Directory Traversal in Zimbra Collaboration Suite mboximport
CVE-2022-27925 affects Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The vulnerable functionality is the mboximport feature, which accepts a ZIP archive and extracts its contents on the server. Because file paths are not properly restricted during archive extraction, an authenticated administrator can upload a crafted ZIP file whose entry names contain path traversal sequences and cause arbitrary files to be written outside the intended extraction directory. This issue was widely exploited in the wild in conjunction with CVE-2022-37042, an authentication bypass in MailboxImportServlet, which lets attackers reach the vulnerable import path without valid administrator credentials. The combination can be used to place attacker-controlled files on the server, including web-accessible artifacts such as JSP webshells, resulting in post-exploitation access and persistence.
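As an added example (not Zimbra's code, nor code from any of the exploit repositories listed below): the check an archive importer in this position is missing, a pre-extraction audit that resolves every ZIP entry name against the intended import directory and refuses the whole archive if any entry would land outside it. The import directory path, the entry names and the sample archive are all constructed for the demonstration.

```python
import io
import os
import zipfile


def unsafe_entries(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Return entry names that would be written outside dest_dir."""
    root = os.path.realpath(dest_dir)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            # Normalise separators so backslash-based traversal resolves too.
            candidate = name.replace("\\", "/")
            # realpath collapses ".."; an absolute entry makes join() drop root.
            target = os.path.realpath(os.path.join(root, candidate))
            if os.path.commonpath([root, target]) != root:
                flagged.append(name)
    return flagged


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only if every entry stays under dest_dir; raise otherwise."""
    # Python's extractall() strips ".." and leading "/" by itself; auditing
    # first lets the server reject and log the upload instead of mangling it.
    flagged = unsafe_entries(archive_bytes, dest_dir)
    if flagged:
        raise ValueError(f"refusing archive, traversal entries: {flagged}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def is_refused(archive_bytes: bytes, dest_dir: str) -> bool:
    """True when safe_extract rejects the archive (nothing gets written)."""
    try:
        safe_extract(archive_bytes, dest_dir)
    except ValueError:
        return True
    return False


def build_sample_archive(with_traversal: bool) -> bytes:
    """Constructed sample: a small mailbox export, optionally with bad entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Inbox/message-1.eml", "Subject: hi\n\nconstructed sample\n")
        if with_traversal:
            zf.writestr("../../escaped.txt", "would land outside the import dir\n")
            zf.writestr("/absolute-entry.txt", "absolute name, also refused\n")
    return buf.getvalue()
```

A server-side importer would call `unsafe_entries` on the uploaded archive and log the flagged names before deciding whether to extract; a non-empty result is itself a useful detection signal for an import endpoint.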
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a Python exploit for CVE-2022-27925, a remote code execution vulnerability in Zimbra Collaboration Suite Network Edition (versions 9.0.0 Patch 23 and earlier, and 8.8.15 Patch 30 and earlier). The exploit works by uploading a malicious JSP webshell to the Zimbra server using a crafted ZIP archive and a vulnerable import endpoint. The main exploit logic is in 'main.py', which reads a list of target servers, attempts to upload the webshell to several possible directories using path traversal, and then accesses the webshell to execute arbitrary commands provided by the user. The payload is a JSP webshell that executes system commands via the 'cmd' parameter. The attack is performed over HTTP/HTTPS and targets the '/service/extension/backup/mboximport' endpoint for the upload, and '/zimbraAdmin/<random>.jsp' for command execution. The repository is operational and provides a working exploit with a hardcoded payload. The structure is simple, with a single code file, a README with usage instructions, and a license.
This repository contains a Nuclei template (CVE-2022-27925.yaml) for exploiting CVE-2022-27925, a critical unauthenticated remote code execution vulnerability in Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0. The template sends a crafted POST request to the /service/extension/backup/mboximport endpoint, uploading a ZIP archive that leverages directory traversal to place a JSP webshell (cmd.jsp) in the webapps directory. The template then issues a GET request to the webshell, executing a command (e.g., 'cat /etc/passwd') and checks for evidence of successful command execution. The repository structure is minimal, consisting of the Nuclei YAML template and a brief README. The main exploit file is the YAML template, which automates the exploitation process and verification of successful code execution. No hardcoded IPs or domains are present; the template is parameterized for use against arbitrary targets.
This repository contains a Python exploit (exploit.py) targeting CVE-2022-27925 and CVE-2022-37042 in Zimbra Collaboration Suite Network Edition. The exploit leverages a path traversal vulnerability in the mboximport endpoint, combined with an authentication bypass, to upload a JSP webshell to the Zimbra server. The attacker can then interact with the webshell to execute arbitrary commands on the server. The exploit supports both single-target and multi-target modes, reading targets from a file. The README provides detailed background on the vulnerabilities, affected versions, and usage instructions. The main exploit logic is in exploit.py, which constructs a malicious ZIP file containing the webshell, uploads it via the vulnerable endpoint, and verifies successful exploitation by accessing the deployed webshell. The exploit is operational and provides remote command execution as the Zimbra user, with the potential for privilege escalation to root using a separate local exploit. No detection-only scripts are present; the code is a working exploit. The only code file is exploit.py, written in Python, and the repository is structured with standard supporting files (.gitignore, LICENSE, README.md). The main attack vector is network-based, targeting HTTPS endpoints exposed by vulnerable Zimbra servers.
This repository is a proof-of-concept exploit for CVE-2022-27925, a remote code execution vulnerability in Zimbra Collaboration Suite. The main file, 'zimbra-exploit.py', is a Python script that attempts to upload a malicious ZIP file (containing a JSP web shell) to a vulnerable Zimbra server via the '/service/extension/backup/mboximport' endpoint. The script requires the attacker to provide the target URL and a valid email address as arguments. After uploading, it checks for the presence of the web shell at '/zimbraAdmin/cmd.jsp'. The repository consists of a README and the exploit script; the ZIP files referenced as payloads are expected to be present in the working directory. The exploit leverages network access to the Zimbra server and targets endpoints that are specific to the Zimbra backup import functionality.
This repository contains a Python exploit script (exp.py) targeting Zimbra Collaboration Suite servers vulnerable to CVE-2022-27925, an unauthenticated remote code execution flaw. The exploit works by crafting a malicious ZIP file containing a JSP webshell or reverse shell, which is uploaded to the server via a vulnerable mboximport endpoint. The script supports both single-target and mass exploitation modes, and can deploy either a webshell (for arbitrary command execution via HTTP) or a reverse shell (connecting back to the attacker's machine). The README provides usage instructions and describes the required parameters. The main code file is exp.py, which handles argument parsing, payload generation, exploitation logic, and result verification. The exploit is operational and provides real remote code execution if the target is vulnerable.
This repository contains a proof-of-concept exploit for Zimbra Collaboration Suite vulnerabilities CVE-2022-37042 and CVE-2022-27925. The main file, poc.py, is a Python script that crafts a malicious ZIP archive containing a JSP web shell and uploads it to a vulnerable Zimbra server via the /service/extension/backup/mboximport endpoint. Once uploaded, the shell can be accessed at /zimbraAdmin/shell.jsp, allowing the attacker to execute arbitrary commands on the server. The exploit demonstrates remote code execution by uploading the shell and issuing a 'whoami' command. The repository structure is simple, consisting of a README and the exploit script. The exploit is operational, providing a working payload (JSP web shell) and targeting Zimbra servers accessible over the network.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Zimbra Collaboration Suite vulnerability listed among those targeted by the threat actor.
A Synacor vulnerability that CISA KEV’s knownRansomwareCampaignUse field silently flipped to Known during 2025 (evidence of ransomware campaign use).
A Zimbra Collaboration Suite remote code execution vulnerability listed among those targeted in the campaign.
A Zimbra Collaboration Suite vulnerability referenced as part of a Zimbra exploitation chain (explicitly noted as chained with CVE-2022-37042) associated with RedHotel activity, per the CISA-referenced reporting.