SharePoint Website Information Disclosure That Can Lead to RCE (unfortunately I couldn't)
This is a bug I found in a VDP program, and I guess they really don't have time to reply back, so posting the vulnerability details will be useful.
First, whatever target you are working on, keep in mind that you have to do content discovery; you can use tools like dirb, dirsearch and gobuster.
My personal favourite tool is dirb because it's easy to use. I ran dirb on my target https://redacted.com, which is running on the SharePoint framework.
I found:
https://www.redacted.com/_vti_bin/_vti_adm/admin.dll
https://www.redacted.com/_vti_bin/shtml.dll/_vti_rpc
and the SharePoint/FrontPage configuration information at https://www.redacted.com/_vti_inf.html
There is an exploitation research paper from Black Hat on these same services, and its authors also developed a tool called Sparty to exploit them further.
Without logging in to the admin module, we can enumerate the services running with the Sparty tool:
Command: python sparty_v_0.1.py -i services -u http://www.redacted.com/
This lists all the web service endpoints, some of which expose sensitive information, for example:
http://www.redacted.com/_vti_bin/spsearch.asmx?op=Query
(the ?op= page is the auto-generated ASMX help page, which documents the SOAP request format for the Query operation to any anonymous client).
You can turn this into RCE, but unfortunately in this site's case I was not able to; maybe you can check out the link below.
Mitigation: Put ACLs on the SharePoint DLLs, and also forbid access to the whole /_vti_bin/_vti_adm/ folder (which contains admin.dll), not just the single file. Remote authoring clients such as SharePoint Designer use these FrontPage RPC handlers, so confirm nobody legitimately needs them from the internet before blocking them, and re-probe afterwards to make sure the block actually took effect.
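Added example (my own code, not part of the original write-up and not the Sparty tool): a small Python probe that repeats the content-discovery step by hand, parses what _vti_inf.html discloses (the FrontPage version and the exact RPC handler paths), and doubles as a check that the mitigation took effect: after blocking the admin folder, the admin handlers should come back 403/404. The hostname www.redacted.com, the canned responses in SAMPLE_SITE and the paths beyond the ones found on the target (author.dll, owssvr.dll, lists.asmx) are constructed/assumed, so the script runs offline; pass a real base URL as the first argument to probe a live site.

```python
"""Probe a site for FrontPage Server Extensions / SharePoint RPC endpoints.

Added example, not from the original write-up and not the Sparty tool.
Standard library only; `fetch` is pluggable so the logic runs offline
against the constructed SAMPLE_SITE below.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Paths seen in the write-up plus a few other well-known FrontPage/SharePoint
# handlers (the extra ones are my additions, not findings from the target).
KNOWN_PATHS = [
    "_vti_inf.html",
    "_vti_bin/shtml.dll/_vti_rpc",
    "_vti_bin/_vti_adm/admin.dll",
    "_vti_bin/_vti_aut/author.dll",
    "_vti_bin/owssvr.dll",
    "_vti_bin/spsearch.asmx",
    "_vti_bin/lists.asmx",
]

# Handlers that should never be reachable anonymously; used for the
# post-hardening check that mirrors the write-up's mitigation.
ADMIN_PATHS = {"_vti_bin/_vti_adm/admin.dll", "_vti_bin/_vti_aut/author.dll"}

Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Default fetcher: GET `url`, return (status, body); never raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "vti-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""  # unreachable: DNS, TLS or connection failure


def parse_vti_inf(body: str) -> Dict[str, str]:
    """Extract the KEY="value" pairs FrontPage writes into _vti_inf.html.

    The file is an HTML comment listing FPVersion and the admin/author/shtml
    script URLs, so the version and the exact RPC handler paths are handed
    to any anonymous client.
    """
    return dict(re.findall(r'(\w+)="([^"]*)"', body))


def probe(base: str, fetch: Fetcher = http_fetch) -> Dict[str, int]:
    """Return {path: status} for every known path under `base`."""
    base = base.rstrip("/") + "/"
    return {p: fetch(base + p)[0] for p in KNOWN_PATHS}


def exposed(results: Dict[str, int]) -> List[str]:
    """Paths that answered 200 to an anonymous request, in probe order."""
    return [p for p in KNOWN_PATHS if results.get(p) == 200]


def unhardened_admin(results: Dict[str, int]) -> List[str]:
    """Admin handlers still reachable: anything other than 403/404.

    A 401 still counts as reachable, since the handler exists and will
    accept credential guessing; the mitigation is to deny the folder outright.
    """
    return [p for p in KNOWN_PATHS if p in ADMIN_PATHS and results.get(p) not in (403, 404)]


# Constructed sample responses standing in for the redacted target.
SAMPLE_VTI_INF = """<!-- FrontPage Configuration Information
 FPVersion="6.0.2.5516"
 FPShtmlScriptUrl="_vti_bin/shtml.dll/_vti_rpc"
 FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll"
 FPAdminScriptUrl="_vti_bin/_vti_adm/admin.dll"
 TPScriptUrl="_vti_bin/owssvr.dll"
-->"""

SAMPLE_SITE = {
    "_vti_inf.html": (200, SAMPLE_VTI_INF),
    "_vti_bin/shtml.dll/_vti_rpc": (200, ""),
    "_vti_bin/_vti_adm/admin.dll": (200, ""),
    "_vti_bin/spsearch.asmx": (200, ""),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline fetcher: looks the path up in SAMPLE_SITE, 404 otherwise."""
    path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    return SAMPLE_SITE.get(path, (404, ""))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = http_fetch if target else sample_fetch
    base = (target or "http://www.redacted.com").rstrip("/")
    results = probe(base, fetch)
    for path, status in results.items():
        print(f"{status:>4}  {base}/{path}")
    status, body = fetch(base + "/_vti_inf.html")
    if status == 200:
        for key, value in parse_vti_inf(body).items():
            print(f"      {key} = {value}")
    print("admin handlers still reachable:", unhardened_admin(results) or "none")
```

Run it once before and once after applying the ACL/folder block: the first run should list admin.dll under "still reachable", the second should print "none". The `?op=` help pages of the .asmx endpoints are not fetched here; a 200 on the .asmx itself is enough to flag it for manual review.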