@puzzlepeaches
Created August 3, 2024 12:07
Not working onedrive_user_enum that combines my previous two gists. Anyone who can fix this gets a cookie.
id: o365-tenant-name-and-user-enum
# Current use: nuclei -t combo.yaml -u acme.com
# Intended use: nuclei -t combo.yaml -u acme.com -var userlist=jsmith.txt

info:
  name: Office 365 Tenant Name Discovery and User Enumeration
  author: ed
  severity: info
  description: Discovers the tenant name for a given Office 365 domain and then enumerates users in the target tenant's OneDrive.

# Pre-define the userlist; ideally it should be overridable via -var userlist=jsmith.txt when running nuclei [BROKEN]
variables:
  userlist: usernames.txt

flow: |
  http(1)
  if (template["tenant_name"]) {
    set("tenant_name", template["tenant_name"]);
    http(2)
  }

http:
  - method: POST
    path:
      - "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc"
    headers:
      Content-Type: text/xml; charset=utf-8
      SOAPAction: http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation
      User-Agent: AutodiscoverClient
      Accept-Encoding: identity
    body: |
      <?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:exm="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:ext="http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <soap:Header>
          <a:Action soap:mustUnderstand="1">http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation</a:Action>
          <a:To soap:mustUnderstand="1">https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc</a:To>
          <a:ReplyTo>
            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
          </a:ReplyTo>
        </soap:Header>
        <soap:Body>
          <GetFederationInformationRequestMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
            <Request>
              <Domain>{{Host}}</Domain>
            </Request>
          </GetFederationInformationRequestMessage>
        </soap:Body>
      </soap:Envelope>
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: tenant_name
        part: body
        regex:
          - '(?i)<Domain>([^<>/.]+)\.onmicrosoft\.com</Domain>'
        internal: true
        group: 1

  - method: GET
    path:
      - "https://{{tenant_name}}-my.sharepoint.com/personal/{{replace(user, '.', '_')}}_{{replace(Host, '.', '_')}}/_layouts/15/onedrive.aspx"
    redirects: false
    attack: batteringram
    payloads:
      # BROKEN
      user: "{{userlist}}"
    headers:
      # Refuses to take anything but the curl user-agent???
      User-Agent: "curl/7.64.1"
      Accept: "*/*"
      Host: "{{tenant_name}}-my.sharepoint.com"
    matchers-condition: or
    matchers:
      - type: status
        status:
          - 401
          - 403
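The first request above relies on a single regex to pull the tenant short name out of the GetFederationInformation response, and a 200 status is accepted as success. The following is an added example, not part of this gist or of nuclei, that parses that response properly: it reads the `ErrorCode`, lists every advertised `<Domain>`, and applies the same `<label>.onmicrosoft.com` rule as the template's extractor (so `x.mail.onmicrosoft.com` is correctly skipped). It assumes the response elements live in the same Autodiscover namespace as the request envelope. Both responses below are constructed samples with a placeholder tenant, not captures; the same parser is handy for checking what your own tenant publicly advertises.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace of the Autodiscover response elements. Assumption: the response
# uses the same default namespace as the request envelope in the template.
AUTODISCOVER_NS = "http://schemas.microsoft.com/exchange/2010/Autodiscover"

# Same rule as the template's extractor: exactly one label, then
# ".onmicrosoft.com". Anchoring on the whole domain string keeps
# "x.mail.onmicrosoft.com" from matching.
TENANT_RE = re.compile(r"^([^<>/.]+)\.onmicrosoft\.com$", re.IGNORECASE)

# Constructed sample of a successful response (placeholder tenant, not a capture).
SAMPLE_OK = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <GetFederationInformationResponseMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
      <Response>
        <ErrorCode>NoError</ErrorCode>
        <ErrorMessage/>
        <ApplicationUri>example-tenant.onmicrosoft.com</ApplicationUri>
        <Domains>
          <Domain>example-tenant.com</Domain>
          <Domain>example-tenant.mail.onmicrosoft.com</Domain>
          <Domain>example-tenant.onmicrosoft.com</Domain>
        </Domains>
      </Response>
    </GetFederationInformationResponseMessage>
  </s:Body>
</s:Envelope>"""

# Constructed failure case: HTTP 200 but an error code and no domains.
# A status-only matcher would still treat this as success.
SAMPLE_ERR = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <GetFederationInformationResponseMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
      <Response>
        <ErrorCode>InvalidRequest</ErrorCode>
        <ErrorMessage>Invalid domain</ErrorMessage>
        <Domains/>
      </Response>
    </GetFederationInformationResponseMessage>
  </s:Body>
</s:Envelope>"""


def _q(tag: str) -> str:
    """Clark-notation name for an element in the Autodiscover namespace."""
    return "{%s}%s" % (AUTODISCOVER_NS, tag)


def response_error(xml_text: str) -> Optional[str]:
    """Return the ErrorCode when it is anything other than NoError, else None."""
    root = ET.fromstring(xml_text)
    code = root.find(".//" + _q("ErrorCode"))
    if code is None or (code.text or "").strip() == "NoError":
        return None
    return code.text.strip()


def federated_domains(xml_text: str) -> List[str]:
    """Every <Domain> value in the response, in document order."""
    root = ET.fromstring(xml_text)
    return [d.text.strip() for d in root.iter(_q("Domain")) if d.text and d.text.strip()]


def tenant_name(xml_text: str) -> Optional[str]:
    """Tenant short name, or None when the service reported an error or
    advertised no <label>.onmicrosoft.com domain."""
    if response_error(xml_text):
        return None
    for domain in federated_domains(xml_text):
        m = TENANT_RE.match(domain)
        if m:
            return m.group(1).lower()
    return None


if __name__ == "__main__":
    print("ok  ->", tenant_name(SAMPLE_OK))
    print("err ->", tenant_name(SAMPLE_ERR))
```

Checking `ErrorCode` before trusting any extracted domain is the part the template lacks: its `and` matcher only requires a 200, so a well-formed error response would leave `tenant_name` unset and the flow silently skips the second request without saying why.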