Sharepoint Website Information disclosure and can make it to RCE(unfortunately i couldn’t)
This is the bug I have found in some vdp program and they really don’t have time to reply back i guess so posting the vulnerability details will be useful.
First if you are taking any target keep in mind that you have to content discovery, you can use tools like dirb, dirsearch and gobuster
My personal fav tool is dirb because its easy to use. I ran dirb on my target https://redacted.com which is running on sharepoint framework
There is a exploitation research paper on the same services
from the blackhat and they also developed a tool called sparty to
further exploit it.
Without login to the admin module , we can retrieve the services
running using the sparty tool
You can see all the webservice endpoints which contain some sensitive information
you can make this to RCE but unfortunately in this site case I could not able to but may be you can check out the below link
Mitigation: Place ACL’s to the dll’s of the sharepoint . And also
forbid all the folder /_vti_bin/_vti_adm/admin.dll