
CVE-2024-42327 PoC — SQL injection in user.get API

Associated Vulnerability
Title: SQL injection in user.get API (CVE-2024-42327)
Description: A non-admin user account on the Zabbix frontend with the default User role, or with any other role that grants API access, can exploit this vulnerability. An SQL injection exists in the addRelatedObjects function of the CUser class; this function is called from CUser.get, which is available to every user who has API access.
Description
Zabbix CVE-2024-42327 PoC
Readme
# Zabbix-CVE-2024-42327 PoC 
        _______    ________    ___   ____ ___  __ __        __ __ ___  ________  _____
      / ____/ |  / / ____/   |__ \ / __ \__ \/ // /       / // /|__ \|__  /__ \/__  /
     / /    | | / / __/________/ // / / /_/ / // /_______/ // /___/ / /_ <__/ /  / / 
    / /___  | |/ / /__/_____/ __// /_/ / __/__  __/_____/__  __/ __/___/ / __/  / /  
    \____/  |___/_____/    /____/\____/____/ /_/          /_/ /____/____/____/ /_/   
    
NSFOCUS CERT detected that Zabbix released a security announcement fixing an SQL injection vulnerability (CVE-2024-42327) in the Zabbix server. Because of the SQLi in the addRelatedObjects function of the CUser class, an attacker with default user permissions or API access can reach it through the CUser.get function. This could lead to unauthorized access to sensitive information or the execution of arbitrary SQL statements. The CVSS score is 9.9.

This PoC exploits the SQL injection vulnerability. For the time-based SQL injection approach, the sessions table must be extracted from the database to determine whether the Admin user is logged in; the script is multi-threaded to speed up extraction of the admin session for further exploitation. With the admin user's API token, it creates an item, triggers that item, and then obtains a reverse shell by sending a payload.

To summarise, this tool extracts the admin session ID (admin_session) via time-based SQL injection through the Zabbix API and then uses that ID to send a reverse shell command to the target system. First, the script takes the user's credentials, sends an authentication request to the Zabbix API and receives an auth_token. Then it extracts the admin_session ID using SQL injection. The extracted admin_session ID is used to retrieve the host and interface IDs with a host.get request to the Zabbix API. Finally, an item.create request containing the reverse shell command is sent with the obtained host and interface IDs. In this way a reverse shell is opened on the target server and a connection is established.

NOTE: Sometimes the admin session value is not recovered completely (for example, 23 characters are found instead of 32); in that case, running the script again will usually resolve the problem.
File Snapshot

[4.0K] /data/pocs/40c4bb9eb4c665a24831aedf7191088a07f362b0
├── [6.8K] exploit.py
└── [2.3K] README.md

0 directories, 2 files