id: CVE-2020-16952

info:
  name: Microsoft SharePoint Server-Side Include (SSI) and ViewState RCE
  author: dwisiswant0
  severity: critical
  description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16951.
  reference:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
    - https://srcincite.io/pocs/cve-2020-16952.py.txt
    - https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
  tags: cve,cve2020,sharepoint,iis

# Version fingerprint only: a single GET to the base URL, no payload is sent.
requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    # All three matchers below must succeed for a finding to be reported.
    matchers-condition: and
    matchers:
      # Build strings looked for in the response body (either pattern may match).
      - type: regex
        regex:
          - "15\\.0\\.0\\.(4571|5275|4351|5056)"
          - "16\\.0\\.0\\.(10337|10364|10366)"
          # - "16.0.10364.20001"
        condition: or
        part: body

      # Response header name that identifies the server as SharePoint.
      - type: word
        words:
          - "MicrosoftSharePointTeamServices"
        part: header

      - type: status
        status:
          - 200
          - 201
        condition: or