CVE-2025-24011 PoC — Umbraco Information Disclosure Vulnerability

Source
Associated Vulnerability
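Title: Umbraco Information Disclosure Vulnerability (CVE-2025-24011)
Description: Umbraco is an open-source content management system (CMS) written in C# by the Danish company Umbraco. Umbraco 14.0.0 and earlier versions have an information disclosure vulnerability: whether an account exists can be determined by analyzing the response codes and response times of the Umbraco management API.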
Description
Umbraco User Enum - CVE-2025-24011 PoC
Readme
Proof of concept for CVE-2025-24011 based on https://github.com/advisories/GHSA-hmg4-wwm5-p999

This tool has been tested on Umbraco versions 15.1.1 and 13.7.2 on Ubuntu 24.04.2 LTS.

Usernames in Umbraco are (as I understand it) e-mails.

This tool accepts a list of "usernames" (-f) and a URL (-u), e.g. https://192.168.122.215:8443

*example usage*

`python3 poc.py -f emails.txt -u https://192.168.122.215:8443`

# LAB SETUP

*install .NET SDK 9.0 manually*
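```
# The URL below is the SDK download landing page; save the tarball it links to
# into the current directory before extracting.
wget https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/sdk-9.0.100-linux-x64-binaries
sudo mkdir -p /usr/local/dotnet
# Tarball name must match the SDK version downloaded above (9.0.100)
sudo tar -xvf dotnet-sdk-9.0.100-linux-x64.tar.gz -C /usr/local/dotnet/

# Make the manually installed SDK visible to this shell
export PATH="/usr/local/dotnet:$PATH"
export DOTNET_ROOT="/usr/local/dotnet"

# Create a project from the Umbraco 15.1.1 templates
dotnet new install Umbraco.Templates::15.1.1
dotnet new umbraco -n MyCustomUmbracoProject

# Build and serve the lab instance over HTTPS on port 8443
cd MyCustomUmbracoProject
dotnet build
dotnet run --urls "https://0.0.0.0:8443"
```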

*enable locked out user in sqlite database*
`update umbracoUser set userNoConsole = 0 where id == -1;`

# NOTES
- This tool performs incorrect login attempts and can potentially lock out a user if too many incorrect attempts are made for an existing user (default is 5 wrong password attempts per user)
- This technique will not work if the user is locked out
- The tool is observed to report false positives but the "factor" can be adjusted if too many false positives are reported.
- All credits to the CVE-holder (I believe https://github.com/AndyButland)
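
A detection sketch for the login pattern the notes above describe, added here as an example (it is not part of the PoC or of Umbraco): one source failing logins against many distinct accounts while keeping each account under the lockout threshold. The event format, the function names, the 10-minute window and the `min_users` value are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): ISO time, source IP, username, outcome.
SAMPLE_EVENTS = [
    f"2025-03-01T10:00:{i:02d} 203.0.113.7 user{i}@example.test FAIL"
    for i in range(6)
] + [
    "2025-03-01T10:01:00 198.51.100.20 editor@example.test FAIL",
    "2025-03-01T10:01:20 198.51.100.20 editor@example.test FAIL",
    "2025-03-01T10:01:45 198.51.100.20 editor@example.test OK",
    "2025-03-01T10:02:00 192.0.2.9 admin@example.test FAIL",
    "2025-03-01T10:30:00 192.0.2.9 author@example.test FAIL",
]

LOCKOUT_THRESHOLD = 5  # default wrong-password limit per user, per the notes above

def parse_event(line):
    """Split one event line (assumed format) into typed fields."""
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user.lower(), outcome

def find_enumeration(lines, window=timedelta(minutes=10), min_users=5):
    """Return {source: usernames} for sources whose failed logins touch at least
    min_users distinct accounts inside one sliding window while every account
    stays below the lockout threshold (many accounts, few tries each)."""
    failures = defaultdict(list)
    for line in lines:
        ts, src, user, outcome = parse_event(line)
        if outcome == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures that fell out of the window
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            low_and_wide = max(per_user.values()) < LOCKOUT_THRESHOLD
            if len(per_user) >= min_users and low_and_wide and len(per_user) > len(flagged.get(src, [])):
                flagged[src] = sorted(per_user)  # keep the widest qualifying window
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_EVENTS))
```

The same source list can feed rate limiting or alerting; a user who mistypes a password a few times on one account is not flagged.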
File Snapshot

```
[4.0K] /data/pocs/e0b91a2525eee12d2cab60bc5e1103def126061d
├── [4.2K] poc.py
└── [1.4K] README.md

0 directories, 2 files
```