Rapid7 Vulnerability & Exploit Database

Microsoft SharePoint Server-Side Include and ViewState RCE

Back to Search

Microsoft SharePoint Server-Side Include and ViewState RCE



This module exploits a server-side include (SSI) in SharePoint to leak the web.config file and forge a malicious ViewState with the extracted validation key. This exploit is authenticated and requires a user with page creation privileges, which is a standard permission in SharePoint. The web.config file will be stored in loot once retrieved, and the VALIDATION_KEY option can be set to short-circuit the SSI and trigger the ViewState deserialization. Tested against SharePoint 2019 on Windows Server 2016.


  • mr_me
  • wvu <wvu@metasploit.com>




cmd, x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/sharepoint_ssi_viewstate
msf exploit(sharepoint_ssi_viewstate) > show targets
msf exploit(sharepoint_ssi_viewstate) > set TARGET < target-id >
msf exploit(sharepoint_ssi_viewstate) > show options
    ...show and set options...
msf exploit(sharepoint_ssi_viewstate) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security