
Unable to reproduce SQL injection in Zabbix 3.0.x via crawling #760

Open
brandonprry opened this issue Aug 13, 2016 · 4 comments

@brandonprry

Hi,

Watching my email this afternoon, I noticed a SQL injection vulnerability for Zabbix was released.

http://seclists.org/fulldisclosure/2016/Aug/60

I decided to see if I could reproduce it to write a Metasploit module, but also decided to see if I could reproduce the issue with Arachni with sane defaults. The Zabbix front end is a basic PHP front end with some fancy javascript and is easily crawlable for the most part.

However, some of the filter forms in the UI are JS-based, making AJAX calls. I was hoping that the Phantom engine would make easy work of them, but I am also not 100% sure I am using arachni correctly to enable the use of Phantom to begin with.

Arachni detects the SQL injection if I pass the vulnerable URL directly with an up to date CSRF token and --http-cookie-string. However, letting Arachni crawl it does not. I can easily reproduce the path to the vulnerable HTTP request in the UI.

Not sure what information is useful. It may be wishful thinking to detect it. :)

I am testing against zabbix-frontend-php 3.0.3. The command I am running is:

```shell
./arachni --input-value .*:a --http-cookie-string "PHPSESSID=9rb0d293rcu2narujm9g56f0m4; tab=0; zbx_sessionid=ed0ad759ceed8ba8e7f5258e31e52777" --checks sql* --scope-exclude-pattern reconnect http://172.18.20.39/zabbix/index.php
```

The --input-value is so that I know that arachni is testing with a simple value that should bring up general search terms.

@brandonprry
Author

Here is the filter button HTML. Should I expect that the onclick would run?

```html
<button type="submit" id="filter_set" name="filter_set" value="Filter" onclick="javascript: chkbxRange.clearSelectedOnFilterChange();">Filter</button>
```

@Zapotek
Member

Zapotek commented Aug 13, 2016

My guess is that the button is clicked and the input vector is extracted, but the anti-CSRF token isn't being refreshed.
Inputs extracted from AJAX requests don't have an associated element in order to refresh nonces.
I'll run some tests and if that's indeed what's going on I'll try to find a way around it.
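
The failure mode Zapotek describes above, as an added toy model (Python, written for this page; it is not Arachni's or Zabbix's code): a front end that mints a fresh anti-CSRF token on every page render and accepts a filter request only with the current token. A vector tied to a form element lets the scanner reload the page and re-read the token before each probe, which is the direct-URL case that worked; a vector captured from an AJAX call has no element to reload, so the scanner reuses the one token it saw and every probe after the first is rejected before it reaches the query layer. The `sid` parameter name, the single-use token policy and the `ToyApp` class are assumptions made for the example, not a description of Zabbix.

```python
"""Toy model: why a crawler-driven scan can miss what a direct, token-refreshed
request finds. Everything here (ToyApp, the probe loop, the single-use token
policy) is constructed for this example and is not Arachni or Zabbix code."""
import secrets


class ToyApp:
    """Hypothetical PHP-style front end. Every page render issues a fresh
    anti-CSRF token; a filter request is processed only if it carries the
    current token, and the token is consumed on use (assumption for this
    example, not a statement about Zabbix)."""

    def __init__(self):
        self.token = None
        self.log = []            # (status, search value) for each filter request
        self.reached_query = []  # search values that got as far as the query layer

    def render_page(self):
        # A page load is the only place a new token is minted, so a scanner can
        # refresh it only if the vector is tied to a form element it can reload.
        self.token = secrets.token_hex(8)
        return {"form": {"sid": self.token, "filter_set": "Filter"}}

    def handle_filter(self, params):
        if params.get("sid") != self.token:
            self.log.append((403, params.get("search")))
            return 403           # stale token: the probe never reaches the query layer
        self.token = None        # single-use token is consumed
        self.reached_query.append(params["search"])
        self.log.append((200, params["search"]))
        return 200


# Constructed probe values; the point is delivery, not what the values contain.
PROBES = ["a", "a2", "a3"]


def scan_with_refresh(app):
    """Vector has an associated element: reload the page and read the current
    token before every probe (the direct-URL case that was detected)."""
    delivered = 0
    for value in PROBES:
        form = app.render_page()["form"]
        if app.handle_filter({"sid": form["sid"], "search": value}) == 200:
            delivered += 1
    return delivered


def scan_without_refresh(app):
    """Vector extracted from an AJAX call: the scanner captured one token when
    the filter button was clicked and reuses it, so only the first probe lands."""
    captured = app.render_page()["form"]["sid"]
    delivered = 0
    for value in PROBES:
        if app.handle_filter({"sid": captured, "search": value}) == 200:
            delivered += 1
    return delivered


def rejected_ratio(app):
    """Defender's view: a burst of 403s on the filter handler is the trace a
    stale-token scan leaves in the access log."""
    if not app.log:
        return 0.0
    return sum(1 for status, _ in app.log if status == 403) / len(app.log)


if __name__ == "__main__":
    good = ToyApp()
    print("with refresh:   ", scan_with_refresh(good), "of", len(PROBES), "probes delivered")
    stale = ToyApp()
    print("without refresh:", scan_without_refresh(stale), "of", len(PROBES), "probes delivered")
    print("403 ratio without refresh: %.2f" % rejected_ratio(stale))
```

Run it as a script: the refreshed scan delivers all three probes, the stale-token scan delivers one and leaves two 403s behind. That is the gap between "Arachni detects it when given the URL directly" and "letting it crawl does not", and the 403 burst is what an operator watching the front end's logs would see of the second case.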

@brandonprry
Author

brandonprry commented Aug 13, 2016

I am not super concerned about it. I thought it would be an interesting test that you would like to be aware of. The Zabbix UI is pretty typical of the average modern web app right now I feel (perhaps slightly more advanced), so it was good fodder.

I should clarify that when I say 'sane defaults', I simply don't want to enable any options that presuppose the vulnerability in question is there, in case that didn't make sense.

@Zapotek Zapotek added this to the 1.6 milestone Aug 14, 2016
@Zapotek
Member

Zapotek commented Aug 14, 2016

I understand, still, it'd be a nice feature to have.
