Umbraco CMS
.NET CMS with an admin backoffice at /umbraco. Authenticated admins get RCE via the templating/package features, and the config files hold the DB connection string and the machineKey.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
Fingerprint
- Login at /umbraco, 'Umbraco' branding
- Version at /umbraco/ping or in /umbraco/assets, often in the page source
Key files
| Path | Holds | Sensitive |
|---|---|---|
| web.config | DB connection string, machineKey (viewstate) | sensitive |
| App_Data/Umbraco.sdf | embedded SQL CE DB: admin hash | sensitive |
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2023-32721 | Stored XSS in the backoffice |
| EDB-46153 | Umbraco ≤ 7.12.4 authenticated RCE via the xsltVisualize / template feature |
Exploitation primitives
- Authenticated RCE (EDB-46153): POST a crafted SerializedData payload to /umbraco/feedproxy.aspx or use the template editor to run code
- Loot web.config for the SQL connection string and machineKey (enables ViewState deserialization)
- Pull Umbraco.sdf and crack the SHA1/HMACSHA256 admin hash
Overview
Umbraco is an ASP.NET CMS; the backoffice lives at /umbraco. With admin creds (often recovered from Umbraco.sdf or reused), the templating engine gives straightforward code execution.
Authenticated RCE (Umbraco ≤ 7.12.4)
Run the exploit-db PoC with valid backoffice creds:
python3 49488.py -u 'admin@htb.local' -p 'password' -i 'http://<TARGET>' -c 'powershell -e <BASE64>'
Loot credentials
Pull the embedded DB and extract the admin hash:
strings App_Data/Umbraco.sdf | grep -i admin
Read the machineKey from web.config to forge a ViewState (ysoserial.net) for unauthenticated RCE where applicable.
Hardening
Patch Umbraco, use strong, unique backoffice passwords, protect web.config and Umbraco.sdf, and rotate the machineKey.
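To check the web.config items above on your own install, here is an added example (not from the original page or from Umbraco) that flags a clear-text connection-string password, a SQL CE `.sdf` data source, and a static or legacy machineKey. The function name `audit_web_config`, the sample file and all its values are constructed for illustration; `umbracoDbDSN` is assumed as the connection string name.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; every value is a placeholder.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="umbracoDbDSN" providerName="System.Data.SqlClient"
         connectionString="Server=db01;Database=umbraco;User Id=umb;Password=EXAMPLE-ONLY" />
  </connectionStrings>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF" decryptionKey="FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_web_config(xml_text):
    """Return findings for secrets that sit in web.config in clear text."""
    root = ET.fromstring(xml_text)
    findings = []

    conn = root.find("connectionStrings")
    # A section encrypted with aspnet_regiis carries configProtectionProvider
    # and holds <EncryptedData> instead of <add> elements, so it is skipped.
    if conn is not None and conn.get("configProtectionProvider") is None:
        for add in conn.findall("add"):
            name, value = add.get("name"), add.get("connectionString", "")
            keys = {p.split("=", 1)[0].strip().lower() for p in value.split(";") if "=" in p}
            if keys & {"password", "pwd"}:
                findings.append(f"connectionStrings/{name}: clear-text database password")
            if ".sdf" in value.lower():
                findings.append(f"connectionStrings/{name}: SQL CE file holds the admin hash")

    mk = root.find("system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            key = mk.get(attr, "")
            # "AutoGenerate" means IIS derives the key; anything else is a static secret.
            if key and not key.lower().startswith("autogenerate"):
                findings.append(f"machineKey/{attr}: static key stored in the file")
        if mk.get("validation", "").upper() in WEAK_VALIDATION:
            findings.append("machineKey/validation: legacy algorithm")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```

An empty result means only that these secrets are not readable from the file itself; the machineKey still needs rotating if an earlier copy of web.config was exposed.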