bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/52349.txt
Exploit-DB 83f6bce1ba DB: 2025-07-03 
5 changes to exploits/shellcodes/ghdb

gogs 0.13.0 - Remote Code Execution (RCE)

Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution  (RCE)

Moodle 4.4.0 - Authenticated Remote Code Execution

Microsoft SharePoint 2019 - NTLM Authentication
2025-07-03 00:16:29 +00:00

57 lines
No EOL
1.9 KiB
Text
Raw Permalink Blame History

# Titles: Microsoft SharePoint 2019 NTLM Authentication
# Author: nu11secur1ty
# Date: 06/27/25
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/download/details.aspx?id=57462
# Reference:
https://www.networkdatapedia.com/post/ntlm-autSharePoint 2019 NTLM Authentication hentication-security-risks-and-how-to-avoid-them-gilad-david-maayan
## Description:
Microsoft SharePoint Central Administration improperly exposes
NTLM-authenticated endpoints to low-privileged or even brute-forced domain
accounts. Once authenticated, an attacker can access the `_api/web`
endpoint, disclosing rich metadata about the SharePoint site, including
user group relationships, workflow configurations, and file system
structures. The vulnerability enables username and password enumeration,
internal structure mapping, and API abuse.
Key issues include:
- NTLM over HTTP (unencrypted)
- No fine-grained access control on `_api/web`
- NTLM error codes act as oracles for credential validation
STATUS: HIGH-CRITICAL Vulnerability
[+]Exploit:
```
# NTLM Authentication + SharePoint Enumeration Tool Usage:
python ntml.py -u http://10.10.0.15:10626 -U 'CORP\spfarm' -P 'p@ssw0rd'
-v
# Success output (highlight):
[+] NTLM Authentication succeeded on http://10.10.0.15:10626/_api/web
# Result: Full SharePoint metadata dump from the Central Admin instance
```
# Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47166/PoC)
# Time spent:
72:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
Reference in a new issue View git blame Copy permalink