Robbie Wiggins, posted December 19, 2019 (edited)

Anyone got a way to fingerprint a vuln site? Loads error out when hitting the right endpoint, and one or two are blank.

Sorry, something went wrong
Could not load type 'Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog' from assembly 'Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'.
Technical Details

Anyone able to confirm? Endpoint to hit should be /_layouts/15/picker.aspx?PickerDialogType=Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog

Edited December 19, 2019 by Robbie Wiggins
Kevin Beaumont, posted February 12, 2020 (edited)

So I saw some exploitation of this in the wild yesterday, looks like:

Quote
GET /_layouts/15/Picker.aspx - 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 359
GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 312
POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 1312
GET /_layouts/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 302 0 0 46
GET /_layouts/15/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 374
GET /_layouts/15/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 31
GET /_layouts/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 302 0 0 281
GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 421
GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 578
POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 468
GET /_layouts/15/downloadexternaldata.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 10578
POST /_layouts/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 8984
GET /_layouts/15/downloadexternaldata.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 93
POST /_layouts/15/downloadexternaldata.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 124

Obviously the POST statements aren't there. Triggers code execution like this:

Edited February 12, 2020 by Kevin Beaumont: image didn't embed
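A detection check for the pattern in the logs above, written as an added example (not code from either poster): it parses IIS W3C lines in the same field layout as the quoted logs, flags requests to Picker.aspx whose PickerDialogType query names ItemPickerDialog, rates a POST higher than a GET, and reports client IPs that moved from GET probing to a POST. The sample lines and IPs are constructed, and the field order is an assumption read off the quoted lines (date, time and s-ip are not shown there).

```python
import re
from collections import defaultdict

# Assumed field order of the quoted IIS W3C lines: the post shows the columns
# from cs-method onward (date, time and s-ip omitted), with spaces in values as '+'.
FIELDS = ["method", "uri_stem", "uri_query", "port", "username", "client_ip",
          "user_agent", "referer", "status", "substatus", "win32_status", "time_taken"]

# Constructed sample log in the same layout as the quoted lines (placeholder IPs).
SAMPLE_LOG = """\
GET /_layouts/15/Picker.aspx - 80 - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 359
GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 312
POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 1312
GET /_layouts/15/start.aspx - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 20
"""

def parse_line(line):
    """Split one log line into a dict; None if the column count does not match."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(entry):
    """Severity for one entry, or None if it is not a Picker.aspx/ItemPickerDialog hit."""
    stem = entry["uri_stem"].lower()
    if not stem.endswith("/picker.aspx"):
        return None
    if not re.search(r"PickerDialogType=[^&]*ItemPickerDialog", entry["uri_query"], re.I):
        return None
    if entry["method"].upper() == "POST":
        return "high"   # POST with the type name: the exploitation shape seen in the post
    return "low"        # GET with the type name: probing / fingerprinting

def scan(log_text):
    """Return (hits, escalated_ips): flagged entries and IPs that went GET -> POST."""
    hits, per_ip = [], defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            per_ip[entry["client_ip"]].add(entry["method"].upper())
            hits.append((severity, entry["client_ip"], entry["method"], entry["status"]))
    escalated = [ip for ip, methods in per_ip.items() if {"GET", "POST"} <= methods]
    return hits, escalated

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```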