Metasploit Weekly Wrap-Up

## Scanner That Pulls Sensitive Information From Joomla Installations

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2023/04/metasploit-fence-1.png)

This week’s Metasploit release includes a module for `CVE-2023-23752` by [h00die](). Did you know about the improper API access vulnerability in Joomla installations, specifically Joomla versions between 4.0.0 and 4.2.7, inclusive? This vulnerability allows unauthenticated users access to web service endpoints which contain sensitive information such as user and config information. This module can be used to exploit the users and config/application endpoints.

## No More Local Exploit Suggester Crashing Against Older Windows Targets

This week’s Metasploit release includes a bug fix by our own [adfoster-r7]() addressing an issue where the local exploit suggester crashed against older Windows targets. The issue was tracked down to the `bits_ntlm_token_impersonation` module, which crashed while checking the BITS/WinRM version via PowerShell. A patch has been added to prevent it from crashing against older and newer Windows targets.

## New module content (1)

### Joomla API Improper Access Checks

Authors: Tianji Lab and h00die
Type: Auxiliary
Pull request: [#17895]() contributed by [h00die]()
AttackerKB reference: [CVE-2023-23752]()

Description: This adds a scanner that pulls user and config information from Joomla installations that permit access to endpoints containing sensitive information. This affects versions `4.0.0` through `4.2.7` inclusive.
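For defenders running Joomla `4.0.0` through `4.2.7`, one way to review web server access logs for successful reads of the two endpoints named above. This is an added example, not code from the Metasploit module or from Rapid7; the `/api/index.php/v1/` route prefix, the combined log format and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: Joomla 4 web services are routed under /api/index.php/v1/.
# The two resources are the ones this post names: users and config/application.
SENSITIVE = re.compile(r"^/api/index\.php/v1/(users|config/application)/?(?:\?|$)")

# Apache/nginx "combined" access-log line (assumed log format).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_exposed_reads(lines):
    """Map each client IP to the sensitive endpoints it read with HTTP 200."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        # Only successful GETs matter: 401/403 means the access check held.
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        endpoint = SENSITIVE.match(m["target"])
        if endpoint:
            hits[m["ip"]].add(endpoint.group(1))
    return {ip: sorted(eps) for ip, eps in hits.items()}

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2023:10:01:02 +0000] "GET /api/index.php/v1/users HTTP/1.1" 200 1843 "-" "curl/7.88"',
    '203.0.113.7 - - [14/Apr/2023:10:01:03 +0000] "GET /api/index.php/v1/config/application?page[limit]=20 HTTP/1.1" 200 5120 "-" "curl/7.88"',
    '198.51.100.23 - - [14/Apr/2023:10:05:11 +0000] "GET /api/index.php/v1/users HTTP/1.1" 401 97 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Apr/2023:10:05:12 +0000] "GET /index.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [14/Apr/2023:11:30:00 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 200 5120 "-" "python-requests/2.28"',
    '192.0.2.55 - - [14/Apr/2023:11:30:01 +0000] "POST /api/index.php/v1/users HTTP/1.1" 200 312 "-" "python-requests/2.28"',
]

if __name__ == "__main__":
    for ip, endpoints in find_exposed_reads(SAMPLE_LOG).items():
        print(f"{ip}: read {', '.join(endpoints)}")
```

An access log cannot tell a token-authenticated API client from an unauthenticated one, so each hit is a lead to compare against known API consumers rather than proof of exposure.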

## Enhancements and features (3)

* [#17857]() from [steve-embling]() – This adds T3S support for the `weblogic_deserialize_rawobject`, `weblogic_deserialize_marshalledobject`, and `weblogic_deserialize_badattr_extcomp` exploit modules.
* [#17921]() from [bcoles]() – This adds documentation for the module `post/windows/gather/resolve_sid`.
* [#17941]() from [j-baines]() – Updates the `exploits/linux/misc/zyxel_multiple_devices_zhttp_lan_rce` module with CVE identifier CVE-2023-28769.

## Bugs fixed (4)

* [#17912]() from [bwatters-r7]() – Fixes a MinGW issue in the Meterpreter stdapi extension. The stdapi extension was using `free()` instead of `FreeMibTable()` to free memory allocated by `GetIpForwardTable2()` which led to a crash when compiled with MinGW.
* [#17913]() from [adfoster-r7]() – Fixes a crash when running the local exploit suggester against older Windows targets.
* [#17914]() from [zeroSteiner]() – This fixes an issue where paths with trailing backslashes would wait for more input when passed to `directory?()` due to the `"` being escaped in the command testing for the existence of the path.
* [#17926]() from [bwatters-r7]() – This fixes an issue with a railgun function definition that caused the `post/windows/gather/resolve_sid` module to fail on 64-bit systems. When the module failed, the session was lost.

## Documentation added (2)

* [#17839]() from [cdelafuente-r7]() – This improves Metasploit’s documentation on the `cleanup` method for modules.
* [#17937]() from [adfoster-r7]() – This fixes a formatting error due to a typo in the wiki page for setting up a Metasploit development environment.

You can always find more documentation on our docsite at [docs.metasploit.com]().

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.3.13…6.3.14]()
* [Full diff 6.3.13…6.3.14]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).