Sharepoint Website Information disclosure and can make it to RCE(unfortunately i couldn’t)

This is the bug I have found in some vdp program and they really don’t have time to reply back i guess so posting the vulnerability details will be useful.

First if you are taking any target keep in mind that you have to content discovery, you can use tools like dirb, dirsearch and gobuster

My personal fav tool is dirb because its easy to use. I ran dirb on my target which is running on sharepoint framework

I found out

the information about sharepoint

There is a exploitation research paper on the same services
from the blackhat and they also developed a tool called sparty to
further exploit it.

Without login to the admin module , we can retrieve the services
running using the sparty tool

Command: python -i services -u

You can see all the webservice endpoints which contain some sensitive information

you can make this to RCE but unfortunately in this site case I could not able to but may be you can check out the below link

Mitigation: Place ACL’s to the dll’s of the sharepoint . And also
forbid all the folder /_vti_bin/_vti_adm/admin.dll



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
gayatri r

gayatri r

#infosec enthusiast, pentester