{"id":10479,"date":"2025-07-18T12:36:19","date_gmt":"2025-07-18T05:36:19","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10479"},"modified":"2026-02-05T12:36:26","modified_gmt":"2026-02-05T05:36:26","slug":"lo-hong-nghiem-trong-trong-sharepoint-cho-phep-thuc-thi-ma-tu-xa-qua-xml-doc-hai","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/18\/lo-hong-nghiem-trong-trong-sharepoint-cho-phep-thuc-thi-ma-tu-xa-qua-xml-doc-hai\/","title":{"rendered":"Critical SharePoint vulnerability allows remote code execution via malicious XML"},"content":{"rendered":"<p><b>A critical security vulnerability has just been discovered in Microsoft SharePoint that allows an authenticated attacker to execute code remotely by abusing the WebPart processing mechanism. The problem lies in unsafe deserialization within the system, through which a malicious actor can inject malicious code into XML content embedded in a WebPart. Microsoft has released a patch, but a specific CVE identifier has not yet been published.<\/b><\/p>\n<div style=\"text-align: center\">\n<img class=\"bbImage\" title=\"SharePoint.png\" src=\"https:\/\/whitehat.vn\/attachments\/sharepoint-png.17331\/\" alt=\"SharePoint.png\" width=\"700\" height=\"390\" \/>\n<\/div>\n<p>The vulnerability stems from the way SharePoint processes WebPart controls that contain XML content. When a WebPart is added to a page, the system automatically parses and deserializes the properties inside it. The weakness lies in the <i>SPObjectStateFormatter<\/i> class, which deserializes data without strictly restricting the object types it will process. If malicious XML content is inserted into a WebPart, the system unintentionally triggers a chain of methods that leads to unsafe deserialization. This is the key link that opens the way for an attacker to execute arbitrary code on the SharePoint server.<\/p>\n<p>When it receives a WebPart, SharePoint processes the XML content inside by calling a sequence of parsing and deserialization methods. In this chain, steps such as <i>DoPostDeserializationTasks<\/i> and, in particular, GetAttachedProperties play the key role. There, the <i>_serializedAttachedPropertiesShared<\/i> property is deserialized through the <i>SPObjectStateFormatter<\/i> class. The type-control component <i>SPSerializationBinder<\/i> accepts any class declared in the SafeControls list. That includes the SPThemes class, an object that can execute code during initialization, which gives an attacker a way to take control of the system.<\/p>\n<p>Exploiting this weakness in the deserialization process, an attacker can craft a malicious binary payload, encode it as Base64 and embed it directly in the WebPart's XML. When it is sent to the SharePoint server through the SOAP interface, the payload forces the system to process it automatically and trigger the malicious code. Creating the payload does not require advanced skill: a tool such as ysoserial can generate a forged payload in DataSet form, which is then adjusted to take advantage of the SPThemes class in order to execute code remotely.<\/p>\n<p>Organizations running SharePoint should urgently deploy the latest security updates and review every WebPart that can accept XML content from users. Given its uncontrolled data-processing mechanism and the possibility of abuse for remote code execution, this vulnerability poses a serious risk to internal environments. Deserialization has long been a familiar weakness in many enterprise systems, and SharePoint once again shows why it needs to be monitored closely.<\/p>\n<div style=\"text-align: right\"><b><i>According to Cyber Press<\/i><\/b><\/div>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/lo-hong-nghiem-trong-trong-sharepoint-cho-phep-thuc-thi-ma-tu-xa-qua-xml-doc-hai.18575\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/lo-hong-nghiem-trong-trong-sharepoint-cho-phep-thuc-thi-ma-tu-xa-qua-xml-doc-hai.18575\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A critical security vulnerability has just been discovered in Microsoft SharePoint that allows an authenticated attacker to execute code remotely by abusing the WebPart processing mechanism. The problem lies in unsafe deserialization within the system, through which a malicious actor [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10479","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10479"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10479\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}