Joomla is written in PHP and uses MySQL in the backend.
Tools
Tool
Details
Identify Joomla version, scan for vulnerabilities and sensitive files.
python3 main.py -u <URL>
A free and open source software to find the components installed in Joomla CMS.
sudo python2.7 -m pip install urllib3 certifi bs4
python2.7 joomlascan.py -u <URL>
A plugin-based scanner that aids security researchers in identifying issues with several CMS.
droopescan scan joomla --url <URL>
The default administrator account on Joomla installs is admin, but the password is set at install time.
python3 joomla-brute.py -u <URL> -w <WORDLIST> -usr admin
Default File Structure
/var/www/html
├── administrator (backend administration)
│ ├── cache (cache for the admin panel)
│ ├── components (backend-specific components)
│ ├── help (admin help files)
│ ├── includes (admin inclusion files)
│ ├── language (language files for the admin panel)
│ ├── logs (backend logs)
│ ├── modules (admin-specific modules)
│ ├── templates (admin panel templates)
│ ├── manifests (manifest XML files for extensions)
│ │ ├── files
│ │ │ ├── joomla.xml (main Joomla manifest file)
│ │ │ ├── libraries.xml (manifest for Joomla libraries)
│ │ │ ├── modules.xml (manifest for modules)
│ │ │ ├── plugins.xml (manifest for plugins)
│ │ │ ├── templates.xml (manifest for templates)
│ ├── index.php (admin login page)
│ ├── configuration.php (main Joomla configuration file)
│ ├── .htaccess (optional rewrite rules for backend security)
│ └── .htpasswd (optional, extra authentication layer)
├── bin (Joomla CLI scripts)
├── cache (site cache files)
├── cli (Joomla command-line scripts)
├── components (installed frontend components)
│ ├── com_content (Joomla core content component)
│ ├── com_users (Joomla user management component)
│ ├── com_banners (Joomla banner management)
│ └── com_contact (contact form component)
├── images (image and media files)
├── includes (Joomla core inclusion files)
├── installation (only present before installation)
├── language (frontend language files)
│ ├── en-GB
│ │ ├── en-GB.ini (main language file)
│ │ ├── en-GB.com_content.ini (language file for content component)
│ │ ├── en-GB.mod_menu.ini (language file for menu module)
│ │ ├── en-GB.plg_system_cache.ini (language file for cache plugin)
├── layouts (layout overrides)
├── libraries (Joomla core libraries)
│ ├── cms (CMS-related libraries)
│ ├── joomla (Joomla framework)
│ ├── legacy (legacy support for older versions)
│ ├── src (new namespace structure for Joomla 4+)
├── logs (system log files)
├── media (static files and media assets)
│ ├── system (system-related media files)
│ │ ├── css (core CSS files)
│ │ ├── images (system images)
│ │ ├── js (Joomla system JavaScript files)
├── modules (frontend modules)
│ ├── mod_menu (menu module)
│ ├── mod_search (search module)
│ ├── mod_login (login module)
├── plugins (installed plugins categorized by type)
│ ├── authentication (authentication plugins)
│ │ ├── ldap (LDAP authentication plugin)
│ │ │ ├── ldap.php
│ │ │ ├── ldap.xml (manifest file for LDAP plugin)
│ ├── content (content-related plugins)
│ │ ├── pagebreak
│ │ │ ├── pagebreak.php
│ │ │ ├── pagebreak.xml (manifest file for pagebreak plugin)
│ ├── editors (text editors like TinyMCE)
│ │ ├── tinymce
│ │ │ ├── tinymce.php
│ │ │ ├── tinymce.xml (manifest file for TinyMCE plugin)
│ ├── system (core system plugins)
│ │ ├── cache
│ │ │ ├── cache.php
│ │ │ ├── cache.xml (manifest file for cache plugin)
│ │ ├── debug
│ │ │ ├── debug.php
│ │ │ ├── debug.xml (manifest file for debug plugin)
│ │ ├── remember
│ │ │ ├── remember.php
│ │ │ ├── remember.xml (manifest file for remember-me plugin)
├── templates (frontend templates)
│ ├── system (core template files)
│ ├── protostar (default template for Joomla 3)
│ ├── cassiopeia (default template for Joomla 4+)
│ ├── templates.xml (manifest file for templates)
├── tmp (temporary files)
├── configuration.php (site configuration file)
├── htaccess.txt (sample .htaccess file)
├── index.php (main entry point for the website)
├── robots.txt (SEO robots file)
└── web.config.txt (configuration file for IIS servers)
Manual Enumeration
Version
Source code
Meta tag of name generator:
<meta name="generator" content="Joomla! - Open Source Content Management" />
README.txt
In the Joomla root directory
LICENSE.txt
In the Joomla root directory
joomla.xml
In /administrator/manifests/files/joomla.xml
cache.xml
In /plugins/system/cache/cache.xml
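As an added example (not part of the original notes or of any tool listed above), the two most telling sources can be combined offline in Python: the generator meta tag shown above names the product only, while the <version> element of joomla.xml gives the release. The sample HTML, the manifest, the version 3.9.27 and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample inputs (not captured from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Joomla! - Open Source Content Management" />
</head><body></body></html>"""
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
  <name>files_joomla</name>
  <version>3.9.27</version>
</extension>"""


class _GeneratorMeta(HTMLParser):
    """Records the content attribute of <meta name="generator">."""
    generator = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")


def generator_tag(html):
    parser = _GeneratorMeta()
    parser.feed(html)
    return parser.generator


def manifest_version(xml_text):
    """Return (name, version) from an extension manifest, or None."""
    # The file is fetched from a host we do not control: refuse entity
    # declarations instead of letting the parser expand them.
    if "<!ENTITY" in xml_text:
        raise ValueError("entity declaration in manifest")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "extension":
        return None
    return root.findtext("name"), root.findtext("version")


def fingerprint(html, manifest_xml):
    gen = generator_tag(html) or ""
    found = manifest_version(manifest_xml)
    # The generator tag names the product only; the release comes from joomla.xml.
    return {"joomla": gen.startswith("Joomla!"),
            "version": found[1] if found else None}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML, SAMPLE_MANIFEST))
```

If the manifest is readable without authentication, the exact release is disclosed to anyone; restricting access to /administrator/manifests/ removes that source.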
Attacks
Built-in
Log in with the Admin user.
Click Templates at the bottom left, under Configuration, to open the templates menu. Next, click a template name; let's choose protostar under the Template column header. This opens the Templates: Customise page. Finally, click a page to open its source and add a PHP one-liner to gain code execution. Once this is in, click Save & Close at the top.