# Zabbix-CVE-2024-42327 PoC
NSFOCUS CERT detected that Zabbix released a security announcement fixing an SQL injection vulnerability (CVE-2024-42327) in Zabbix server. Because of the SQLi flaw in the addRelatedObjects function of the CUser class, an attacker with default user permissions or API access can call the CUser.get function and reach the vulnerable code. This could lead to unauthorized access to sensitive information or the execution of arbitrary SQL statements. The CVSS score is 9.9.
This PoC exploits that SQL injection vulnerability. Using a time-based SQL injection approach, it extracts the sessions table from the database to determine whether the Admin user is logged in. The script is multi-threaded to expedite the extraction of the admin session for further exploitation. With the admin user's API token, it creates an item and then triggers that item, which sends a payload that opens a reverse shell.

To summarise, this tool extracts the admin session ID (admin_session) with time-based SQL injection through the Zabbix API and then sends a reverse shell command to the target system using that ID. First, the script takes the user's credentials, sends an authentication request to the Zabbix API and receives an auth_token. Then it extracts the admin_session ID using SQL injection. The extracted admin_session ID is used to retrieve the host and interface IDs with a host.get request to the Zabbix API. Finally, an item.create request containing the reverse shell command is sent with the obtained host and interface IDs. In this way, a reverse shell is opened on the target server and a connection is established.
NOTE: Sometimes the admin session value is not recovered completely; for example, the script may find 23 characters instead of 32. In that case the problem is usually solved by running the script again.
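A defender's counterpart to the chain described above, added here and not part of the PoC: detection logic run over constructed Zabbix API request log lines that flags the two signatures the README implies, a burst of user.get calls from one client whose responses are delayed by an injected sleep, and an item.create whose key executes a command. The log field names, the thresholds, and the use of a system.run item key are assumptions.

```python
import json
from collections import defaultdict

# Tunables (assumptions for this example): a time-based extraction injects a
# sleep of a few seconds, so delayed responses cluster above SLOW_MS, and every
# extracted character costs many requests, hence the burst threshold.
WINDOW_S = 60    # seconds of sliding window
MIN_CALLS = 20   # user.get calls from one client inside the window
SLOW_MS = 1500   # response time that indicates an injected delay
MIN_SLOW = 5     # delayed responses needed before we call it an injection

# Constructed sample log: one JSON line per API request, as a reverse proxy in
# front of api_jsonrpc.php could record it (epoch, client, method, response ms,
# and for item.create the item key). 10.0.0.5 is the attacker, 10.0.0.9 is normal.
SAMPLE_LOG = [json.dumps({"ts": 1000 + i, "src": "10.0.0.5", "method": "user.get",
                          "ms": 2010 if i % 2 else 35}) for i in range(24)]
SAMPLE_LOG += [
    json.dumps({"ts": 1030, "src": "10.0.0.9", "method": "host.get", "ms": 30}),
    json.dumps({"ts": 1040, "src": "10.0.0.5", "method": "item.create", "ms": 50,
                "key_": "system.run[<placeholder-command>]"}),
]

def detect(lines):
    """Return findings as (client, rule, detail) tuples."""
    findings = []
    per_client = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["method"] == "user.get":
            per_client[ev["src"]].append((ev["ts"], ev["ms"]))
        elif ev["method"] == "item.create" and ev.get("key_", "").startswith("system.run["):
            findings.append((ev["src"], "command-item", ev["key_"]))
    for src, calls in per_client.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):          # sliding window over this client's user.get calls
            while calls[end][0] - calls[start][0] > WINDOW_S:
                start += 1
            window = calls[start:end + 1]
            slow = sum(1 for _, ms in window if ms >= SLOW_MS)
            if len(window) >= MIN_CALLS and slow >= MIN_SLOW:
                findings.append((src, "time-based-sqli", f"{len(window)} user.get, {slow} delayed"))
                break
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```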
```
[4.0K] /data/pocs/40c4bb9eb4c665a24831aedf7191088a07f362b0
├── [6.8K] exploit.py
└── [2.3K] README.md

0 directories, 2 files
```