabbix Server Audit Log (CVE-2024-22120)

Posted by admin on May 21, 2024 at 7:18 PM.
