module
Microsoft SharePoint Server-Side Include and ViewState RCE
| Disclosed |
|---|
| 2020-10-13 |
Disclosed
2020-10-13
Description
This module exploits a server-side include (SSI) in SharePoint to leak
the web.config file and forge a malicious ViewState with the extracted
validation key.
This exploit is authenticated and requires a user with page creation
privileges, which is a standard permission in SharePoint.
The web.config file will be stored in loot once retrieved, and the
VALIDATION_KEY option can be set to short-circuit the SSI and trigger
the ViewState deserialization.
Tested against SharePoint 2019 on Windows Server 2016.
the web.config file and forge a malicious ViewState with the extracted
validation key.
This exploit is authenticated and requires a user with page creation
privileges, which is a standard permission in SharePoint.
The web.config file will be stored in loot once retrieved, and the
VALIDATION_KEY option can be set to short-circuit the SSI and trigger
the ViewState deserialization.
Tested against SharePoint 2019 on Windows Server 2016.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.