PoC details: 40c4bb9eb4c665a24831aedf7191088a07f362b0

Source
Related vulnerability
Title: Zabbix SQL injection vulnerability (CVE-2024-42327)
Description: Zabbix is an open-source monitoring system developed by the Zabbix company. It supports network monitoring, server monitoring, cloud monitoring and application monitoring. Zabbix versions 6.0.0 through 6.0.31, 6.4.0 through 6.4.16 and 7.0.0 contain a SQL injection vulnerability. The flaw lies in the addRelatedObjects function of the CUser class and allows an attacker to manipulate database queries.
Description
Zabbix CVE-2024-42327 PoC
Introduction
# Zabbix-CVE-2024-42327 PoC
        _______    ________    ___   ____ ___  __ __        __ __ ___  ________  _____
      / ____/ |  / / ____/   |__ \ / __ \__ \/ // /       / // /|__ \|__  /__ \/__  /
     / /    | | / / __/________/ // / / /_/ / // /_______/ // /___/ / /_ <__/ /  / / 
    / /___  | |/ / /__/_____/ __// /_/ / __/__  __/_____/__  __/ __/___/ / __/  / /  
    \____/  |___/_____/    /____/\____/____/ /_/          /_/ /____/____/____/ /_/   
    
NSFOCUS CERT detected that Zabbix released a security announcement and fixed the SQL injection vulnerability (CVE-2024-42327) in Zabbix server. Because of the SQLi vulnerability in the addRelatedObjects function of the CUser class, attackers with default user permissions or API access can call the CUser.get function. This could lead to unauthorized access to sensitive information or the execution of arbitrary SQL statements. The CVSS score is 9.9.

This PoC exploits the SQL injection vulnerability. With the time-based SQL injection approach, the sessions table has to be extracted from the database to determine whether the Admin user is logged in. The script is multi-threaded to speed up extraction of the admin session for further exploitation. With the admin user's API token, an item is created and then triggered; a reverse shell is obtained by sending a payload.

To summarise, this tool extracts the admin session ID (admin_session) with time-based SQL injection through the Zabbix API and then sends a reverse shell command to the target system using this ID. First, the script takes the user's credentials, sends an authentication request to the Zabbix API and receives an auth_token. Then it extracts the admin_session ID using SQL injection. The extracted admin_session ID is used to retrieve the host and interface IDs with a host.get request to the Zabbix API. Finally, an item.create request containing the reverse shell command is sent with the obtained host and interface IDs. In this way a reverse shell is opened on the target server and a connection is established.

NOTE: Sometimes the admin session value is not recovered completely; for example, the script may find 23 characters instead of 32. In that case the problem is usually solved by running the script again.
File snapshot

[4.0K] /data/pocs/40c4bb9eb4c665a24831aedf7191088a07f362b0
├── [6.8K] exploit.py
└── [2.3K] README.md

0 directories, 2 files