
CVE-2021-26855

CVE-2021-26855 ssrf golang version

Affected versions

- Exchange Server 2013 < CU23

- Exchange Server 2016 < CU18

- Exchange Server 2019 < CU7

Overview

This vulnerability differs from previous Exchange vulnerabilities: it does not require a user identity that can log in, and it can access internal user resources without authorization. Chained with CVE-2021-27065, it allows remote command execution.

Requirements

- The target Exchange server must be a load-balanced deployment, that is, two or more servers are in use at the same time

- The target email address. Note that this must be an email address within the domain, not just any email address; there is a difference between the two

- The attacker must also identify the fully qualified domain name (FQDN) of the internal Exchange server

Among the above four items, the FQDN can be captured from an NTLM Type 2 message, and email addresses can be enumerated directly.

How to use it

To exploit this vulnerability it is more convenient to use a scripting language such as Ruby or Python. This one is written in Go mainly to learn Go, so this small tool can only be regarded as semi-finished and will be updated when there is time.

The tool supports vulnerability detection and user enumeration, and can perform simple mail ID and header reading (which is in fact just XML content modification). Follow-up use can refer to 8581; all of these steps work by submitting XML.

Usage:

go run CVE-2021-21978.go -h <target ip>
  -h string        Required, target address or domain name
  -U string        Optional, user list to enumerate
  -d               Optional, download email
  -l               Optional, list mailing list
  -n string        Optional, FQDN to fill in
  -t string        Optional, request delay time (default "1")
  -u string        Optional, target user (default "administrator")

Update download function