PoC details: f37b9c3d6e241a04f85caf22de475ae20118b042

Source
Related vulnerability
Title: Zabbix security vulnerability (CVE-2024-22120)
Description: Zabbix is an open-source monitoring system developed by Zabbix. It supports network, server, cloud and application monitoring. Zabbix contains a security vulnerability caused by a field that is not properly sanitized, leading to time-based blind SQL injection.
Description
This is my exploit for CVE-2024-22120, which involves an SSRF vulnerability inside an XXE with a Gopher payload.
Introduction
# Usage

```bash
python exploit.py --ip <Zabbix_IP> --sid <LowPrivileged_SID> --hostid <HostID> --phpsessid <PHPSESSID> --false_time <FalseTime> --true_time <TrueTime>
```

### Example Scenario
You have identified a Zabbix server running on IP `192.168.1.100`, and you have access to a low-privileged user with the following details:
- Session ID (`sid`): `d82bf6715e1d3c1f25`
- Host ID (`hostid`): `10107`
- PHP session ID (`phpsessid`): `a4g7f48d9j3r7h8s9g`

You want to exploit the RCE vulnerability using this script.

### Running the Script

```bash
python exploit.py --ip 192.168.1.100 --sid d82bf6715e1d3c1f25 --hostid 10107 --phpsessid a4g7f48d9j3r7h8s9g --false_time 1 --true_time 3
```

### Parameter Explanation:
- `--ip 192.168.1.100`: The IP address of the Zabbix server.
- `--sid d82bf6715e1d3c1f25`: The session ID of a low-privileged user.
- `--hostid 10107`: The ID of a host that the low-privileged user can access.
- `--phpsessid a4g7f48d9j3r7h8s9g`: The PHP session ID used to authenticate requests.
- `--false_time 1`: Time in seconds to sleep in case of a wrong guess during the SQL injection (default is 1 second).
- `--true_time 3`: Time in seconds to sleep in case of a correct guess during the SQL injection (default is 3 seconds).

### What Happens Next:
1. The script will start by attempting to extract the admin session ID using a time-based SQL injection.
2. Once the admin session ID is obtained, the script will create a reverse shell script on the Zabbix server.
3. Finally, the script will execute the reverse shell, connecting back to your machine on the specified IP and port (`10.0.46.27:5555` in the script).

### Notes:
- Make sure that your machine is listening on the specified port (`5555` in the script) to catch the reverse shell. You can use `netcat` for this:

  ```bash
  nc -lvnp 5555
  ```

- Replace the IP `10.0.46.27` and port `5555` in the `CreateScript` function with your own IP and desired port to receive the reverse shell.
File snapshot

```
[4.0K] /data/pocs/f37b9c3d6e241a04f85caf22de475ae20118b042
├── [6.2K] exploit.py
└── [1.9K] README.md

0 directories, 2 files
```