Joomla

Open-source Content Management System (CMS)

Joomla is written in PHP and uses MySQL in the backend.

Tools

Identify Joomla version, scan for vulnerabilities and sensitive files.
python3 main.py -u <URL>

A free and open-source tool to find the components installed in Joomla CMS.
sudo python2.7 -m pip install urllib3 certifi bs4
python2.7 joomlascan.py -u <URL>

A plugin-based scanner that aids security researchers in identifying issues with several CMS.
droopescan scan joomla --url <URL>

The default administrator account on Joomla installs is admin, but the password is set at install time.
python3 joomla-brute.py -u <URL> -w <WORDLIST> -usr admin

Default File Structure

/var/www/html
├── administrator  (backend administration)
│   ├── cache  (cache for the admin panel)
│   ├── components  (backend-specific components)
│   ├── help  (admin help files)
│   ├── includes  (admin inclusion files)
│   ├── language  (language files for the admin panel)
│   ├── logs  (backend logs)
│   ├── modules  (admin-specific modules)
│   ├── templates  (admin panel templates)
│   ├── manifests  (manifest XML files for extensions)
│   │   ├── files
│   │   │   ├── joomla.xml  (main Joomla manifest file)
│   │   │   ├── libraries.xml  (manifest for Joomla libraries)
│   │   │   ├── modules.xml  (manifest for modules)
│   │   │   ├── plugins.xml  (manifest for plugins)
│   │   │   ├── templates.xml  (manifest for templates)
│   ├── index.php  (admin login page)
│   ├── configuration.php (main Joomla configuration file)
│   ├── .htaccess  (optional rewrite rules for backend security)
│   └── .htpasswd  (optional, extra authentication layer)
├── bin  (Joomla CLI scripts)
├── cache  (site cache files)
├── cli  (Joomla command-line scripts)
├── components  (installed frontend components)
│   ├── com_content  (Joomla core content component)
│   ├── com_users  (Joomla user management component)
│   ├── com_banners  (Joomla banner management)
│   └── com_contact  (contact form component)
├── images  (image and media files)
├── includes  (Joomla core inclusion files)
├── installation  (only present before installation)
├── language  (frontend language files)
│   ├── en-GB
│   │   ├── en-GB.ini  (main language file)
│   │   ├── en-GB.com_content.ini  (language file for content component)
│   │   ├── en-GB.mod_menu.ini  (language file for menu module)
│   │   ├── en-GB.plg_system_cache.ini  (language file for cache plugin)
├── layouts  (layout overrides)
├── libraries  (Joomla core libraries)
│   ├── cms  (CMS-related libraries)
│   ├── joomla  (Joomla framework)
│   ├── legacy  (legacy support for older versions)
│   ├── src  (new namespace structure for Joomla 4+)
├── logs  (system log files)
├── media  (static files and media assets)
│   ├── system  (system-related media files)
│   │   ├── css  (core CSS files)
│   │   ├── images  (system images)
│   │   ├── js  (Joomla system JavaScript files)
├── modules  (frontend modules)
│   ├── mod_menu  (menu module)
│   ├── mod_search  (search module)
│   ├── mod_login  (login module)
├── plugins  (installed plugins categorized by type)
│   ├── authentication  (authentication plugins)
│   │   ├── ldap  (LDAP authentication plugin)
│   │   │   ├── ldap.php
│   │   │   ├── ldap.xml  (manifest file for LDAP plugin)
│   ├── content  (content-related plugins)
│   │   ├── pagebreak
│   │   │   ├── pagebreak.php
│   │   │   ├── pagebreak.xml  (manifest file for pagebreak plugin)
│   ├── editors  (text editors like TinyMCE)
│   │   ├── tinymce
│   │   │   ├── tinymce.php
│   │   │   ├── tinymce.xml  (manifest file for TinyMCE plugin)
│   ├── system  (core system plugins)
│   │   ├── cache
│   │   │   ├── cache.php
│   │   │   ├── cache.xml  (manifest file for cache plugin)
│   │   ├── debug
│   │   │   ├── debug.php
│   │   │   ├── debug.xml  (manifest file for debug plugin)
│   │   ├── remember
│   │   │   ├── remember.php
│   │   │   ├── remember.xml  (manifest file for remember-me plugin)
├── templates  (frontend templates)
│   ├── system  (core template files)
│   ├── protostar  (default template for Joomla 3)
│   ├── cassiopeia  (default template for Joomla 4+)
│   ├── templates.xml  (manifest file for templates)
├── tmp  (temporary files)
├── configuration.php  (site configuration file)
├── htaccess.txt  (sample .htaccess file)
├── index.php  (main entry point for the website)
├── robots.txt  (SEO robots file)
└── web.config.txt  (configuration file for IIS servers)

Manual Enumeration

Version

Source code: Meta tag of name generator: <meta name="generator" content="Joomla! - Open Source Content Management" />

README.txt: In the Joomla root directory

LICENSE.txt: In the Joomla root directory

joomla.xml: In /administrator/manifests/files/joomla.xml

cache.xml: In plugins/system/cache/cache.xml
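The version sources listed above can be checked on a site you administer to see which of them are readable without authentication. This is an added example, not code from the original page or from any of the tools it mentions; the `audit` and `manifest_version` names and every sample response are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Paths the section lists as version sources.
MANIFESTS = ("/administrator/manifests/files/joomla.xml",
             "/plugins/system/cache/cache.xml")
TEXT_FILES = ("/README.txt", "/LICENSE.txt")

def manifest_version(body):
    """Return the <version> text of an extension manifest, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # not XML at all
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None

def audit(responses):
    """responses: {path: (http_status, body)} collected from your own site.
    Returns {path: finding} for every path that discloses something."""
    findings = {}
    for path, (status, body) in responses.items():
        if status != 200:
            continue  # blocked or missing: nothing disclosed
        if path in MANIFESTS:
            version = manifest_version(body)
            if version:
                findings[path] = "version " + version
        elif path in TEXT_FILES:
            m = re.search(r"Joomla!?\s+(\d+\.\d+)", body)
            findings[path] = "series " + m.group(1) if m else "file readable"
        elif re.search(r'<meta name="generator" content="Joomla!', body):
            findings[path] = "generator tag identifies Joomla"
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLE = {
    "/": (200, '<head><meta name="generator" '
               'content="Joomla! - Open Source Content Management" /></head>'),
    "/README.txt": (200, "Joomla! 3.9 version history"),
    "/LICENSE.txt": (403, "Forbidden"),
    "/administrator/manifests/files/joomla.xml": (200,
        "<extension><name>files_joomla</name>"
        "<version>3.9.4</version></extension>"),
    # A custom error page served with status 200 is not a manifest.
    "/plugins/system/cache/cache.xml": (200, "<html><body>Not found</body></html>"),
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE).items():
        print(f"{path}: {finding}")
```

Any path that still produces a finding is a candidate for a deny rule in the web server configuration or `.htaccess`.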

Attacks

Built-in

Log in as the admin user. Click Templates at the bottom left under Configuration to pull up the templates menu. Next, click a template name; here we choose protostar under the Template column header. This brings us to the Templates: Customise page. Finally, click a page to pull up its source and add a PHP one-liner to gain code execution. Once this is in, click Save & Close at the top.

curl -s "http://<DOMAIN>/templates/protostar/error.php?cmd=id"
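The request above leaves a recognisable trace: a PHP file inside a template directory fetched directly with query parameters, whereas Joomla normally loads template files through the site's index.php. The following added example (not part of the original page) scans Combined Log Format access-log lines for that pattern as a triage heuristic; the function name and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A PHP file requested directly inside a frontend template directory.
TEMPLATE_PHP = re.compile(r"^/templates/([^/]+)/(?:.+/)?([^/]+\.php)$", re.I)

def suspicious_template_hits(lines):
    """Return (ip, template, file, param_names) for direct template PHP
    requests that carry query parameters and were answered with HTTP 200."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        ip, _time, _method, target, status = m.groups()
        url = urlsplit(target)
        t = TEMPLATE_PHP.match(url.path)
        if not t or status != "200":
            continue
        # Record parameter names only, so values never end up in the report.
        params = sorted(parse_qs(url.query, keep_blank_values=True))
        if params:
            hits.append((ip, t.group(1), t.group(2), params))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] '
    '"GET /templates/protostar/error.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Mar/2025:10:01:05 +0000] '
    '"GET /templates/protostar/css/template.css?v=3 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2025:10:01:09 +0000] '
    '"GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2025:10:02:00 +0000] '
    '"GET /templates/cassiopeia/index.php?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_template_hits(SAMPLE_LOG):
        print(hit)
```

A hit is worth correlating with recent template edits in the administrator panel and with the modification times of the files under templates/.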
