Sharepoint Document Extractor #19966
This module enumerates and extracts documents from a SharePoint library using the .NET API, with support for HTTP or Meterpreter exfiltration. Includes error handling, size filters, and loot integration for gathered files.
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Co-authored-by: msutovsky-r7 <[email protected]>
- Inlined metadata into for readability per @msutovsky-r7.
- Updated 'Arch' to support x86 and x64 per @msutovsky-r7.
- Replaced EXFIL_HOST check with datastore condition per @msutovsky-r7.
- Switched to and from PowerShell mixin API per @msutovsky-r7.
- Simplified output processing with and .
- Reduced (23->9 lines) and (12->5 lines) for RuboCop.
- Fixed line length in (135->100 chars) for RuboCop.
- Class length ~130 lines remains due to embedded C#; justified in PR.
|
||
<!-- ## Verification Steps --> | ||
|
||
1. **Install SharePoint:** | ||
- Set up SharePoint Server on a Windows VM as described above. | ||
- Upload test files (e.g., `test.pdf`, `doc1.docx`) to the “Documents” library. | ||
2. **Start `msfconsole`:** | ||
|
||
msfconsole | ||
Load the Module: |
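Review bot: The `## Verification Steps` heading on the first line of this hunk is wrapped in an HTML comment (`<!-- ... -->`), so the section heading will not render; drop the comment markers so the numbered steps sit under a visible heading. Within the steps, `msfconsole` under step 2 appears as bare text and "Load the Module:" is not numbered as step 3, so put the command in a code block and continue the numbering. Step 1 also refers to a SharePoint setup "as described above"; confirm that setup section actually precedes this one in the docs page.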
The formatting from about here until the document ends is not exactly well-structured markdown. The document should follow our standard template. There's an `msftidy_docs.rb` file that should also be run on the docs page to identify common issues. You should also be careful to note that different markdown rendering engines will show things slightly differently. We should ensure that the one used by Metasploit when msfconsole's `info -d` command is run will display the content correctly.
Co-authored-by: Spencer McIntyre <[email protected]>
- Replaced stability/side effect constants with string literals ('crash-safe', etc.) in 'Notes' to fix STABILITY_CRASH_SAFE error.
- Removed unnecessary Msf::Module::Stability and Msf::Module::SideEffects includes.
- Retained top-level RubyDoc comment for Style/Documentation compliance.
- Kept inlined metadata, base64-encoded file names, and other @smcintyre-r7 feedback fixes.
- Class length ~130 lines remains due to embedded C# and PowerShell, justified in PR.
…kramvermahsoft/metasploit-framework-sharepoint-payload into sharepoint-document-extractor
This module enumerates and extracts documents from a specified SharePoint library using the SharePoint .NET API. Designed to run in an existing Windows session (e.g., Meterpreter or shell) on a SharePoint server, it supports two exfiltration methods—HTTP (to an attacker-controlled server) or Meterpreter (via base64-encoded output stored as loot). It includes configurable options for the target site URL, library name, exfiltration method, and maximum file size, along with robust error handling for library access and file processing. This tool is ideal for penetration testers targeting enterprise environments where SharePoint stores sensitive documents, such as in DoD or corporate networks.

Functionality
- Queries the SharePoint API to list and retrieve documents from a specified library.
- Filters files by size to avoid memory issues or detection.
- Exfiltrates documents via HTTP POST or Meterpreter, saving them as loot with metadata.
- Provides detailed status output (e.g., successes, skips, errors) for user feedback.

Tested On
- Windows Server 2016 with SharePoint Server 2016
- Meterpreter session generated via windows/meterpreter/reverse_tcp
- Successfully extracted multiple test files (PDFs, DOCX) under 10MB from the "Documents" library
- Verified compatibility with HTTP exfiltration to a Python http.server listener

References
- SharePoint .NET API Documentation
- Inspired by general SharePoint security research; no direct CVE dependency

Checklist
- Tested locally in msfconsole with reload_all and successful execution
- Passes tools/dev/msftidy.rb with no errors or warnings (fixed superclass, removed redundant require, corrected check codes, converted to Unix EOLs)
- Passes bundle exec rubocop with no offenses (added Notes section per guidelines)
- Includes comprehensive metadata (Name, Description, Author, Notes, etc.)
- No malicious code; designed for ethical penetration testing use only

Notes
- Stability: STABILITY_CRASH_SAFE—uses native SharePoint APIs, unlikely to crash the server.
- Reliability: RELIABILITY_REPEATABLE_SESSION—consistent results given proper permissions and SharePoint access.
- Side Effects: SIDE_EFFECTS_NETWORK_TRAFFIC—HTTP exfiltration generates network activity; Meterpreter mode is cleaner.