How Zabbix Guest Access Enables Unauthenticated SQL Injection – Full Exploit Walkthrough

This article details a high‑severity SQL injection vulnerability in Zabbix’s jsrpc.php profileIdx2 parameter that allows unauthenticated attackers to gain system privileges, outlines its impact, demonstrates testing methods with screenshots, analyzes the vulnerable code paths, and recommends mitigation steps such as upgrading, patching, and disabling the guest account.

MaGe Linux Operations

0x01 Vulnerability Overview

Zabbix is an open‑source enterprise‑level performance monitoring solution. A recent vulnerability in Zabbix’s jsrpc.php "profileIdx2" parameter allows an INSERT‑style SQL injection, enabling attackers to log into the Zabbix management interface without authentication and potentially gain operating‑system level privileges on the Zabbix server. The exploit requires that the guest account be enabled (default guest password is empty).

Reference: "Vulnerability Alert: High‑risk Zabbix SQL injection that can obtain system privileges".

0x02 Impact Assessment

Attack cost: low

Severity: high

Login required: no

Affected versions: 2.2.x, 3.0.0‑3.0.3

0x03 Vulnerability Testing

Append the test payload to the Zabbix URL to trigger the check; the payload itself is shown in the original article's screenshots, which are not reproduced here.

Method 1 (illustrated by screenshots)

If the displayed code matches the screenshot, the vulnerability is present.

Method 2 (illustrated by screenshots)

Again, matching code indicates the vulnerability.

0x04 Real‑World Test

The exploit was tested against a Zabbix instance hosted in Japan, achieving highest‑level privileges.

0x05 Code Analysis

Target version: Zabbix 2.2.14.

Start from the PoC's request to jsrpc.php and locate where the "profileIdx2" parameter is read.

Following that value further leads to the CProfile::flush call made from page_footer.php, which eventually reaches insertDB; the INSERT statement built there is where the injection occurs.
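As an added defender-side example (not code from the original article or from Zabbix), the following pass over web-server access logs flags requests to jsrpc.php whose profileIdx2 value is not a plain integer, since Zabbix uses that parameter as a numeric id. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:12:00:01 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2017:12:00:02 +0000] "GET /zabbix/jsrpc.php?type=9&method=screen.get&profileIdx=web.item.graph&profileIdx2=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 512 "-" "curl/7.55"
198.51.100.7 - - [10/Oct/2017:12:00:03 +0000] "GET /zabbix/dashboard.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def suspicious_requests(log_text):
    """Return (ip, timestamp, decoded_value) for every jsrpc.php request whose
    profileIdx2 parameter is anything other than an unsigned integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/jsrpc.php"):
            continue
        # parse_qs percent-decodes values, so the check runs on the real text.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("profileIdx2", []):
            if not re.fullmatch(r"\d+", value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} profileIdx2={value!r}")
```

Standard access logs record only the query string, so a parameter sent in a POST body needs proxy or WAF logging that captures request bodies.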

0x06 Mitigation

Upgrade to a patched version.

Apply the official security patch.

Disable the guest account.

0x07 Afterword

The author acknowledges remaining unknowns and notes that some information was gathered from the internet.

Author: secange

Source: http://www.secange.com/2017/10/zabbix%E9%AB%98%E5%8D%B1sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
