# **CVE-2019-12102 Scanner**
The **CVE-2019-12102 Scanner** is an automated tool to scan for the **Unauthenticated File Upload / File Exposure** vulnerability in Kentico CMS versions 11 to 12. This vulnerability is caused by improper access control on the endpoint `/cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx`. The tool checks if a domain is vulnerable by verifying the response from the endpoint and saves the results into separate files for **Potentially Vulnerable** and **Confirmed Vulnerable** domains.
---
## **Table of Contents**
1. [Vulnerability Description](#vulnerability-description)
2. [Key Features](#key-features)
3. [Installation](#installation)
4. [Usage](#usage)
5. [Sample Output](#sample-output)
6. [Important Notes](#important-notes)
7. [Contributions](#contributions)
8. [License](#license)
---
## **Vulnerability Description**
The **CVE-2019-12102** vulnerability allows attackers to:
- Upload files without authentication.
- Browse existing files on the server.
The vulnerable endpoint (`/cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx`) can be accessed without authentication if the `hash` parameter is not properly validated. If the URL redirects to `/CMSMessages/accessdenied.aspx?resstring=dialogs.missinghashtext&hash=`, the domain is considered vulnerable.
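For defenders, both paths named above leave traces in web-server logs. The following is an added example, not code from this repository: it triages log lines per client IP for requests to the endpoint and for the missing-hash redirect. It assumes IIS W3C extended logs with the fields shown; the function names and the sample log lines are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Paths taken from the README, lower-cased because IIS matches paths case-insensitively.
ENDPOINT = "/cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx"
DENIED = "/cmsmessages/accessdenied.aspx"

# Constructed sample in IIS W3C extended format (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-05-01 10:00:01 203.0.113.7 GET /CMSModules/MediaLibrary/FormControls/LiveSelectors/InsertImageOrMedia/tabs_media.aspx - 302
2024-05-01 10:00:01 203.0.113.7 GET /CMSMessages/accessdenied.aspx resstring=dialogs.missinghashtext&hash= 200
2024-05-01 10:00:02 203.0.113.7 GET /CMSModules/MediaLibrary/FormControls/LiveSelectors/InsertImageOrMedia/tabs_media.aspx hash=constructedvalue 200
2024-05-01 10:05:00 198.51.100.4 GET /index.aspx - 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def classify(rec):
    """Return a tag for requests that touch the README's two paths, else None."""
    stem = rec["cs-uri-stem"].lower()
    # An empty query ("-") and a blank "hash=" both parse to no hash key.
    query = parse_qs(rec["cs-uri-query"].lower())
    if stem == ENDPOINT:
        return "endpoint_with_hash" if "hash" in query else "endpoint_no_hash"
    if stem == DENIED and "dialogs.missinghashtext" in query.get("resstring", []):
        return "missing_hash_denied"
    return None

def triage(text):
    """Count tagged requests per client IP so probing sources stand out."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse_w3c(text):
        tag = classify(rec)
        if tag:
            hits[rec["c-ip"]][tag] += 1
    return {ip: dict(tags) for ip, tags in hits.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A source that shows `endpoint_no_hash` followed by `endpoint_with_hash` matches the two-step check this scanner performs and is worth reviewing alongside any uploads to the media library in the same time window.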
---
## **Key Features**
- **Automated Scanning**: Scans a list of domains from an input file.
- **Double Verification**: Re-checks each potentially vulnerable domain with a second request that includes a `hash` parameter before marking it as confirmed.
- **Color-Coded Output**: Displays results in color for easy identification (red for confirmed vulnerable, yellow for potentially vulnerable).
- **Separate Output Files**: Saves **Potentially Vulnerable** and **Confirmed Vulnerable** domains into separate files.
- **Safe Saving**: Saves results even if the script is interrupted (e.g., by pressing `Ctrl+C`).
---
## **Installation**
### **Prerequisites**
- Python 3.x
- Python modules: `requests`, `colorama`
### **Installation Steps**
1. Clone this repository:
```bash
git clone https://github.com/Egi08/CVE-2019-12102-Scanner.git
cd CVE-2019-12102-Scanner
```
2. Install dependencies:
```bash
pip install -r requirements.txt
```
If the `requirements.txt` file does not exist, create it with the following content:
```
requests
colorama
```
3. Prepare an input file (`domains.txt`) containing a list of domains, one domain per line. Example:
```
example.com
another-example.com
vulnerable-site.com
```
---
## **Usage**
### **Command-Line Arguments**
```bash
python cve_2019_12102_scanner.py -l <input_file> -p <potentially_output_file> -c <confirmed_output_file>
```
#### **Parameters**
- `-l`, `--list`: Path to the file containing the list of domains (required).
- `-p`, `--potentially`: Output file for **Potentially Vulnerable** domains (optional, default: `potentially_vulnerable.txt`).
- `-c`, `--confirmed`: Output file for **Confirmed Vulnerable** domains (optional, default: `confirmed_vulnerable.txt`).
### **Example Command**
```bash
python cve_2019_12102_scanner.py -l domains.txt -p potentially_vulnerable.txt -c confirmed_vulnerable.txt
```
---
## **Sample Output**
### **Console**
```
[*] Starting vulnerability scanner for CVE-2019-12102...
[*] Checking: http://example.com
[-] Not Vulnerable: http://example.com/cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx
[*] Checking: http://vulnerable-site.com
[+] Potentially Vulnerable: http://vulnerable-site.com/cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx
[+] Confirmed Vulnerable: http://vulnerable-site.com/CMSMessages/accessdenied.aspx?resstring=dialogs.missinghashtext&hash=13b203251094c6c51e1f7974b22e84538003b9c23754bc7b24a19891e6d476bf
[+] Results saved:
Potentially Vulnerable domains saved to potentially_vulnerable.txt
Confirmed Vulnerable domains saved to confirmed_vulnerable.txt
```
### **Output File (`potentially_vulnerable.txt`)**
```
http://vulnerable-site.com/cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx
```
### **Output File (`confirmed_vulnerable.txt`)**
```
http://vulnerable-site.com/CMSMessages/accessdenied.aspx?resstring=dialogs.missinghashtext&hash=13b203251094c6c51e1f7974b22e84538003b9c23754bc7b24a19891e6d476bf
```
---
## **Important Notes**
1. **Ethical Testing**:
- Use this tool only on domains you have permission to test.
- Unauthorized scanning may violate laws.
2. **Timeout**:
- If a domain responds slowly, you can adjust the timeout value in the `requests.get` function:
```python
response = requests.get(full_url, timeout=20) # Timeout of 20 seconds
```
3. **Error Handling**:
- If a network error occurs or a domain is unreachable, the tool will log an error message but continue checking other domains.
4. **Safe Saving**:
- Results will be saved to output files even if the script is interrupted (e.g., by pressing `Ctrl+C`).
5. **Hash Parameter**:
- The `test_hash` currently uses the example hash (`13b203251094c6c51e1f7974b22e84538003b9c23754bc7b24a19891e6d476bf`). Adjust it if necessary.
---
## **Contributions**
Contributions are welcome! If you'd like to contribute, please:
1. Fork this repository.
2. Create a new branch for your feature/fix:
```bash
git checkout -b feature/your-feature-name
```
3. Commit your changes:
```bash
git commit -m "Add your changes here"
```
4. Push to your branch:
```bash
git push origin feature/your-feature-name
```
5. Create a pull request.
---
## **License**
This project is licensed under the **MIT License**. See the [LICENSE](LICENSE) file for more details.
---
File snapshot
[4.0K] /data/pocs/93641fd278d004e391e99ddb1e918df5c4884d4f
├── [5.3K] cve_2019_12102_scanner.py
└── [5.8K] README.md
0 directories, 2 files