Unable to reproduce SQL injection in Zabbix 3.0.x via crawling
Created by: brandonprry
Hi,
Watching my email this afternoon, I noticed a SQL injection vulnerability for Zabbix was released.
http://seclists.org/fulldisclosure/2016/Aug/60
I decided to see if I could reproduce it to write a Metasploit module, but also decided to see if I could reproduce the issue with Arachni with sane defaults. The Zabbix front end is a basic PHP front end with some fancy JavaScript and is easily crawlable for the most part.
However, some of the filter forms in the UI are JS-based, making AJAX calls. I was hoping that the Phantom engine would make easy work of them, but I am also not 100% sure I am using arachni correctly to enable the use of Phantom to begin with.
Arachni detects the SQL injection if I pass the vulnerable URL directly with an up-to-date CSRF token and --http-cookie-string. However, letting Arachni crawl it does not. I can easily reproduce the path to the vulnerable HTTP request in the UI.
Not sure what information is useful. It may be wishful thinking to detect it. :)
I am testing against zabbix-frontend-php 3.0.3. The command I am running is:

    ./arachni --input-value .*:a --http-cookie-string "PHPSESSID=9rb0d293rcu2narujm9g56f0m4; tab=0; zbx_sessionid=ed0ad759ceed8ba8e7f5258e31e52777" --checks sql* --scope-exclude-pattern reconnect http://172.18.20.39/zabbix/index.php

The --input-value is so that I know that arachni is testing with a simple value that should bring up general search terms.
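The post contrasts a scanner's benign probe value (`a`, from `--input-value .*:a`) with the SQL-injection checks it runs afterwards. The following added example is not code from the issue, from Zabbix or from Arachni; it is a generic illustration of the vulnerability class and of the two response differences a scanner's `sql*` checks look for (a database error and a changed result set), using an in-memory SQLite table with constructed host names. The function names and schema are assumptions for the example.

```python
import sqlite3

# Constructed sample data standing in for a filterable host list (not Zabbix's schema).
SAMPLE_HOSTS = [("web01", "10.0.0.1"), ("db01", "10.0.0.2"), ("mon01", "10.0.0.3")]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (name TEXT, ip TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?)", SAMPLE_HOSTS)
    return conn


def search_hosts_unsafe(conn, term):
    """Vulnerable pattern: the filter value is concatenated into the SQL text."""
    sql = "SELECT name FROM hosts WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hosts_safe(conn, term):
    """Hardened pattern: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT name FROM hosts WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def run_filter(search_fn, term):
    """Run one filter implementation against a fresh database.

    Returns the matching names, or an 'error: ...' string when the database
    rejects the query. An error leaking to the HTTP response is one of the
    signals an error-based SQLi check keys on; a result set that changes
    for a tautology probe is the other.
    """
    conn = make_db()
    try:
        return search_fn(conn, term)
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def compare(term):
    """Return (unsafe_result, safe_result) for the same filter term."""
    return run_filter(search_hosts_unsafe, term), run_filter(search_hosts_safe, term)


if __name__ == "__main__":
    # The scanner's benign baseline value, then a quote and a tautology probe.
    for probe in ["a", "web", "a'", "a' OR '%'='"]:
        print(repr(probe), "->", compare(probe))
```

For the baseline value `a` both implementations return the same (empty) result, so the crawl alone tells a scanner nothing; only the follow-up probes separate them: the unsafe version surfaces a database error for a lone quote and returns every row for the tautology, while the parameterised version treats both probes as ordinary search text and returns nothing. That is exactly the kind of differential Arachni's checks need to observe, which is why a request the crawler never reaches (such as an AJAX-driven filter) cannot be flagged.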