
Broken Access Control leads to full access to all company customers, users, infrastructure, employees ...

Published 6 months ago


Hi, this is Merroun Lahcen from DevSecure. We specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted: any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

Broken access control led to full access to all company customers, users, infrastructure, contacts and employees: sensitive information such as names, emails and phone numbers, in some cases even passwords for admins and servers, plus a QueryBuilder that can be used to export sensitive data.
It all started when I was doing recon for *.company.eu. In a documentation file I found a reference to a SharePoint host used for company storage. I tried to access it with my own credentials and it let me in:
companycloud.sharepoint.com
Then I started searching for any information I could use to get access to other services, and I found all of the resources below, all of which hold sensitive information.

1/ companycloud.sharepoint.com hosts a lot of important and sensitive sites, for example:

AdminFiles
PrivateFiles

Let's start with the Query Builder. Search for "query builder" and click on it, and you get the form interface where you can build a query:
choose a list (in this case there are more than 20 lists);
I chose the User Information List and then added the columns I wanted to see. For the POC I chose just:

Name
Email
UserName
WorkPhone

and I got all users in the database (more than 7000 users). The XML result can be accessed from here:
https://companycloud.sharepoint.com/sites/*******/items?$select=Name%2CEMail%2CUserName%2CWorkPhone&$top=10000

That's just a POC: any of the other 20 lists besides the User Information List can be used, with any of their columns.
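From the defender's side, the request above leaves a clear trace: a REST list-items call that projects identity columns with $select and pulls thousands of rows with $top. The script below is an added example written for this write-up, not the author's or Microsoft's code. It runs simple detection logic over a few constructed access-log lines: the log format, the IPs, the user names and the BULK_TOP threshold are all assumptions, while the /_api/web/lists/getbytitle('...')/items path is the standard SharePoint REST endpoint for list items. It flags bulk pulls of the User Information List and distinguishes requests the server actually served (2xx) from ones the access control blocked (403).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Columns from the write-up's POC query; pulling these in bulk exposes personal data.
SENSITIVE_COLUMNS = {"name", "email", "username", "workphone"}
# Constructed threshold: interactive list views page far fewer items than this.
BULK_TOP = 500

# Constructed sample access log (not real data). Assumed format:
#   <client-ip> <user> "<method> <path?query>" <status> <bytes>
SAMPLE_LOG = """\
203.0.113.10 ext-user@partner.example "GET /sites/ops/_api/web/lists/getbytitle('User%20Information%20List')/items?$select=Name%2CEMail%2CUserName%2CWorkPhone&$top=10000" 200 4812933
198.51.100.7 alice@company.com "GET /sites/ops/_api/web/lists/getbytitle('Documents')/items?$top=30" 200 9120
203.0.113.10 ext-user@partner.example "GET /sites/ops/_api/web/lists/getbytitle('User%20Information%20List')/items?$select=Title&$top=30" 200 2200
198.51.100.7 alice@company.com "GET /sites/ops/_api/web/lists/getbytitle('Documents')/items?$top=5000" 200 730221
203.0.113.10 ext-user@partner.example "GET /sites/ops/_api/web/lists/getbytitle('User%20Information%20List')/items?$select=EMail&$top=10000" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<url>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line: str):
    """Split one access log line into fields; None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(url: str) -> list[str]:
    """Return the reasons a SharePoint REST list query looks like a bulk export."""
    parts = urlsplit(url)
    path = unquote(parts.path).lower()
    if "/items" not in path:
        return []                       # not a list-items call, nothing to check
    query = parse_qs(parts.query)       # values are percent-decoded here
    reasons = []

    # Which columns are being projected out? ($select=Name,EMail,...)
    selected = set()
    for value in query.get("$select", []):
        selected.update(col.strip().lower() for col in value.split(","))
    pii = selected & SENSITIVE_COLUMNS
    if "user information list" in path and pii:
        reasons.append("user-info-list-pii:" + ",".join(sorted(pii)))

    # How many rows are requested at once? ($top=10000)
    top = max((int(v) for v in query.get("$top", []) if v.isdigit()), default=0)
    if top >= BULK_TOP:
        reasons.append(f"bulk-top:{top}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Run classify_request over every line and keep only suspicious requests.

    'exposed' is True when the server actually served the data (2xx). A 403 on
    the same query shows the access control held; it is kept for visibility.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify_request(rec["url"])
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "reasons": reasons,
                "exposed": rec["status"].startswith("2"),
                "bytes": int(rec["bytes"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        state = "EXPOSED" if f["exposed"] else "blocked"
        print(f"{state:8} {f['user']:28} {f['ip']:14} {'; '.join(f['reasons'])}")
```

The first sample line reproduces the shape of the POC request and is reported as exposed with both reasons; the last line is the same kind of query answered with 403, which is what the log should look like once read access to the User Information List is restricted to the people who need it. Ingesting the same two signals (sensitive columns plus a large $top against the list-items endpoint) into a SIEM rule is the practical follow-up.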

The SharePoint holds a lot of sensitive information about internal employees, infrastructure, backups, customers and users.
In this report I give only a POC of how sensitive this is, but if an attacker had access to this sort of information, be sure it would have a catastrophic impact on the whole company.
https://app.intigriti.com/profile/merroun