Zabbix 2.2.x, 3.0.x SQL注射漏洞修复方法

1.漏洞测试

在您的zabbix的地址后面加上如下url：

jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17

我的地址如下：

http://10.192.1168.153/zabbix/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17

输出结果，如下表示漏洞存在：

<div class="flickerfreescreen" id="flickerfreescreen_1" data-timestamp="1471403798083" style="position: relative;"></div><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style="width: 100%;"><tr><td class="msg" colspan="1"><ul class="messages"><li class="error">reset() expects parameter 1 to be array, null given [jsrpc.php:208 → CScreenHistory->get() → reset() in /var/www/html/zabbix/include/classes/screens/CScreenHistory.php:106]</li><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (1294, 1, 'web.item.graph.period', '3600', 2, 1 or updatexml(1,md5(0x11),1) or 1=1)#)] [XPATH syntax error: 'ed733b8d10be225eceba344d533586']</li><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_str, type, idx2) VALUES (1295, 1, 'web.item.graph.stime', '20160817050632', 3, 1 or updatexml(1,md5(0x11),1) or 1=1)#)] [XPATH syntax error: 'ed733b8d10be225eceba344d533586']</li><li class="error">Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (1296, 1, 'web.item.graph.isnow', '0', 2, 1 or updatexml(1,md5(0x11),1) or 1=1)#)] [XPATH syntax error: 'ed733b8d10be225eceba344d533586']</li></ul></td></tr></table>

2.修复方案

1).升级包链接地址[https://support.zabbix.com/browse/ZBX-11023](https://support.zabbix.com/browse/ZBX-11023)

2).暴力的修补方法是对CProfile类的flush方法中注入参数做强制整形转换即可 /var/www/html/zabbix/include/classes/user/CProfile.php:

public static function flush() {
$result = false;

if (self::$profiles !== null && self::$userDetails['userid'] > 0 && self::isModified()) {
$result = true;

foreach (self::$insert as $idx => $profile) {
foreach ($profile as $idx2 => $data) {
$result &= self::insertDB($idx, $data['value'], $data['type'],zbx_dbstr($idx2));
}
}

ksort(self::$update);
foreach (self::$update as $idx => $profile) {
ksort($profile);
foreach ($profile as $idx2 => $data) {
//这里用intval($idx2)或者zbx_dbstr($idx2)替换原来的$idx2
$result &= self::updateDB($idx, $data['value'], $data['type'], zbx_dbstr($idx2));
}
}
}

return $result;
}

修改后再用原漏洞测试Url,结果如下：

<div class="flickerfreescreen" id="flickerfreescreen_1" data-timestamp="1471403798083" style="position: relative;"></div><table class="msgerr" cellpadding="0" cellspacing="0" id="msg_messages" style="width: 100%;"><tr><td class="msg" colspan="1"><ul class="messages"><li class="error">reset() expects parameter 1 to be array, null given [jsrpc.php:208 → CScreenHistory->get() → reset() in /var/www/html/zabbix/include/classes/screens/CScreenHistory.php:106]</li></ul></td></tr></table>

参考文档：
http://www.cnbraid.com/2016/08/18/zabbix303/ http://www.oschina.net/news/76236/zabbix-sql http://seclists.org/fulldisclosure/2016/Aug/60 http://seclists.org/fulldisclosure/2016/Aug/79