CVE-2023-23752 PoC — Joomla 安全漏洞

Source

https://github.com/Acceis/exploit-CVE-2023-23752

Associated Vulnerability

Title:Joomla 安全漏洞 (CVE-2023-23752)
Description:Joomla是美国Open Source Matters团队的一套使用PHP和MySQL开发的开源、跨平台的内容管理系统(CMS)。 Joomla 4.0.0版本至4.2.7版本存在安全漏洞，该漏洞源于不正确的访问检查，允许对web服务端点进行未经授权的访问。

Description

Joomla! < 4.2.8 - Unauthenticated information disclosure

Readme

# Joomla! information disclosure - CVE-2023-23752 exploit

> Joomla! < 4.2.8 - Unauthenticated information disclosure

Exploit for [CVE-2023-23752][CVE-2023-23752] (4.0.0 <= Joomla <= 4.2.7).

[[EDB-51334](https://www.exploit-db.com/exploits/51334)] [[PacketStorm](https://packetstormsecurity.com/files/171474/Joomla-4.2.7-Unauthenticated-Information-Disclosure.html)] [[WLB-TODO](https://cxsecurity.com/issue/WLB-TODO)]

## Usage

![help message](assets/help.png)

## Example

![example of exploitation](assets/example.png)

## Requirements

- [httpx](https://gitlab.com/honeyryderchuck/httpx)
- [docopt.rb](https://github.com/docopt/docopt.rb)
- [paint](https://github.com/janlelis/paint)

Example using gem:

```bash
gem install httpx docopt paint
# or
bundle install
```

## Deployment of a vulnerable environment

v4.2.7

```bash
docker-compose up --build
```

Then reach the installation page http://127.0.0.1:4242/installation/index.php.

Complete the installation (db credentials are `root` / MYSQL_ROOT_PASSWORD (cf. `docker-compose.yml`) and host is `mysql` not localhost).

**Warning**: of course this setup is not suited for production usage!

## References

This is an exploit for the vulnerability [CVE-2023-23752][CVE-2023-23752] found by Zewei Zhang from [NSFOCUS TIANJI Lab][1].

Nice resources about the vulnerability:

- [Discoverer advisory][2]
- [Joomla Advisory][3]
- [AttackerKB topic][4]
- [Vulnerability analysis][5]
- [Nuclei template][6]

For more details see [exploit.rb](exploit.rb).

## Disclaimer

ACCEIS does not promote or encourage any illegal activity, all content provided by this repository is meant for research, educational, and threat detection purpose only.

[CVE-2023-23752]: https://nvd.nist.gov/vuln/detail/CVE-2023-23752
[1]:https://nsfocusglobal.com/company-overview/nsfocus-security-labs/
[2]:https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/
[3]:https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
[4]:https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752
[5]:https://vulncheck.com/blog/joomla-for-rce
[6]:https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml

File Snapshot


 [4.0K]  /data/pocs/9804579eebcc4cc981740d12f8cd76cb3bb317be
├── [4.0K]  assets
│   ├── [ 32K]  example.png
│   └── [ 44K]  help.png
├── [ 394]  docker-compose.yml
├── [4.4K]  exploit.rb
├── [ 102]  Gemfile
├── [ 274]  Gemfile.lock
├── [1.1K]  LICENSE
└── [2.2K]  README.md

1 directory, 8 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!