Sitecore 8.x – Deserialization Remote Code Execution

Exploit Database
117 阅读

作者： Jarad Kopf

日期： 2019-06-13
类别：
- webapps
平台：
- aspx
来源：https://www.exploit-db.com/exploits/46987/

# Exploit Title: Sitecore v 8.x Deserialization RCE
# Date: Reported to vendor October 2018, fix released April 2019.
# Exploit Author: Jarad Kopf
# Vendor Homepage: https://www.sitecore.com/
# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx
# Version: Sitecore 8.0 Revision 150802
# Tested on: Windows
# CVE : CVE-2019-11080 

Exploit: 

Authentication is needed for this exploit. An attacker needs to login to Sitecore 8.0 revision 150802's Admin section. 
When choosing to Serializeusers or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter. 
By replacing this parameter with a URL-encoded, base64-encoded crafted payload from ysoserial.net, an RCE is successful.

last Exploits
Sitecore 8.x – Deserialization Remote Code Execution的更多信息

Limny 1.01 – Arbitrary File Upload：
ClipBucket – ‘beats_uploader’ Arbitrary File Upload (Metasploit)：
Monstra cms 3.0.4 – Persitent Cross-Site Scripting：
WordPress Plugin WPtouch 1.9.27 – URL redirection：
WordPress Plugin Simple Backup 2.7.11 – Multiple Vulnerabilities：
Victor CMS 1.0 – File Upload To RCE：
Rukovoditel Project Management CRM 2.5.2 – ‘filters’ SQL Injection：
Dolphin 7.0.x – ‘explanation.php?explain’ Cross-Site Scripting：