CVE-2024-22120: Time Based SQL Injection in Zabbix Server Audit Log
PoC: https://support.zabbix.com/secure/attachment/236280/236280_zabbix_server_time_based_blind_sqli.py
#exploit #pentest
Affected and fixed version/s:
* 6.0.0 - 6.0.27 / 6.0.28rc1
* 6.4.0 - 6.4.12 / 6.4.13rc1
* 7.0.0alpha1 - 7.0.0beta1 / 7.0.0beta2
Allows to dump any values from database. As an example of exploit above allows privilege escalation from user to admin. In some cases, SQL injection leads to RCE.
PoC: https://support.zabbix.com/secure/attachment/236280/236280_zabbix_server_time_based_blind_sqli.py
#exploit #pentest