POC详情: 6892bc1da8cf799ef6f955ec71c7fb320cdfce47

来源
https://github.com/W01fh4cker/CVE-2024-22120-RCE
关联漏洞
标题: Zabbix 安全漏洞 (CVE-2024-22120)
描述:Zabbix是Zabbix公司的一套开源的监控系统。该系统支持网络监控、服务器监控、云监控和应用监控等。 Zabbix存在安全漏洞,该漏洞源于对字段未进行有效清理,导致基于时间的盲SQL注入。
描述
Time Based SQL Injection in Zabbix Server Audit Log --> RCE
介绍
# CVE-2024-22120 ToolKit

# Affected Version/s

```
6.0.0 - 6.0.27
6.4.0 - 6.4.12
7.0.0alpha1
```

# Credit

https://x.com/mf0cuz

> https://support.zabbix.com/browse/ZBX-24505

> https://packetstormsecurity.com/files/137454/Zabbix-3.0.3-Remote-Command-Execution.html

# Premise

- a low-privilege user

- Have permission to execute scripts

  ![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520113821013.png)

# Usage

## CVE-2024-22120-RCE

Capture packets to obtain sessionid and hostid:

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520113103613.png)

```
python -m pip install requests pwntools

python CVE-2024-22120-RCE.py --ip 192.168.198.136 --sid f026d1c7a3c36537cfe78fed35c7456a --hostid 10084
```

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520112956658.png)

## CVE-2024-22120-Webshell(Unable to use in most cases)

if you already have a session ID of Administrator privileged user, try:

```shell
python CVE-2024-22120-Webshell.py --ip 192.168.198.136 --aid fe647173d7769d55a43f161a68b256e0 --hostid 10084 --file shell.php
```

else:

```shell
python CVE-2024-22120-Webshell.py --ip 192.168.198.136 --sid f026d1c7a3c36537cfe78fed35c7456a --hostid 10084 --shell shell.php
```

But almost most of them cannot be written to the webshell through echo, because the execution user is zabbix:

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520160457471.png)

## CVE-2024-22120-LoginAsAdmin

```shell
python CVE-2024-22120-LoginAsAdmin.py --ip 192.168.198.136 --sid decf4ef56988027d62ca1db2a00d8346 --hostid 10084
```

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520175955624.png)

test:

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180010132.png)

replace then refresh:

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180055161.png)

login as admin!!!

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180339314.png)
文件快照

 [4.0K]  /data/pocs/6892bc1da8cf799ef6f955ec71c7fb320cdfce47
├── [4.7K]  CVE-2024-22120-LoginAsAdmin.py
├── [5.6K]  CVE-2024-22120-RCE.py
├── [4.8K]  CVE-2024-22120-Webshell.py
└── [2.0K]  README.md

0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。