0x00 Preface

---

This article further extends the open-source Zimbra_SOAP_API_Manage tool by implementing email forwarding through a preference change made via the Zimbra SOAP API, and shares the development details.

0x01 Introduction

---

This article will cover the following topics:

  • Adding email forwarding
  • Viewing email forwarding configurations
  • Viewing folder sharing configurations
  • Open-source code

0x02 Adding Email Forwarding

---

Zimbra can forward received emails to another mailbox. In the web interface the steps are as follows:

After logging into the mailbox, navigate to Preferences -> Mail (figure: the forwarding settings on the Preferences -> Mail page).

After entering the forwarding address, click Save.

To forward to several addresses, separate them with commas. Example of forwarding to two addresses at once: [email protected],[email protected]

Next, capture the traffic to analyze how the web client implements this, and then reproduce the functionality in code.

Example of the SOAP request from the packet capture (the XML markup did not survive here; the forwarding-address value it carried):

[email protected]


Implementation code example:

import re
import requests

# Shared request headers; the project keeps these at module level (assumed here,
# with the SOAP content type used for the XML bodies below).
headers = {"Content-Type": "application/soap+xml; charset=utf-8"}


def addforward_request(uri, token):
    print("[*] Input the mailbox to forward:")
    print("    Eg: [email protected],test2@test.com")
    mailbox = input("[>]: ")
    # The XML tags of this envelope were lost when the page was extracted; they are
    # rebuilt here from the Zimbra SOAP API reference (ModifyPrefsRequest in
    # urn:zimbraAccount, authToken in the urn:zimbra context), which is an assumption.
    request_body = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <context xmlns="urn:zimbra">
            <authToken>{token}</authToken>
        </context>
    </soap:Header>
    <soap:Body>
        <ModifyPrefsRequest xmlns="urn:zimbraAccount">
            <pref name="zimbraPrefMailForwardingAddress">{mailbox}</pref>
        </ModifyPrefsRequest>
    </soap:Body>
</soap:Envelope>"""
    try:
        r = requests.post(uri + "/service/soap", headers=headers,
                          data=request_body.format(token=token, mailbox=mailbox),
                          verify=False, timeout=15)
        if r.status_code == 200:
            print("[+] Add success")
        else:
            print(r.status_code)
            print(r.text)
    except Exception as e:
        print("[!] Error:%s" % (e))

To clear the forwarding setting, set the address value to an empty string.

0x03 View Email Forwarding Configuration

---

Before adding email forwarding, we typically need to first obtain the email forwarding configuration.

Packet capture shows that when the web homepage is loaded and a forwarding address is configured, the returned data includes the following additional content:

"zimbraPrefMailForwardingAddress":"[email protected]"

If email forwarding settings do not exist, the returned data will not contain the string zimbraPrefMailForwardingAddress.

In the program, the web homepage is requested with the auth token sent as a Cookie, and the value is then extracted with a regular expression.

Example implementation code:

def getforward_request(uri, token):
    try:
        # The start page is fetched with the auth token as a cookie, not via a SOAP call
        headers["Cookie"] = "ZM_AUTH_TOKEN=" + token + ";"
        r = requests.get(uri, headers=headers, verify=False, timeout=15)
        if r.status_code == 200 and 'zimbraPrefMailForwardingAddress' in r.text:
            print("[+] Forward")
            pattern_name = re.compile(r"\"zimbraPrefMailForwardingAddress\":\"(.*?)\"")
            name = pattern_name.findall(r.text)
            print("    " + name[0])
        elif r.status_code == 200:
            print("[-] No Forward")
        else:
            # A non-200 reply (for example an expired token) says nothing about forwarding
            print(r.status_code)
    except Exception as e:
        print("[!] Error:%s" % (e))
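As an added example that is not code from the original post or from the Zimbra_SOAP_API_Manage project, the following Python pulls the two pieces of 0x02 and 0x03 into stand-alone functions: rendering the preference-change envelope with XML escaping (the tool's str.format() templating inserts the prompt input verbatim), validating the comma-separated address list, and extracting the forwarding addresses from the web start page. The element names ModifyPrefsRequest, urn:zimbraAccount and authToken are taken from the Zimbra SOAP API reference and are assumptions here; the sample page text is constructed.

```python
import re
from xml.sax.saxutils import escape

# Envelope for changing one account preference. The element names
# (ModifyPrefsRequest in urn:zimbraAccount, authToken inside the urn:zimbra
# context) follow the Zimbra SOAP API reference and are an assumption here.
MODIFY_PREFS_TEMPLATE = (
    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
    '<soap:Header><context xmlns="urn:zimbra">'
    '<authToken>{token}</authToken></context></soap:Header>'
    '<soap:Body><ModifyPrefsRequest xmlns="urn:zimbraAccount">'
    '<pref name="zimbraPrefMailForwardingAddress">{value}</pref>'
    '</ModifyPrefsRequest></soap:Body></soap:Envelope>'
)

# Deliberately strict: one local part, one domain containing a dot, and no
# whitespace, commas or XML metacharacters.
ADDRESS_RE = re.compile(r"^[^@\s,<>&\"']+@[^@\s,<>&\"']+\.[A-Za-z0-9-]+$")

# The start page embeds the preference as a JSON pair; it is absent when unset.
FORWARD_RE = re.compile(r'"zimbraPrefMailForwardingAddress":"(.*?)"')


def parse_address_list(raw):
    """Split the comma-separated input the tool prompts for and validate each entry.
    An empty result is legal: an empty value clears the forwarding setting."""
    addresses = [a.strip() for a in raw.split(",") if a.strip()]
    bad = [a for a in addresses if not ADDRESS_RE.match(a)]
    if bad:
        raise ValueError("not a mail address: %s" % ", ".join(bad))
    return addresses


def build_modify_prefs(token, addresses):
    """Render the envelope with the values XML-escaped. escape() turns <, > and &
    into entities, so a value cannot close the pref element and add further
    markup, which plain str.format() templating would let through."""
    return MODIFY_PREFS_TEMPLATE.format(token=escape(token),
                                        value=escape(",".join(addresses)))


def parse_forwarding(page_text):
    """Return the forwarding addresses found in the web client's start page, or
    an empty list when the zimbraPrefMailForwardingAddress key is absent."""
    m = FORWARD_RE.search(page_text)
    if not m:
        return []
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


# Constructed sample of the start-page fragment, not captured from a real server.
SAMPLE_PAGE = ('{"zimbraPrefLocale":"en_US",'
               '"zimbraPrefMailForwardingAddress":"a@example.com,b@example.com"}')

if __name__ == "__main__":
    addresses = parse_address_list("a@example.com, b@example.com")
    print(build_modify_prefs("AUTH_TOKEN_PLACEHOLDER", addresses))
    print(parse_forwarding(SAMPLE_PAGE))
```

Sending the rendered envelope is the same requests.post() call the tool uses; keep the status-code check, since a rejected request comes back as a SOAP Fault rather than a ModifyPrefsResponse.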

0x04 View Folder Sharing Configuration

---

The previous article "Zimbra-SOAP-API Development Guide 4 - Email Export and Folder Sharing" lacked a method for viewing folder sharing configuration. This article serves as a supplement.

Analysis via packet capture:

Example of URL sent: https:///service/soap/BatchRequest

Example of content sent:

{"Header":{"context":{"_jsns":"urn:zimbra","userAgent":{"name":"ZimbraWebClient - GC103 (Win)","version":"8.8.12_GA_3844"},"session":{"_content":123,"id":123},"account":{"_content":"[email protected]","by":"name"},"csrfToken":"0_71c4fc5d29c57ec1863d1630a77bb4834f0cd67c"}},"Body":{"BatchRequest":{"_jsns":"urn:zimbra","onerror":"continue","GetFolderRequest":[{"_jsns":"urn:zimbraMail","folder":{"l":"2"},"requestId":0}]}}}

Example of content returned:

{"Header":{"context":{"session":{"id":"123","_content":"123"},"change":{"token":151},"_jsns":"urn:zimbra"}},"Body":{"BatchResponse":{"GetFolderResponse":[{"folder":[{"id":"2","uuid":"68dd08c1-26ea-4460-9716-14eee9103a45","deletable":false,"name":"Inbox","absFolderPath":"/Inbox","l":"1","luuid":"0e366bb5-f76c-40ce-9a92-28def5720d67","f":"ui","u":14,"view":"message","rev":1,"ms":147,"webOfflineSyncDays":30,"activesyncdisabled":false,"n":14,"s":24088,"i4ms":112,"i4next":273,"acl":{"grant":[{"zid":"f87692f9-0ab9-441d-9870-ef5b6dd6f375","gt":"usr","perm":"r","d":"[email protected]"}]}}],"requestId":"0","_jsns":"urn:zimbraMail"}],"_jsns":"urn:zimbra"}},"_jsns":"urn:zimbraSoap"}

From the above content, the relevant request is GetFolderRequest.

View the usage of GetFolderRequest: https://files.zimbra.com/docs/soap_api/8.8.15/api-reference/zimbraMail/GetFolder.html

Building on the earlier articles, this can likewise be done through the Zimbra SOAP API by sending a GetFolderRequest and filtering the response.

In the response, sharing of the Inbox shows up as the acl element with its grant entries (zid, gt, perm, d), the same structure as in the JSON above.

In the program, if the acl element is present in the returned result, the folder is shared and the corresponding data can be extracted.

Implementation code example:

def getshare_request(uri, token):
    # The XML tags of this envelope were lost when the page was extracted; they are
    # rebuilt here from the captured BatchRequest above (GetFolderRequest in
    # urn:zimbraMail with folder l="2") and the Zimbra SOAP API reference (assumption).
    request_body = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <context xmlns="urn:zimbra">
            <authToken>{token}</authToken>
        </context>
    </soap:Header>
    <soap:Body>
        <GetFolderRequest xmlns="urn:zimbraMail">
            <folder l="2"/>
        </GetFolderRequest>
    </soap:Body>
</soap:Envelope>"""
    try:
        r = requests.post(uri + "/service/soap", headers=headers,
                          data=request_body.format(token=token), verify=False, timeout=15)
        # In the XML response a shared folder carries <acl><grant .../></acl>, the XML
        # form of the "acl":{"grant":[...]} seen in the JSON capture above (the tag
        # literals below are reconstructed on that basis).
        if r.status_code == 200 and '<acl' in r.text:
            print("[+] Folder Share")
            folders = re.findall(r"<folder(.*?)</folder>", r.text, re.S)
            for folder in folders:
                if '<acl' in folder:
                    # Nested folders land in one match; the last name= belongs to
                    # the innermost folder, which is the one that owns the acl
                    names = re.findall(r"name=\"(.*?)\"", folder)
                    acl = re.findall(r"<acl\b[^>]*>(.*?)</acl>", folder, re.S)
                    print("    " + names[-1] + ":")
                    print("    " + acl[0])
        else:
            print(r.status_code)
            print(r.text)
            print("[-] No Folder Share")
    except Exception as e:
        print("[!] Error:%s" % (e))

Example of returned result:

Inbox:

To remove a folder share, you need the grant's zid and the folder id (2 for the Inbox).
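As an added example (not the post's or the project's code), the following Python extracts the same share information from the JSON form of the response shown above, which is what the web client itself receives, walking the nested folder lists instead of matching tags with regular expressions, and returns the folder id and zid that the revoke step needs. The response text is a constructed sample modelled on the capture above: the zid is the one from the capture, the extra folders and the grantee address are made up, and the grantee-type values pub and all are taken from the Zimbra SOAP API reference.

```python
import json

# Constructed sample response (not from the page): the BatchResponse shape shown in
# the capture above, reduced to the fields used here and extended with a nested
# sub-folder and an unshared folder so that the tree walk is exercised.
SAMPLE_RESPONSE = """
{"Header": {"context": {"_jsns": "urn:zimbra"}},
 "Body": {"BatchResponse": {"_jsns": "urn:zimbra", "GetFolderResponse": [
   {"_jsns": "urn:zimbraMail", "requestId": "0", "folder": [
     {"id": "1", "name": "USER_ROOT", "absFolderPath": "/", "folder": [
       {"id": "2", "name": "Inbox", "absFolderPath": "/Inbox", "view": "message",
        "acl": {"grant": [{"zid": "f87692f9-0ab9-441d-9870-ef5b6dd6f375",
                           "gt": "usr", "perm": "r", "d": "grantee@example.com"}]},
        "folder": [{"id": "257", "name": "Archive", "absFolderPath": "/Inbox/Archive",
                    "view": "message"}]},
       {"id": "7", "name": "Contacts", "absFolderPath": "/Contacts", "view": "contact"}
     ]}
   ]}
 ]}}}
"""


def iter_folders(folders):
    """Depth-first walk over the nested "folder" lists of a GetFolderResponse."""
    for f in folders:
        yield f
        yield from iter_folders(f.get("folder", []))


def find_shares(response_text):
    """Return one record per ACL grant found anywhere in the folder tree.
    Folder id and zid are the two values a later revoke needs."""
    body = json.loads(response_text)["Body"]
    # The web client wraps the call in a BatchRequest (as captured above); a direct
    # GetFolderRequest returns a single GetFolderResponse object instead of a list.
    responses = body.get("BatchResponse", body).get("GetFolderResponse", [])
    if isinstance(responses, dict):
        responses = [responses]
    shares = []
    for resp in responses:
        for f in iter_folders(resp.get("folder", [])):
            for g in f.get("acl", {}).get("grant", []):
                shares.append({"path": f.get("absFolderPath"), "folder_id": f.get("id"),
                               "zid": g.get("zid"), "gt": g.get("gt"),
                               "perm": g.get("perm"), "grantee": g.get("d")})
    return shares


def is_broad_grant(share):
    """When auditing a mailbox, grants to everyone ("pub") or to all authenticated
    users ("all") deserve a closer look than a grant to one named user ("usr")."""
    return share["gt"] in ("pub", "all")


def format_shares(shares):
    """Render shares in the tool's 'Folder:' style, one line per grant."""
    return ["%s (id %s): %s %s perm=%s zid=%s" % (
                s["path"], s["folder_id"], s["gt"], s["grantee"] or "-",
                s["perm"], s["zid"])
            for s in shares]


if __name__ == "__main__":
    for line in format_shares(find_shares(SAMPLE_RESPONSE)):
        print(line)
```

Feeding the tool's live response into find_shares() instead of SAMPLE_RESPONSE only requires requesting the JSON format, which is what the web client does; the XML form handled by getshare_request() above carries the same fields as attributes.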

0x05 Open Source Code

---

New code has been uploaded to the Zimbra_SOAP_API_Manage project on GitHub.

Added the following four features:

  • AddForward: Add email forwarding
  • GetForward: View email forwarding
  • GetShare: View folder sharing
  • RemoveForward: Clear email forwarding settings

0x06 Summary

---

This article expands the Zimbra SOAP API calling methods with four practical features. The same implementation approach can also be applied when testing XSS vulnerabilities.