Related vulnerability
Description
A Python-based reconnaissance scanner for safely identifying potential exposure to SharePoint vulnerability CVE-2025-53770.
Introduction
# CVE-2025-53770 Scanner by DanSec
**A simple, effective reconnaissance tool to identify potential exposure to the critical SharePoint vulnerability CVE-2025-53770.**
> [!Warning]
>
> **This tool is intended for authorised testing purposes only.**
>The author (`DanSec`) takes **no responsibility** for misuse or damage caused by unauthorised scanning or usage. Ensure you have explicit permission to scan any domain or service before using this tool.
## About CVE-2025-53770
**CVE-2025-53770 ("ToolShell")** is a critical vulnerability affecting on-premises SharePoint Server versions 2016, 2019, and Subscription Edition.
It enables unauthenticated remote code execution (RCE) via:
- Authentication bypass by header spoofing (CVE-2025-53771)
- Upload of a malicious ASPX web shell (`spinstall0.aspx`)
- Extraction of cryptographic secrets from `web.config`
- Unsafe deserialization exploiting `ViewState` to execute code remotely
This vulnerability has been actively exploited, prompting urgent warnings from authorities worldwide.
**For detailed information:**
- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
- [Trend Micro Analysis](https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html)
- [Rapid7 Analysis](https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/)
---
## What Does This Scanner Do?
- Performs subdomain enumeration (using `Sublist3r` and `crt.sh`) to identify potential SharePoint hosts.
- Safely checks each discovered subdomain for signs of vulnerability to CVE-2025-53770.
- Outputs results in a structured CSV file for easy review.
**This scanner DOES NOT exploit the vulnerability.** It merely identifies potential points of exposure.
---
## Installation
Clone the repository and install dependencies:
```bash
git clone https://github.com/Sec-Dan/CVE-2025-53770-Scanner.git
# Directory name matches the repository name (case matters on Linux/macOS)
cd CVE-2025-53770-Scanner
pip install -r requirements.txt
```
---
## Usage
```bash
python spScanner.py <target_domain> [options]
```
**Example:**
```bash
python spScanner.py example.com --threads 5 --retries 2
```
## Available Flags
| Flag | Description | Default |
| ----------------- | -------------------------------------------------- | --------- |
| `<target_domain>` | Root domain to scan (required) | - |
| `-o, --output` | CSV output filename | `CVE-2025-53770_output.csv` |
| `--passive` | Run a passive scan (skip subdomain enumeration) | Disabled |
| `--threads` | Number of concurrent scan threads | `1` |
| `--retries` | Number of retries per host | `1` |
| `--rate-limit` | Max requests per second (0 for unlimited) | `0` |
---
## Interpreting Results
- **VULNERABLE (Red):** the probe returned HTTP 200 OK; the host is potentially vulnerable and should be investigated
- **CLEAN (Green):** the probe returned any other HTTP status; the host is likely not exposed
- **ERRORS (Yellow):** the probe could not complete because of a connection or network error
The resulting CSV file will contain detailed status for each scanned subdomain.
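The two pieces of the workflow described above, crt.sh-based host discovery and the three-way result classification, as an added example (not the code of `spScanner.py`). The crt.sh sample JSON is constructed, and the CSV column layout (`host`, `status_code`, `result`) is an assumption about the tool's output, not documented here.

```python
import csv
import io
import json

# Constructed sample in the shape crt.sh returns for "?q=%.example.com&output=json";
# not the output of a real query.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "sharepoint.example.com", "name_value": "sharepoint.example.com\nsp.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nExample.com"},
    {"common_name": "intranet.example.com", "name_value": "intranet.example.com"},
    {"common_name": "sp.example.com", "name_value": "sp.example.com"},
])


def hosts_from_crtsh(json_text, root_domain):
    """Turn crt.sh JSON into a sorted, de-duplicated list of candidate hosts.

    Each entry's name_value may hold several newline-separated names. Wildcard
    entries ("*.example.com") name no real host and are dropped; names are
    lower-cased and restricted to the root domain so nothing out of scope is probed.
    """
    root = root_domain.lower()
    hosts = set()
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue
            if name == root or name.endswith("." + root):
                hosts.add(name)
    return sorted(hosts)


def classify(status_code, error=None):
    """Apply the README's rules: any error is ERROR, HTTP 200 is VULNERABLE, all else CLEAN."""
    if error is not None:
        return "ERROR"
    return "VULNERABLE" if status_code == 200 else "CLEAN"


def results_to_csv(results):
    """Render (host, status_code, error) tuples as CSV text; assumed column layout."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "status_code", "result"])
    for host, status_code, error in results:
        writer.writerow([host, "" if error is not None else status_code, classify(status_code, error)])
    return buf.getvalue()
```

A VULNERABLE row only means the probe answered 200; it is a prompt to verify patch level on that host, not a confirmation of exploitability.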
---
## Responsible Usage
- **Always obtain explicit authorization** before scanning.
- Inform stakeholders before initiating scans, especially in sensitive environments.
- Use only on systems you own, manage, or have explicit consent to test.
---
## Issues & Contributions
Found a bug or have a feature request? Open an issue or pull request!
**Stay safe, and happy scanning!**
— *DanSec*
File snapshot
[4.0K] /data/pocs/0d21f6002c927d782b0a34813356093f81a2f37e
├── [3.5K] README.md
├── [ 24] requirements.txt
├── [1.1K] splash.txt
└── [7.8K] spScanner.py
0 directories, 4 files
Notes
1. It is recommended to access the code through its original source first.
2. If the source has been removed or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.