Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2024-22120 PoC — Time Based SQL Injection in Zabbix Server Audit Log

Source
https://github.com/isPique/CVE-2024-22120-RCE-with-gopher
Associated Vulnerability
Title:Time Based SQL Injection in Zabbix Server Audit Log (CVE-2024-22120)
Description:Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
Description
This is my exploit for CVE-2024-22120, which involves an SSRF vulnerability inside an XXE with a Gopher payload.
Readme
# Usage

```bash
python exploit.py --ip <Zabbix_IP> --sid <LowPrivileged_SID> --hostid <HostID> --phpsessid <PHPSESSID> --false_time <FalseTime> --true_time <TrueTime>
```

### Example Scenario
You have identified a Zabbix server running on IP `192.168.1.100`, and you have access to a low-privileged user with the following details:
- Session ID (`sid`): `d82bf6715e1d3c1f25`
- Host ID (`hostid`): `10107`
- PHP session ID (`phpsessid`): `a4g7f48d9j3r7h8s9g`

You want to exploit the RCE vulnerability using this script.

### Running the Script

```bash
python exploit.py --ip 192.168.1.100 --sid d82bf6715e1d3c1f25 --hostid 10107 --phpsessid a4g7f48d9j3r7h8s9g --false_time 1 --true_time 3
```

### Parameters Explanation:
- `--ip 192.168.1.100`: The IP address of the Zabbix server.
- `--sid d82bf6715e1d3c1f25`: The session ID of a low-privileged user.
- `--hostid 10107`: The ID of a host that the low-privileged user can access.
- `--phpsessid a4g7f48d9j3r7h8s9g`: The PHP session ID used to authenticate requests.
- `--false_time 1`: Time in seconds to sleep in case of a wrong guess during the SQL injection (default is 1 second).
- `--true_time 3`: Time in seconds to sleep in case of a correct guess during the SQL injection (default is 3 seconds).

### What Happens Next:
1. The script will start by attempting to extract the admin session ID using a time-based SQL injection.
2. Once the admin session ID is obtained, the script will create a reverse shell script on the Zabbix server.
3. Finally, the script will execute the reverse shell, connecting back to your machine on the specified IP and port (`10.0.46.27:5555` in the script).

### Notes:
- Make sure that your machine is listening on the specified port (`5555` in the script) to catch the reverse shell. You can use `netcat` for this:

  ```bash
  nc -lvnp 5555
  ```

- Replace the IP `10.0.46.27` and port `5555` in the `CreateScript` function with your own IP and desired port to receive the reverse shell.
File Snapshot

 [4.0K]  /data/pocs/f37b9c3d6e241a04f85caf22de475ae20118b042
├── [6.2K]  exploit.py
└── [1.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →