Monday, May 7, 2012

From LOW to PWNED [6] SharePoint



Post [6] SharePoint

Misconfigured SharePoint can be *really* useful. Examples of things you can do with it are:
  • User/Domain Enumeration
  • Access to useful files
Regular / Auth Protected SharePoint also gives you a point to conduct brute-force attacks against AD or SharePoint users.


We regularly find awesome stuff once we have access to SharePoint. It's not uncommon to find service account passwords, alarm information, employee directories, all kinds of useful stuff.

LOW?


Finding SharePoint servers

Random targets... lots of interesting things can be found with Google dorks.


If you need to look at specific servers:

Stach and Liu has released their SharePoint Diggity tools
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/

You can also roll your own
http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt
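
The defender's view of the wordlist scanning described above, as an added example that is not from the original post: it reads IIS W3C logs and reports clients that request many distinct SharePoint application paths with mostly denied responses, plus application paths that returned 200 to an anonymous user. The log lines are constructed, and the function names and thresholds are assumptions.

```python
from collections import defaultdict
# Constructed IIS W3C log excerpt (not from the original post); documentation IP ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2012-05-07 10:00:01 GET /_layouts/viewlsts.aspx - 203.0.113.7 401
2012-05-07 10:00:01 GET /_layouts/settings.aspx - 203.0.113.7 401
2012-05-07 10:00:02 GET /_layouts/people.aspx - 203.0.113.7 200
2012-05-07 10:00:02 GET /_vti_bin/UserGroup.asmx - 203.0.113.7 401
2012-05-07 10:00:03 GET /_vti_bin/Lists.asmx - 203.0.113.7 404
2012-05-07 10:00:03 GET /_layouts/userdisp.aspx - 203.0.113.7 403
2012-05-07 10:05:10 GET /_layouts/viewlsts.aspx CORP\\alice 198.51.100.20 200
2012-05-07 10:05:12 GET /sites/hr/default.aspx CORP\\alice 198.51.100.20 200
"""

# Standard SharePoint application directories; the thresholds below are assumptions.
SP_PREFIXES = ("/_layouts/", "/_vti_bin/", "/_catalogs/")
DENIED = {"401", "403", "404"}

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def review(text, min_paths=5, min_denied_ratio=0.6):
    """Return (sweeping clients, application paths served 200 to anonymous users)."""
    paths, total, denied = defaultdict(set), defaultdict(int), defaultdict(int)
    anon_ok = set()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.startswith(SP_PREFIXES):
            continue  # ordinary site content, not an application page or web service
        ip = rec["c-ip"]
        paths[ip].add(stem)
        total[ip] += 1
        denied[ip] += rec["sc-status"] in DENIED
        if rec["cs-username"] == "-" and rec["sc-status"] == "200":
            anon_ok.add(stem)  # the open access the post describes
    sweeps = {ip: sorted(p) for ip, p in paths.items()
              if len(p) >= min_paths and denied[ip] / total[ip] >= min_denied_ratio}
    return sweeps, sorted(anon_ok)

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Integrated Windows authentication logs a 401 challenge before authenticated requests, so tune min_paths and min_denied_ratio against the farm's normal traffic.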


Examples of open access



If you have credentials you can use web services calls to pull information from AD, from: http://blog.mindedsecurity.com/2011/07/athcon-2011-presentation.html


Stuff to read:
http://www.mindedsecurity.com/fileshare/Fedon_Athcon_June11.pdf
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29




CG

2 comments:

trotmaster said...

Great points on the repercussions of low vulns. I think most low vulns get overlooked unless it is explained in the bigger picture. Yes it's only enumeration, but look at what that can lead to... My personal favourites for "low" risk vulnerabilities are clickjacking and CSRF. For example: http://trotmaster.blogspot.com/2012/05/csrf-improving-basic-attack.html

marcotinari said...

Your posts are always useful and to the point.
Those low vulns are fantastic when they meet critical ones.....
for example if you find a stored XSS in SharePoint it's fun to perform privilege escalation via those exposed WebServices...
that's a tiny POC... https://github.com/marcotinari/POCs/blob/master/PrivilegeEscalationPOC_CSSplusUSEFULFILE.aspx

Thanks for your great blog!!