关联漏洞
描述
Detection rules for CVE-2025-53770
介绍
# suricata-rule-CVE-2025-53770
Detection rules for CVE-2025-53770
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ET EXPLOIT SharePoint RCE ToolShell CVE-2025-53770"; http.method; content: "POST"; flow: established, to_server; http.uri; pcre:"/\/_layouts\/\d+\/[^?]+\.aspx\?DisplayMode=Edit&a=\/[^?]+\.aspx/"; http.accept_enc; content:"gzip, deflate"; http.referer; content: "/_layouts/SignOut.aspx"; http.request_body; content: "MSOTlPn_DWP"; content:"_controltemplates"; content: "AclEditor.ascx"; content: "CompressedDataTable"; content: "Scorecard"; content: "ExcelDataSet"; reference: url,https://research.eye.security/sharepoint-under-siege/; reference: url,https://github.com/kaizensecurity/CVE-2025-53770/tree/master; reference: url, https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/; classtype:web-application-attack; sid:1000000; rev: 1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ET EXPLOIT SharePoint RCE ToolShell CVE-2025-53770"; http.method; content: "GET"; flow: established, to_server; http.uri; pcre:"/\/_layouts\/\d+\/[^?]+\.aspx/"; http.referer; content: "/_layouts/SignOut.aspx"; reference: url,https://research.eye.security/sharepoint-under-siege/; reference: url,https://github.com/kaizensecurity/CVE-2025-53770/tree/master; reference: url, https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/; classtype:web-application-attack; sid:1000001; rev: 1;)
```
文件快照
[4.0K] /data/pocs/8554d55a8ca316f436035ecc4d6ea13d8bdae72a
├── [1.5K] README.md
├── [ 551] SharepointGET.pcap
└── [9.2K] SharepointPOST.pcap
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。