Hi,
Watching my email this afternoon, I noticed a SQL injection vulnerability for Zabbix was released.
http://seclists.org/fulldisclosure/2016/Aug/60
I decided to see if I could reproduce it to write a Metasploit module, but also decided to see if I could reproduce the issue with Arachni with sane defaults. The Zabbix front end is a basic PHP front end with some fancy JavaScript and is easily crawlable for the most part.
However, some of the filter forms in the UI are JS-based, making AJAX calls. I was hoping that the Phantom engine would make easy work of them, but I am also not 100% sure I am using Arachni correctly to enable the use of Phantom to begin with.
Arachni detects the SQL injection if I pass the vulnerable URL directly with an up-to-date CSRF token and --http-cookie-string. However, letting Arachni crawl it does not. I can easily reproduce the path to the vulnerable HTTP request in the UI.
Not sure what information is useful. It may be wishful thinking to detect it. :)
I am testing against zabbix-frontend-php 3.0.3. The command I am running is:
./arachni --input-value .*:a --http-cookie-string "PHPSESSID=9rb0d293rcu2narujm9g56f0m4; tab=0; zbx_sessionid=ed0ad759ceed8ba8e7f5258e31e52777" --checks sql* --scope-exclude-pattern reconnect http://172.18.20.39/zabbix/index.php
The --input-value is so that I know that Arachni is testing with a simple value that should bring up general search terms.
My guess is that the button is clicked and the input vector is extracted, but the anti-CSRF token isn't being refreshed.
Inputs extracted from AJAX requests don't have an associated element in order to refresh nonces.
I'll run some tests and if that's indeed what's going on I'll try to find a way around it.
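To illustrate the mechanism guessed at in the comment above, here is an added example (not code from Arachni or from the Zabbix frontend): a constructed toy app that mints a fresh nonce on every page load and checks it in the AJAX filter handler before any parameter reaches the (deliberately unparameterised) query. A scanner that replays the parameters captured from the AJAX request never gets past the nonce check, so its payloads are never evaluated and the injection is invisible; a scanner that re-renders the form page and refreshes the nonce for every probe does reach the vulnerable code. The class and parameter names (`NonceProtectedApp`, `sid`, `search`, the `var sid = "..."` script), the per-page-load rotation of the token and the toy "SQL syntax" error string are assumptions of this example, not details of Zabbix or of Arachni's nonce handling.

```python
"""Why a crawl-time scan can miss an injection behind an anti-CSRF nonce.

Constructed toy model, not Zabbix and not Arachni code. The token rotates on
every page load (an assumption), so parameters captured once during a crawl
carry a stale nonce by the time the scanner mutates them.
"""
import re
import secrets

# Minimal SQLi probes; "a'" leaves an unbalanced quote in the toy query.
PAYLOADS = ["a", "a'", "a''"]

SID_RE = re.compile(r'var sid = "([0-9a-f]+)"')


class NonceProtectedApp:
    """Toy PHP-style app: an AJAX filter endpoint guarded by a per-page nonce."""

    def __init__(self):
        self.current_sid = None
        self.executed_sql = []  # every query the handler actually ran

    def get_page(self):
        """Render the filter form; each render mints a new nonce (assumption)."""
        self.current_sid = secrets.token_hex(8)
        return ('<form id="filter"><input name="search"></form>'
                f'<script>var sid = "{self.current_sid}";</script>')

    def ajax_filter(self, params):
        """The nonce is checked FIRST; a stale sid never reaches the query."""
        if params.get("sid") != self.current_sid:
            return 403, "invalid or expired token"
        # Deliberately vulnerable by construction: concatenation, no binding.
        search = params.get("search", "")
        sql = "SELECT name FROM items WHERE name LIKE '%" + search + "%'"
        self.executed_sql.append(sql)
        # Toy DB: an unbalanced quote is a syntax error that leaks into the body.
        if sql.count("'") % 2:
            return 500, "You have an error in your SQL syntax near '" + search + "'"
        return 200, "<ul></ul>"


def extract_sid(html):
    """Pull the live nonce out of the rendered page (toy format, see SID_RE)."""
    m = SID_RE.search(html)
    return m.group(1) if m else None


def looks_injectable(body):
    return "SQL syntax" in body


def scan_replaying_captured(app, captured):
    """Naive scan: mutate the input vector captured from the AJAX request as-is."""
    for payload in PAYLOADS:
        _, body = app.ajax_filter({**captured, "search": payload})
        if looks_injectable(body):
            return True
    return False


def scan_refreshing_nonce(app, captured):
    """Scan that re-renders the form page and refreshes the nonce per probe."""
    for payload in PAYLOADS:
        live_sid = extract_sid(app.get_page())
        _, body = app.ajax_filter({**captured, "sid": live_sid, "search": payload})
        if looks_injectable(body):
            return True
    return False


def demo():
    """Returns (found_by_replay, found_with_refresh) for the constructed app."""
    app = NonceProtectedApp()
    captured = {"sid": extract_sid(app.get_page()), "search": "a"}
    app.get_page()  # the crawler keeps browsing; the token has rotated
    return scan_replaying_captured(app, captured), scan_refreshing_nonce(app, captured)


if __name__ == "__main__":
    replay, refreshed = demo()
    print("replaying captured params:", "found" if replay else "missed")
    print("refreshing nonce per probe:", "found" if refreshed else "missed")
```

Running it shows the naive pass missing the flaw while `executed_sql` stays empty, i.e. the payloads were rejected before the query builder ever saw them, which is exactly the symptom reported in the issue: the same request with a live token is flagged, the crawled one is not.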
I am not super concerned about it. I thought it would be an interesting test that you would like to be aware of. The Zabbix UI is pretty typical of the average modern web app right now I feel (perhaps slightly more advanced), so it was good fodder.
I should clarify that when I say 'sane defaults', I simply don't want to enable any options that presuppose the vulnerability in question is there, in case that didn't make sense.