Hunt SharePoint

Enumerate and assess on-prem Microsoft SharePoint servers for version disclosure, anonymous endpoints, legacy SOAP login abuse, ToolShell preconditions (CVE-202

triggers:sharepoint_layouts/15_vti_binauthentication.asmxtoolpanecontextinfopicker.aspxeol sp2013

GitHub SKILL.md

What it does

Hunt SharePoint adds a structured methodology to discover and triage vulnerable on-prem SharePoint farms (SP2013/2016/2019/SPE). It provides fingerprinting checks, anonymous endpoint probes, legacy SOAP Authentication.asmx tests, ToolPane/ToolShell precondition verification, SafeControl enumeration via Picker.aspx, NTLM Type-2 topology disclosure, and guidance on what constitutes a true finding versus noise. The skill focuses on reconnaissance and precondition validation (not active exploitation): collection of version/build, detection of anonymous FormDigest issuance, unencrypted ViewState markers, and legacy SOAP login surfaces.

When to use it

Use this skill during external scans, bug-bounty triage, or red-team reconnaissance when you see SharePoint-specific headers or paths (/_layouts/15/, /_vti_bin/, /_api/, /_vti_inf.html). It is particularly useful against suspected EoL SP2013 farms, custom-branded portals, or public-facing intranet mirrors where anonymous endpoints may expose high-value attack primitives.

What's included

Scripts: none bundled in-skill (procedural curl/python examples are detailed in the SKILL.md body).
References: methodology, vulnerability cross-references (ToolShell CVE-2025-53770, NTLM AV-pair decoding, Picker.aspx SafeControl enumeration).
Instructions: step-by-step probes for version fingerprinting, anonymous /_api/contextinfo POST, ToolPane precondition chain (GET ToolPane, POST contextinfo, POST ToolPane with digest), Authentication.asmx Mode/Login checks, and SafeControl class existence checks via Picker.aspx.

Compatible agents

Best used by agents with HTTP tooling and scripting ability (curl/python) such as Claude Code or any agent that can run small shell/python probes.

Not yet audited

This skill has not been reviewed by our automated audit pipeline yet.

Information

Repository: claude-bughunter
Stars: 2,450
Installs: 0

More from claude-bughunter

Bug Bounty Methodology

A five-phase bug-hunting workflow and critical-thinking playbook that orients security hunting sessions, maps steps from recon to report, and enforces quality g

Hunt SSRF

Guided hunting methodology for server-side request forgery (SSRF): detection, OOB validation, payloads, bypass techniques, and escalation chains.

Related Skills

Bounty Hunter — Atlas

Persona skill: 'Atlas' — a profit-focused developer persona for discovering, evaluating and executing paid bounties or freelance tasks with ROI-aware workflows.

Reverse Engineer

Provides step-by-step guidance and best practices for binary reverse engineering: static analysis, dynamic tracing, disassembly, and documentation workflows for

Sandbox0 Integration

Guidance and templates for integrating Sandbox0 sandboxing into AI agents — CLI/SDK patterns, templates, volumes, network policy, and deployment choices.

CTF Write-up Generator

Generate a concise, reproducible submission-style CTF writeup with a one-path solution script, metadata, and a short checklist for fast verification.

Azure External Attack Surface Management

Provides expert guidance for Azure External Attack Surface Management (EASM): quotas, configuration, integrations, and exporting inventory to analytics platform

Node.js Best Practices

Guidelines and decision-making for Node.js architecture, runtime, async patterns, security, validation, and testing to inform framework and system choices.

radar — Smart Contract AST & Security Analysis

Multi-framework AST generator and static analysis tool for smart contracts (Rust/Anchor/Stylus and Solidity/Foundry) with a template DSL for writing detection r

Bash Pro

Defensive, production-grade Bash scripting patterns and CI/CD best practices: strict mode, safe argument parsing, testing with Bats, and tooling (ShellCheck/shf

Back to Skills