Microsoft SharePoint Server JWT Spoofing Privilege Escalation
CVE-2023-29357 is a critical elevation-of-privilege vulnerability in Microsoft SharePoint Server, including SharePoint Server 2019, caused by improper handling and validation of authentication tokens. Available reporting indicates a remote, unauthenticated attacker can send a spoofed JSON Web Token (JWT) to a vulnerable SharePoint server and obtain the privileges of an authenticated user. The issue has also been described as improper handling of authentication tokens in the SharePoint API. Public research further shows this flaw can be chained with CVE-2023-24955 to achieve unauthenticated remote code execution, although CVE-2023-29357 by itself is the authentication bypass / privilege-escalation component of that chain.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
Single-file Python exploit targeting Microsoft SharePoint CVE-2023-29357. The repository contains one operational script, exploit.py, which supports both single-target exploitation and multi-target scanning. The script uses requests sessions, optional threading via ThreadPoolExecutor, progress display via alive_progress, rich console output, and optional LeakIX discovery through leakpy. Core logic is implemented in a SharePoint class: it normalizes the target URL, extracts the hostname, requests /_api/web/siteusers with an empty Bearer token to force a 401 response, parses the WWW-Authenticate header to recover the SharePoint realm, and constructs an audience value using the fixed SharePoint client ID 00000003-0000-0ff1-ce00-000000000000. It then forges unsigned JWT-like tokens using alg:none and claims consistent with the CVE-2023-29357 proof-token bypass technique. These tokens are sent in both Authorization and X-PROOF_TOKEN headers to /_api/web/currentuser to verify impersonation. The visible code shows explicit support for spoofing admin users by iterating over discovered user records and attempting authenticated requests as each one. The script is more than a detector because it actively crafts bypass tokens and attempts authenticated API access; however, it is not heavily weaponized beyond hardcoded token structure and basic scanning workflow. Notable observables include the local proxy http://127.0.0.1:8080, SharePoint REST paths /_api/web/siteusers and /_api/web/currentuser, and output file output.txt. Overall purpose: identify and exploit vulnerable SharePoint instances at scale for authentication bypass and user impersonation.
This repository contains a Python proof-of-concept exploit for CVE-2023-29357, a privilege escalation vulnerability in Microsoft SharePoint Server. The main file, 'exploit.py', allows an attacker to impersonate admin users by exploiting an authentication bypass. The script works by first retrieving the SharePoint realm from the '/_api/web/siteusers' endpoint, then crafting a JWT token with 'alg':'none' to spoof admin users and access the '/_api/web/currentuser' endpoint as those users. The script outputs details of admin users with elevated privileges. It supports single-target and mass exploitation modes, including integration with LeakIX for bulk testing (requiring a Pro API key). The repository also includes a 'requirements.txt' for dependencies and a detailed 'README.md' with usage instructions. No RCE or post-exploitation payloads are included; the exploit is focused on privilege escalation and user impersonation. The attack vector is network-based, targeting accessible SharePoint web interfaces.
This repository is a C# proof-of-concept exploit for CVE-2023-29357, a pre-authentication privilege escalation vulnerability in Microsoft SharePoint. The main exploit logic is implemented in 'CVE-2023-29357/Program.cs', which is a console application targeting .NET Framework 4.7.2. The exploit works by first making an unauthenticated request to the SharePoint REST API endpoint '/_api/web/siteusers' to extract the authentication 'realm' from the response headers. It then forges JWT tokens with 'alg':'none' and custom claims, allowing the attacker to impersonate any user, including site administrators. These tokens are used in subsequent requests to endpoints such as '/_api/web/currentuser' to verify successful impersonation. The repository includes project and configuration files for building the exploit, as well as a README with usage instructions and references. No hardcoded IPs or domains are present; the target SharePoint URL is provided as a command-line argument. The exploit is a functional PoC and does not include weaponized payloads beyond authentication bypass and user impersonation.
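As an added defender-side example (not code from this page or from the exploit repositories summarized above), the following Python turns the observables those summaries list into a log check: an empty Bearer header sent to /_api/web/siteusers to elicit the realm, and unsigned alg:none tokens carried in the Authorization and X-PROOF_TOKEN headers on requests to /_api/web/currentuser. The log line format, the sample tokens, and the function names are assumptions made for the example.

```python
import base64
import json
import re
from typing import List, Optional
# Constructed sample tokens (not real SharePoint tokens): an unsigned alg:none token
# with an empty signature segment, and one that claims RS256 and carries a signature.
UNSIGNED = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9."
SIGNED = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2lnbmF0dXJl"
# Constructed log format: "<METHOD> <PATH> auth=<Authorization> proof=<X-PROOF_TOKEN>", "-" = absent.
SAMPLE_LOG = [
    "GET /_api/web/siteusers auth=Bearer proof=-",
    f"GET /_api/web/currentuser auth=Bearer {UNSIGNED} proof={UNSIGNED}",
    f"GET /_api/web/currentuser auth=Bearer {SIGNED} proof=-",
    "GET /_layouts/15/start.aspx auth=- proof=-",
]
LINE_RE = re.compile(r"^(\S+) (\S+) auth=(.*?) proof=(\S+)$")

def classify_token(token: str) -> Optional[str]:
    """'empty', 'malformed', 'unsigned', or None when the token at least looks signed."""
    if token == "":
        return "empty"
    parts = token.split(".")
    try:  # base64url header, re-padded; json.loads accepts the decoded bytes directly
        header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
        alg = str(header.get("alg", "")).lower()
    except (ValueError, AttributeError):  # bad base64, bad JSON, or header not an object
        return "malformed"
    # alg:none, a missing alg, or a missing/empty third segment all mean "no signature"
    if alg in ("none", "") or len(parts) < 3 or parts[2] == "":
        return "unsigned"
    return None

def analyze_line(line: str) -> List[str]:
    """Findings for one log line: realm-probe, unsigned-bearer, unsigned-proof-token."""
    m = LINE_RE.match(line)
    if not m:
        return []
    path, auth, proof = m.group(2, 3, 4)
    findings = []
    if auth.lower().startswith("bearer"):
        kind = classify_token(auth[len("bearer"):].strip())
        if kind == "empty" and path.lower().endswith("/_api/web/siteusers"):
            findings.append("realm-probe")  # empty Bearer sent to elicit the 401 realm
        elif kind == "unsigned":
            findings.append("unsigned-bearer")
    if proof != "-" and classify_token(proof) == "unsigned":
        findings.append("unsigned-proof-token")
    return findings

def scan_log(lines: List[str]) -> List[List[str]]:
    """Findings per line, in order (an empty list means the line looked benign)."""
    return [analyze_line(line) for line in lines]
```

A real SharePoint access token is never unsigned, so any hit on the unsigned checks is worth an alert on its own; the realm-probe hit is only meaningful when it precedes one of them from the same source.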
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A Microsoft SharePoint Server elevation of privilege vulnerability that may allow attackers to gain unauthorized privileged access to a SharePoint environment.
A privilege escalation vulnerability in Microsoft SharePoint Server, with proof-of-concept exploit available.
A Microsoft SharePoint Server elevation of privilege vulnerability that can be exploited through the SharePoint API.
A specific vulnerability identified as CVE-2023-29357 referenced in SharePoint attack simulation data.