Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

According to Microsoft, "empowers teamwork with dynamic and productive team sites for every project team". Regardless, Sharepoint is an important aspect of many companies and access to the material on the server is a big deal.

By default, authenticated SharePoint users can create sites/subsites and will have all necessary permissions. In order to prevent malicious things from happening on the server with this permission, the web.config has many different permissions that are dnied for being unsafe and are not allowed.

The security issue exists due to an age old problem: inconsistency between verification and processing. In fact, there is only a ONE line difference between the two: text4 = HttpUtility.HtmlDecode(text4);. If the verification step does not match the run time exactly, it may be possible to bypass the security controls.

There is parsing done to ensure that only allowlisted tags can be used with the runat="server" is used. However, by HTML encoding this attribute, we can bypass the verification step entirely. This works because the verification does NOT HTML decode but the runtime does.

To exploit this vulnerability to the fullest extent is abuse known denylisted functions. For instance, calling System.Web.UI.WebControls.Xml to exfiltrate the machineKey from the web.config.

The full exploit exfiltrates the machine key, which allows for the crafting of a bad ViewState. When this gets deserialized by the server, we get easy code execution. A shell has been popped on Sharepoint, but does require SPBasePermissions.ManageLists permission in order to do.