Post [6] SharePoint
Misconfigured SharePoint can be *really* useful. Examples of things you can do with it are:
- User/Domain Enumeration
- Access to useful files
We regularly find awesome stuff once we have access to SharePoint. Its not uncommon to find service account passwords, alarm information, employee directories, all kinds of useful stuff.
LOW?
Finding SharePoint servers
random targets...lots of interesting things can be found with google dorks.
If you need to look at specific servers:
Stach and Liu's has released their SharePoint Diggity tools
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
you can also roll your own
http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt
Examples of open access
If you have credentials you can use web services calls to pull information from AD, from: http://blog.mindedsecurity.com/2011/07/athcon-2011-presentation.html
Stuff to read:
http://www.mindedsecurity.com/fileshare/Fedon_Athcon_June11.pdf
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29
Great points on the repercussions of low vulns. I think most low vulns get overlooked unless it is explained in the bigger picture. Yes it's only enumeration, but look at what that can lead to... My personal favourites for "low" risk vulnerabilities are clickjacking and CSRF. For example: http://trotmaster.blogspot.com/2012/05/csrf-improving-basic-attack.html
ReplyDeleteYour posts are always useful and to the point.
ReplyDeleteThose low vulns are fantastic when meet critical ones.....
for example if you find a stored XSS in SharePoint it's fun to perform privilege escalation via those exposed WebServices...
that's a tiny POC... https://github.com/marcotinari/POCs/blob/master/PrivilegeEscalationPOC_CSSplusUSEFULFILE.aspx
Thanks for your great blog!!