local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local strbuf = require "strbuf"
-- Script metadata read by the Nmap Scripting Engine: description, author,
-- license, categories and the port rule are assigned as globals.
description = [[
Check for Exchange Server CVE-2021-34473
by trying to access OWA as NT AUTHORITY\SYSTEM
Known issues - requires a valid SSL certificate if using SSL/TLS
]]
---
-- The result line is one of the three strings returned by action; the sample
-- below shows the "vulnerable" case.
--@output
--PORT STATE SERVICE
-- 443/tcp open https
-- |_http-vuln-exchange-proxyshell: ** Vulnerable to ProxyShell SSRF **
author = "Kevin Beaumont"
license = "GPLv3"
-- NOTE(review): "safe" and "exploit" describe opposite behaviours in Nmap's
-- category scheme, and "default" puts this probe into every -sC scan. A check
-- for a specific CVE is normally tagged "vuln" so operators can select or
-- exclude it deliberately - confirm the intended set before distributing.
categories = {"default", "discovery", "safe", "exploit"}
-- Ports are selected by the shortport library's HTTP rule.
portrule = shortport.http
-- NOTE(review): last_len is not read anywhere in the visible script.
local last_len = 0
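--- Send one GET request to the target and classify it by HTTP status.
-- The verdict rests on the status code alone: 400 is reported as not
-- vulnerable, 302 as vulnerable, anything else as unknown. A 302 is therefore
-- a lead to confirm against the server's patch level, not proof; any server
-- or fronting proxy that redirects this path produces the same verdict.
-- @param host Nmap host table for the target.
-- @param port Nmap port table for the target.
-- @return A result string, or nil when no HTTP status was received.
action = function(host, port)
  -- Kept local so the script does not leak a global into the shared NSE
  -- environment. Redirects are not followed, so the 302 itself is observed.
  local options = {redirect_ok = false}
  -- NOTE(review): the "[email protected]" fragments in this path look like
  -- e-mail obfuscation applied by the page this copy was taken from; verify
  -- the path against the upstream script before relying on the result.
  local answer = http.get(host, port, "/autodiscover/[email protected]/owa/?&Email=autodiscover/autodiscover.json%[email protected]", options)
  local status = answer and answer.status

  -- No status means the request failed (timeout, TLS failure, non-HTTP
  -- service). Concatenating nil below would raise, so report nothing.
  if status == nil then
    return nil
  end

  if status == 400 then
    return "Not vulnerable to ProxyShell SSRF"
  end
  if status == 302 then
    return "** Vulnerable to ProxyShell SSRF **"
  end
  return "Unknown error code returned - " .. status .. " - maybe not an Exchange server"
end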