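Zimbra SOAP API Development Guide, Part 2
0x00 Preface
The previous article, "Zimbra-SOAP-API開發指南" (Zimbra SOAP API Development Guide), introduced how to call the Zimbra SOAP API and released the open-source code Zimbra_SOAP_API_Manage. This article extends that code with functions that require administrator privileges.
0x01 Introduction
This article covers the following:
·Obtaining the token of a specified mailbox user
·Uploading files to the server through the clientUploader extension
·Log detection
0x02 Obtaining the token of a specified mailbox user
Documentation: https://files.zimbra.com/docs/soap_api/8.8.15/api-reference/zimbraAdmin/DelegateAuth.html
The corresponding namespace is zimbraAdmin.
The request address is: uri+":7071/service/admin/soap"
Following the SOAP format in the documentation, this can be implemented with the following Python code:
The returned result is as follows:
The extracted authToken value can be used to log in to the mailbox, as follows:
Open the Zimbra webmail login page and add the following Cookie: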
Name:ZM_AUTH_TOKEN Value:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
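On the login page, enter the mailbox user name, leave the password empty, and click Sign In.
How to add a Cookie in Chrome:
Press F12 in Chrome to open Developer Tools and select the Application tab.
Then open Storage->Cookies
0x03 Uploading files to the server through the clientUploader extension
Note that the upload operation requires Content-Type in the request headers to be set to multipart/form-data; boundary=$, for example:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1abcdefghijklmno
A complete example of the request format: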
POST /service/extension/clientUploader/upload HTTP/1.1
Host: mail.xx.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1abcdefghijklmno
Content-Length: 400
Cookie:ZM_ADMIN_AUTH_TOKEN=0_530bf417d0f3e55ed628e4671e44b1dea4652bab_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343835323934303131393b61646d696e3d313a313b
Upgrade-Insecure-Requests:1
------WebKitFormBoundary1abcdefghijklmno
Content-Disposition:form-data;name="file";filename="test.jsp"
Content-Type: image/jpeg
test12345
------WebKitFormBoundary1abcdefghijklmno--
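Here, ------WebKitFormBoundary1abcdefghijklmno is the delimiter and ------WebKitFormBoundary1abcdefghijklmno-- is the closing delimiter.
If this attribute is not set, the upload fails and returns the following result:
When writing the Python script, if the attribute Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1abcdefghijklmno is added directly to the headers, as in the following example code: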
headers["Content-Type"]="multipart/form-data; boundary=----WebKitFormBoundary1abcdefghijklmno"
this causes a bug and the upload does not succeed.
The request then looks like this:
POST /service/extension/clientUploader/upload HTTP/1.1
Host: mail.xx.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1abcdefghijklmno
Content-Length: 400
Cookie:ZM_ADMIN_AUTH_TOKEN=0_530bf417d0f3e55ed628e4671e44b1dea4652bab_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343835323934303131393b61646d696e3d313a313b
Upgrade-Insecure-Requests:1
------3c4bc2fbc2368a87e5def7b234fd126b
Content-Disposition:form-data;name="file";filename="test.jsp"
Content-Type: image/jpeg
test12345
------3c4bc2fbc2368a87e5def7b234fd126b--
The delimiter and closing delimiter turn out to be a newly generated random value, not the ----WebKitFormBoundary1abcdefghijklmno that we set in the request headers.
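The check below is an added example, not code from the original post or from Zimbra_SOAP_API_Manage: it parses a multipart body with the Python standard library only and reports whether the boundary declared in Content-Type is the one the body actually uses. The function names and the two sample bodies are constructed for illustration, modeled on the two packets shown above.

```python
import re

def header_boundary(content_type):
    """Return the boundary parameter of a Content-Type header value, or None."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    return m.group(2).strip() if m else None

def inspect_multipart(content_type, body):
    """Compare the declared boundary with the delimiters found in the body."""
    boundary = header_boundary(content_type)
    lines = body.split("\r\n")
    # RFC 2046: each delimiter line is "--" + boundary; the closing one appends "--".
    used = lines[0][2:] if lines[0].startswith("--") else None
    consistent = (boundary is not None and used == boundary
                  and "--" + boundary + "--" in lines)
    parts = []
    if consistent:
        for chunk in body.split("--" + boundary)[1:]:
            if chunk.startswith("--"):  # closing delimiter reached
                break
            head = chunk.strip("\r\n").split("\r\n\r\n", 1)[0]
            name = re.search(r'\bname="([^"]*)"', head)
            filename = re.search(r'\bfilename="([^"]*)"', head)
            ctype = re.search(r'Content-Type:\s*(\S+)', head, re.I)
            parts.append(tuple(x.group(1) if x else None
                               for x in (name, filename, ctype)))
    return {"header_boundary": boundary, "body_boundary": used,
            "consistent": consistent, "parts": parts}

def sample_body(boundary):
    """Constructed sample body with one file part, as in the packets above."""
    return ("--{b}\r\n"
            'Content-Disposition: form-data; name="file"; filename="test.jsp"\r\n'
            "Content-Type: image/jpeg\r\n\r\n"
            "test12345\r\n"
            "--{b}--\r\n").format(b=boundary)

# Constructed inputs: the header from the page, one matching and one mismatched body.
HEADER = "multipart/form-data; boundary=----WebKitFormBoundary1abcdefghijklmno"
GOOD = sample_body("----WebKitFormBoundary1abcdefghijklmno")
BAD = sample_body("----3c4bc2fbc2368a87e5def7b234fd126b")

if __name__ == "__main__":
    for label, body in (("matching", GOOD), ("mismatched", BAD)):
        print(label, inspect_multipart(HEADER, body))
```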
The Python code therefore needs to be modified. One solution is to use the requests_toolbelt library.
Code example:
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

# uri (for example "https://mail.xx.com") and token (the admin authToken)
# must already be set by the surrounding script.
path = input("[*] Input the path of the file:")
with open(path, "r") as f:
    fileContent = f.read()
filename = path
print("[*] filepath:" + path)
print("[*] filedata:" + fileContent)
headers = {
    "Content-Type": "application/xml"
}
# The boundary in the header must be identical to the one passed to MultipartEncoder below.
headers["Content-Type"] = "multipart/form-data; boundary=----WebKitFormBoundary1abcdefghijklmno"
headers["Cookie"] = "ZM_ADMIN_AUTH_TOKEN=" + token + ";"
m = MultipartEncoder(fields={
    "filename1": (None, "test", None),
    "clientFile": (filename, fileContent, "image/jpeg"),
    "requestId": (None, "12345", None),
}, boundary="----WebKitFormBoundary1abcdefghijklmno")
# verify=False disables TLS certificate verification, as in the original script.
r = requests.post(uri + "/service/extension/clientUploader/upload", data=m, headers=headers, verify=False)
if "window.parent._uploadManager.loaded(1," in r.text:
    print("[+] Upload Success!")
    print("[+] URL:%s/downloads/%s" % (uri, filename))
else:
    print("[!]")
    print(r.text)
    exit(0)
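After a successful upload, the file is located in the downloads directory, which only authenticated users can access.
0x04 Open-source code
The new code has been uploaded to GitHub at:
https://github.com/3gstudent/Homework-of-Python/blob/master/Zimbra_SOAP_API_Manage.py
The following two functions were added:
·Gettoken
·upload
Support for the CVE-2019-9621 SSRF vulnerability was also added: when the mail server has the 7071 admin port closed, admin resources are accessed through the SSRF vulnerability.
0x05 Log detection
The login log is located at /opt/zimbra/log/mailbox.log
For other types of mail logs, see https://wiki.zimbra.com/wiki/Log_Files
0x06 Summary
This article extends the Zimbra SOAP API calling methods with two practical functions, obtaining the token of a specified mailbox user and uploading files to the server through the clientUploader extension, and records the implementation details.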