id: CVE-2020-1147

info:
  name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection
  author: dwisiswant0
  severity: critical

  # Ref:
  # - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
  # - https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

requests:
  - method: GET
    path:
      - "{{BaseURL}}/_layouts/15/listform.aspx?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "List does not exist"
          - "It may have been deleted by another user"
        part: body
        condition: and
      - type: word
        words:
          - "Microsoft-IIS"
          - "X-SharePointHealthScore"
          - "SharePointError"
          - "SPRequestGuid"
          - "MicrosoftSharePointTeamServices"
        condition: or
        part: header
      - type: status
        status:
          - 200