Proof OF Concept (POC): SharePoint Vulnerability Detection

This repository contains a step-by-step guide to identify SharePoint installations and validate vulnerabilities. The goal is to automate the process of finding vulnerable SharePoint instances and testing them for potential security issues.

⌛ Requirements

Tools:

🔍 Steps

1. Find Target Subdomains

Use subfinder to enumerate subdomains of the target domain. Save the output to a file for further processing.

subfinder -d target.com -o subdomain_targets.txt

2. Identify Active SharePoint Instances

Use httpx to check for live hosts and store potential SharePoint candidates.

httpx -l subdomain_targets.txt -o active_sharepoints.txt

3. Detect SharePoint Technology

Run nuclei to confirm if the hosts in the list use SharePoint.

nuclei -l active_sharepoints.txt -t Exposed-Sharepoint.yaml

4. Validate Vulnerability

Retrieve the lists.wsdl file to check for potential vulnerabilities in SharePoint services.

wget "https://example.sharepoint.com/_vti_bin/lists.asmx?WSDL" -O lists.wsdl
cat lists.wsdl

You can also view FrontPage Configuration Information via (_vti_inf.html)

📝 Alternative Methods to Identify SharePoint Sites

Using Search Engines

FOFA: Query: header="MicrosoftSharePointTeamServices"
Shodan: Query: http.title:"Microsoft SharePoint"
ZoomEye: Query: app:"Microsoft-SharePoint"

⭐ References

Here are real-world examples of SharePoint vulnerabilities reported on HackerOne :

🔨 How to Fix it :

Here’s a brief summary of how to mitigate the vulnerability of exposed SharePoint sensitive endpoints :

✅ Restrict Access to Sensitive Endpoints :

Implement strict access control and role-based authentication (RBAC) to limit who can access endpoints like lists.asmx, sitedata.asmx, etc.
Use strong authentication methods (e.g., MFA).

✅ Disable Unused Endpoints:

Disable or remove unnecessary endpoints like lists.asmx, usergroup.asmx, etc., if not required.
Disable WSDL if not needed to prevent exposing service structure.

✅ Secure Documents and Directories:

Apply access controls on document libraries (e.g., /Shared%20Documents/), ensuring only authorized users can view them.
Regularly audit document access and modifications.

✅ Patch and Update SharePoint :

Keep SharePoint up-to-date with the latest security patches.
Follow best configuration practices for securing the SharePoint environment.

✅ Use a Web Application Firewall (WAF) : Implement a WAF to filter and protect SharePoint endpoints from malicious traffic.

✅ Encrypt Data : Ensure data in transit and at rest is encrypted using HTTPS and proper file encryption.

✅ Monitor and Audit :

Regularly audit access logs for suspicious activity.
Use monitoring tools like Microsoft Sentinel or Splunk to detect threats.

✅ Server-Level Security : Secure the network and the IIS server hosting SharePoint, using firewalls, VPNs, and proper server configurations to prevent unauthorized access.

By implementing these steps, you can reduce the exposure of sensitive SharePoint endpoints and improve overall security.

⚠️ Disclaimer

This repository is intended for educational purposes only. Use of these exploits on systems or websites without explicit permission is illegal and unethical. The creator is not responsible for any misuse of this information.

💰 Support Me

If you find this work helpful, you can support me:

Thanks for your support! ❤️

PreviousSSRF NextTemplate Injection

Last updated 1 month ago