# Sharepoint

Microsoft SharePoint security testing - enumeration, API misconfigurations, and exploitation.

## Enumeration

### Discovery

```bash
# Common SharePoint URLs to check
/_layouts/15/viewlsts.aspx
/_layouts/15/settings.aspx
/_api/web/lists
/_api/web/webs
/_api/web/siteusers
/_api/web/currentuser
/_vti_bin/client.svc
/_vti_bin/spdisco.aspx
/sites/
/_catalogs/

# Check version
/_api/web/
# Look for "MajorVersion" and "MinorVersion" in response

# SharePoint Online detection
/_layouts/15/authenticate.aspx
/personal/  # OneDrive personal sites
```

### User Enumeration

```bash
# Get all site users (if accessible)
curl "https://sharepoint.target.com/_api/web/siteusers" \
  -H "Accept: application/json;odata=verbose"

# Get specific user info
curl "https://sharepoint.target.com/_api/web/siteusers(@v)?@v='i:0%23.f|membership|user@target.com'" \
  -H "Accept: application/json"

# Current user
curl "https://sharepoint.target.com/_api/web/currentuser" \
  -H "Accept: application/json"
```

### List Enumeration

```bash
# Get all lists
curl "https://sharepoint.target.com/_api/web/lists" \
  -H "Accept: application/json"

# Get items from a list
curl "https://sharepoint.target.com/_api/web/lists/getbytitle('Documents')/items" \
  -H "Accept: application/json"

# Get list by GUID
curl "https://sharepoint.target.com/_api/web/lists(guid'LIST-GUID-HERE')/items"
```

## API Misconfigurations

### Exposed REST API

```bash
# Anonymous access to site data
curl "https://sharepoint.target.com/_api/web" -H "Accept: application/json"

# List all subsites
curl "https://sharepoint.target.com/_api/web/webs" -H "Accept: application/json"

# Search API (often exposed)
curl "https://sharepoint.target.com/_api/search/query?querytext='password'" \
  -H "Accept: application/json"
```

### Permission Issues

```bash
# Check permissions
curl "https://sharepoint.target.com/_api/web/effectivebasepermissions" \
  -H "Accept: application/json"

# Check if anonymous access enabled
curl "https://sharepoint.target.com/_api/web/AnonymousAccess"
```

### OData Query Exploitation

```bash
# Escape the $ inside double quotes (\$filter) or the shell expands it to nothing
# and the query parameter never reaches the server

# Filter sensitive data
curl "https://sharepoint.target.com/_api/web/lists/getbytitle('Users')/items?\$filter=Title%20eq%20'admin'" \
  -H "Accept: application/json"

# Select specific fields
curl "https://sharepoint.target.com/_api/web/lists/getbytitle('Config')/items?\$select=Password,ApiKey" \
  -H "Accept: application/json"

# Expand related data
curl "https://sharepoint.target.com/_api/web/lists/getbytitle('Documents')/items?\$expand=File" \
  -H "Accept: application/json"
```

## Common Vulnerabilities

### CVE-2019-0604 (RCE)

```bash
# Affects SharePoint 2010, 2013, 2016, 2019
# Deserialization vulnerability in EntityInstanceIdEncoder

# Detection
curl "https://sharepoint.target.com/_layouts/15/Picker.aspx"

# Exploit requires crafted ASPX page upload
# https://github.com/AhmedMohamedDev/CVE-2019-0604
```

### CVE-2020-0646 (RCE via .NET)

```bash
# .NET deserialization in SharePoint
# Check for vulnerable endpoints accepting XML/SOAP
```

### CVE-2020-16952 (RCE)

```bash
# Affects SharePoint 2013, 2016, 2019
# Remote code execution via malicious document

# Detection - check version and patch level
```

### CVE-2023-29357 (Privilege Escalation)

```bash
# JWT token bypass in SharePoint Server 2019
# Allows authentication bypass

# Check if patch KB5002402 installed
```

## File Access

### Direct File Access

```bash
# Download files
curl "https://sharepoint.target.com/sites/documents/Shared%20Documents/sensitive.docx" -o file.docx

# Access via API ($value must be escaped inside double quotes, or the shell expands it to an empty string)
curl "https://sharepoint.target.com/_api/web/getfilebyserverrelativeurl('/sites/documents/file.docx')/\$value" -o file.docx
```

### Exposed Directories

```bash
# Common sensitive locations
/sites/IT/
/sites/HR/
/sites/Finance/
/Shared Documents/
/_catalogs/masterpage/
/Style Library/
```
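The sections above describe what SharePoint enumeration, REST/OData misuse, a CVE-2019-0604 detection probe and anonymous file access look like from the client side. As an added example (not part of this page or of any tool it references), here is a Python triage script that applies those same patterns to SharePoint's IIS W3C logs, which is where a defender sees them: unauthenticated `200`s on `/_api/` and `/_vti_bin/`, `$select`/`$filter` or search queries naming secrets, hits on `/_layouts/15/Picker.aspx`, anonymous document downloads, and clients that walk many distinct API endpoints. The log lines are constructed; column names come from the IIS `#Fields:` directive, anonymous requests carry `-` in `cs-username`, and the sensitive-term list and burst threshold are assumptions to tune per environment.

```python
"""Triage SharePoint IIS W3C logs for the REST/OData enumeration and anonymous
file-access patterns listed on this page (added example, not from the page)."""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format (not from a real server).
# Anonymous requests carry "-" in cs-username; "CORP\jdoe" is a made-up authenticated user.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET /_api/web/siteusers - 443 - 203.0.113.7 curl/8.4.0 200 0 0 120
2024-05-01 10:00:02 10.0.0.5 GET /_api/web/lists/getbytitle('Config')/items $select=Password,ApiKey 443 - 203.0.113.7 curl/8.4.0 200 0 0 95
2024-05-01 10:00:03 10.0.0.5 GET /_api/search/query querytext='password' 443 - 203.0.113.7 curl/8.4.0 200 0 0 300
2024-05-01 10:00:04 10.0.0.5 GET /_layouts/15/Picker.aspx - 443 - 203.0.113.7 curl/8.4.0 401 2 5 10
2024-05-01 10:00:05 10.0.0.5 GET /sites/HR/Shared%20Documents/payroll.xlsx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 410
2024-05-01 10:00:06 10.0.0.5 GET /_api/web/currentuser - 443 CORP\jdoe 10.0.0.20 Mozilla/5.0 200 0 0 30
2024-05-01 10:00:07 10.0.0.5 GET /sites/HR/SitePages/Home.aspx - 443 CORP\jdoe 10.0.0.20 Mozilla/5.0 200 0 0 55
"""

# Assumed terms a defender would not expect in $select/$filter/search queries from unknown clients
SENSITIVE_TERMS = ("password", "apikey", "api_key", "secret", "token", "ssn")
API_PREFIXES = ("/_api/", "/_vti_bin/")
DOC_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".pdf", ".csv")


def parse_w3c(text):
    """Yield one dict per entry, keyed by the column names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than mis-assign columns
        yield dict(zip(fields, values))


def _sensitive(text):
    text = text.lower()
    return any(term in text for term in SENSITIVE_TERMS)


def classify(entry):
    """Return the finding tags for one entry (empty list when nothing matches)."""
    stem = unquote(entry["cs-uri-stem"]).lower()
    query = unquote(entry["cs-uri-query"])
    query = "" if query == "-" else query
    anonymous = entry["cs-username"] == "-"
    served = entry["sc-status"] == "200"
    tags = []
    if anonymous and served and stem.startswith(API_PREFIXES):
        tags.append("anon-api-success")          # REST/SOAP data served without authentication
    if ("$select=" in query or "$filter=" in query) and _sensitive(query):
        tags.append("odata-sensitive-columns")   # $select/$filter naming secrets
    if stem.startswith("/_api/search/query") and _sensitive(query):
        tags.append("search-sensitive-term")     # search API queried for secrets
    if stem.endswith("/_layouts/15/picker.aspx"):
        tags.append("picker-aspx-probe")         # the CVE-2019-0604 detection endpoint
    if anonymous and served and ("getfilebyserverrelativeurl" in stem or stem.endswith(DOC_EXTENSIONS)):
        tags.append("anon-file-download")        # document fetched without authentication
    return tags


def triage(text, burst_threshold=3):
    """Return (findings, bursts): tagged entries, plus client IPs that touched at least
    burst_threshold distinct API endpoints (enumeration rather than normal browsing)."""
    findings = []
    api_stems = defaultdict(set)
    for entry in parse_w3c(text):
        stem = unquote(entry["cs-uri-stem"]).lower()
        if stem.startswith(API_PREFIXES):
            api_stems[entry["c-ip"]].add(stem)
        tags = classify(entry)
        if tags:
            findings.append({"client": entry["c-ip"], "user": entry["cs-username"],
                             "stem": entry["cs-uri-stem"], "status": entry["sc-status"], "tags": tags})
    bursts = {ip: len(stems) for ip, stems in api_stems.items() if len(stems) >= burst_threshold}
    return findings, bursts


if __name__ == "__main__":
    found, bursts = triage(SAMPLE_LOG)
    for f in found:
        print(f["client"], f["user"], f["status"], f["stem"], ",".join(f["tags"]))
    print("enumeration bursts:", bursts)
```

On the sample, the authenticated user's two requests produce no findings, the `401` on `Picker.aspx` is still reported because a probe is worth knowing about even when it fails, and `203.0.113.7` is flagged as an enumeration burst for touching three distinct API endpoints. Feed real logs in by reading the `.log` files from the IIS log directory and passing their contents to `triage`.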

## Authentication Attacks

### NTLM Relay

```bash
# SharePoint often uses NTLM
# Use responder/ntlmrelayx for relay attacks

# Check for NTLM (a Negotiate challenge means Kerberos with NTLM fallback, so match the whole header)
curl -v https://sharepoint.target.com 2>&1 | grep -i "WWW-Authenticate"
```
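The grep above matches one header line at a time, so a server that answers `WWW-Authenticate: Negotiate, NTLM` in a single value, or sends a `Digest` challenge whose quoted `nonce` contains a comma, is easy to misread. As an added example (not from this page), here is a Python parser for the RFC 7235 challenge grammar that reports every scheme a `401` offers, which is the check a defender runs to confirm NTLM is really gone after moving a farm to Kerberos-only. The `401` response head is constructed; the parser accepts either `curl -i` output or the `< ` prefixed lines from `curl -v`.

```python
"""Parse WWW-Authenticate challenges from a 401 (RFC 7235) and report which
Windows auth schemes a SharePoint front end still offers (added example)."""
import re

# Constructed 401 head, in the shape `curl -i` prints (not captured from a real server).
SAMPLE_401 = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Content-Length: 0
"""

# quoted-string | token (with optional trailing '=' padding, as in a token68 blob) | separator
_TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([^\s,="]+=*)|(,)')


def www_authenticate_values(raw_head):
    """Collect every WWW-Authenticate value from a raw response head (curl -i or curl -v output)."""
    values = []
    for line in raw_head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lstrip("< ").lower() == "www-authenticate":
            values.append(value.strip())
    return values


def _tokenize(value):
    toks = []
    for m in _TOKEN_RE.finditer(value):
        if m.group(1) is not None:
            toks.append(("q", re.sub(r"\\(.)", r"\1", m.group(1))))  # unescape quoted-pair
        elif m.group(2) is not None:
            toks.append(("t", m.group(2)))
        else:
            toks.append((",", ","))
    return toks


def parse_www_authenticate(values):
    """Return [{'scheme', 'token', 'params'}] for one or more header values.
    Handles several challenges in one value, comma-separated auth-params, quoted
    strings that contain commas, and a token68 blob (e.g. an NTLM type-2 message)."""
    challenges = []
    for value in values:
        toks = _tokenize(value)
        i, after_scheme = 0, False
        while i < len(toks):
            kind, text = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if kind == ",":
                after_scheme = False
                i += 1
            elif kind == "q":                      # quoted string with no name: ignore
                i += 1
            elif text.endswith("=") and nxt is not None and nxt[0] != ",":
                if challenges:                     # auth-param: name=value (value may be quoted)
                    challenges[-1]["params"][text.rstrip("=").lower()] = nxt[1]
                after_scheme = False
                i += 2
            elif after_scheme or text.endswith("="):
                if challenges:                     # token68 directly after the scheme
                    challenges[-1]["token"] = text
                after_scheme = False
                i += 1
            else:                                  # bare token at a challenge boundary: new scheme
                challenges.append({"scheme": text, "token": None, "params": {}})
                after_scheme = True
                i += 1
    return challenges


def windows_auth_exposure(values):
    """Summarise the offered schemes; Negotiate can fall back to NTLM when Kerberos fails."""
    schemes = [c["scheme"].lower() for c in parse_www_authenticate(values)]
    return {
        "schemes": schemes,
        "ntlm_offered": "ntlm" in schemes,
        "negotiate_offered": "negotiate" in schemes,
        "ntlm_possible": "ntlm" in schemes or "negotiate" in schemes,
    }


if __name__ == "__main__":
    print(windows_auth_exposure(www_authenticate_values(SAMPLE_401)))
```

`ntlm_possible` stays true while `Negotiate` is offered, because SPNEGO falls back to NTLM whenever a client cannot obtain a Kerberos ticket; removing the explicit `NTLM` scheme alone does not close the relay surface.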

### Forms Authentication

```bash
# SharePoint Online / ADFS
# Home-realm discovery: the response says whether the domain is Managed (cloud-only) or
# Federated (NameSpaceType, plus the federation endpoint for Federated tenants);
# it does not return an authentication cookie
curl -X POST "https://login.microsoftonline.com/GetUserRealm.srf" \
  -d "login=user@target.com"
```

## Tools

```bash
# SharePoint enumeration
# https://github.com/AhmedMohamedDev/SPartan
python3 spartan.py -u https://sharepoint.target.com

# https://github.com/AhmedMohamedDev/sharepwn
python3 sharepwn.py -t https://sharepoint.target.com

# Nuclei templates
nuclei -t http/technologies/microsoft/sharepoint* -u https://sharepoint.target.com

# Fuzz endpoints
ffuf -w /usr/share/seclists/Discovery/Web-Content/sharepoint.txt \
  -u https://sharepoint.target.com/FUZZ
```

## References

* [The Lone SharePoint](https://www.crummie5.club/the-lone-sharepoint/)
* [SharePoint API Misconfigurations](https://medium.com/@ujmalhotra95/tales-of-sharepoint-api-misconfigurations-11073ad384fd)

## Related Topics

* [Windows AD](/post-exploitation/windows/ad.md) - SharePoint often integrated with AD
* [SSRF](/enumeration/web/ssrf.md) - SharePoint endpoints can be SSRF targets
