Preface
[!NOTE]
Yesterday I did the retired HTB Unrested machine, which must date from around November last year, and ran into a hole I had already "tinkered" with before. byd, I made the wrong call back then, still too careless!!!
It all came from the security reproduction articles of some brain-dead domestic WeChat public accounts; I will never trust them again! Hardly anyone there actually does research; most people simply have no idea what this vulnerability even means, and just mindlessly machine-translate and mechanically follow along (including but not limited to logging in with the plaintext password of an admin user they created themselves, then using the so-called SQL injection to dump the password hash of that same admin user). Let me ask: injecting yourself?!
The point of this vulnerability is that, starting from a low-privileged user (e.g. one who cannot access certain data, which can be demonstrated when the query is syntactically correct but returns an empty result), and then by combining
Affected versions
Environment setup
Reproduced with Zabbix 7.0, the latest release at the time
docker-compose.yml
```yaml
version: '3'
services:
  mysql:
    image: mysql:8.0
    container_name: mysql
    volumes:
      - ./mysql/data:/var/lib/mysql
      - ./mysql/conf:/etc/mysql/conf.d
      - ./mysql/logs:/var/log/mysql
      - /etc/localtime:/etc/localtime
    restart: always
    privileged: true
    environment:
      - MYSQL_ROOT_PASSWORD=myrootpass
      - MYSQL_DATABASE=zabbix
      - MYSQL_USER=zabbix
      - MYSQL_PASSWORD=mypass
      - TZ=Asia/Shanghai
      - LANG=en_US.UTF-8
    expose:
      - "3306"
    networks:
      zabbix-net:
    command: --character-set-server=utf8 --collation-server=utf8_bin
  zabbix-gateway:
    image: zabbix/zabbix-java-gateway:6.0.0-ubuntu
    container_name: zabbix-gateway
    volumes:
      - /etc/localtime:/etc/localtime
    restart: always
    privileged: true
    ports:
      - "10052:10052"
    networks:
      zabbix-net:
  zabbix-snmptraps:
    image: zabbix/zabbix-snmptraps:6.0.0-ubuntu
    container_name: zabbix-snmptraps
    volumes:
      - /etc/localtime:/etc/localtime
      - ./snmptraps:/var/lib/zabbix/snmptraps
      - ./mibs:/var/lib/zabbix/mibs
    restart: always
    privileged: true
    ports:
      - "1162:1162/udp"
    networks:
      zabbix-net:
  zabbix-server:
    image: zabbix/zabbix-server-mysql:6.0.0-ubuntu
    container_name: zabbix-server
    volumes:
      - /etc/localtime:/etc/localtime
      - ./snmptraps:/var/lib/zabbix/snmptraps
      - ./mibs:/var/lib/zabbix/mibs
      - ./alertscripts:/usr/lib/zabbix/alertscripts
      - ./externalscripts:/usr/lib/zabbix/externalscripts
    restart: always
    privileged: true
    environment:
      - ZBX_LISTENPORT=10051
      - DB_SERVER_HOST=mysql
      - DB_SERVER_PORT=3306
      - MYSQL_DATABASE=zabbix
      - MYSQL_USER=zabbix
      - MYSQL_PASSWORD=mypass
      - MYSQL_ROOT_PASSWORD=myrootpass
      - ZBX_CACHESIZE=1G
      - ZBX_HISTORYCACHESIZE=512M
      - ZBX_HISTORYINDEXCACHESIZE=16M
      - ZBX_TRENDCACHESIZE=256M
      - ZBX_VALUECACHESIZE=256M
      - ZBX_STARTPINGERS=64
      - ZBX_IPMIPOLLERS=1
      - ZBX_ENABLE_SNMP_TRAPS=true
      - ZBX_STARTTRAPPERS=1
      - ZBX_JAVAGATEWAY_ENABLE=true
      - ZBX_JAVAGATEWAY=zabbix-gateway
      - ZBX_STARTJAVAPOLLERS=1
    ports:
      - "10051:10051"
    networks:
      zabbix-net:
    links:
      - mysql
      - zabbix-gateway
  zabbix-web:
    image: zabbix/zabbix-web-nginx-mysql:6.0.0-ubuntu
    container_name: zabbix-web
    volumes:
      - ./font/simfang.ttf:/usr/share/zabbix/assets/fonts/DejaVuSans.ttf
      - /etc/localtime:/etc/localtime
    restart: always
    privileged: true
    environment:
      - ZBX_SERVER_NAME=Zabbix 6.0.0
      - ZBX_SERVER_HOST=zabbix-server
      - ZBX_SERVER_PORT=10051
      - DB_SERVER_HOST=mysql
      - DB_SERVER_PORT=3306
      - MYSQL_DATABASE=zabbix
      - MYSQL_USER=zabbix
      - MYSQL_PASSWORD=mypass
      - MYSQL_ROOT_PASSWORD=myrootpass
      - PHP_TZ=Asia/Shanghai
    ports:
      - "80:8080"
    networks:
      zabbix-net:
    links:
      - mysql
      - zabbix-server
networks:
  zabbix-net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.10.10.0/24
          gateway: 10.10.10.1
```
奇安信攻防社区 (QAX Attack & Defense Community) - CVE-2024-42327: Zabbix SQL Injection Vulnerability Analysis
Zabbix Cloud Images and Appliances
PoC
Combined with: CVE-2024-36467
(Off to prepare for the postgraduate entrance exam, see you next year~)