# Joomla

Joomla is written in PHP and uses MySQL in the backend.

## Tools

<table><thead><tr><th width="149">Tool</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/oppsec/juumla">Juumla</a></td><td>Identify Joomla version, scan for vulnerabilities and sensitive files.<br><code>python3 main.py -u &#x3C;URL></code></td></tr><tr><td><a href="https://github.com/drego85/JoomlaScan">JoomlaScan</a></td><td>A free and open source software to find the components installed in Joomla CMS.<br><code>sudo python2.7 -m pip install &#x3C;urllib3,certifi,bs4></code> <br><code>python2.7 joomlascan.py -u &#x3C;URL></code></td></tr><tr><td><a href="https://github.com/droope/droopescan">droopescan</a></td><td>A plugin-based scanner that aids security researchers in identifying issues with several CMS.<br><code>droopescan scan joomla --url &#x3C;URL></code></td></tr><tr><td><a href="https://github.com/ajnik/joomla-bruteforce">joomla-bruteforce</a></td><td>The default administrator account on Joomla installs is <code>admin</code>, but the password is set at install time.<br><code>python3 joomla-brute.py -u &#x3C;URL> -w &#x3C;WORDLIST> -usr admin</code></td></tr></tbody></table>

## Default File Structure

```
/var/www/html
├── administrator  (backend administration)
│   ├── cache  (cache for the admin panel)
│   ├── components  (backend-specific components)
│   ├── help  (admin help files)
│   ├── includes  (admin inclusion files)
│   ├── language  (language files for the admin panel)
│   ├── logs  (backend logs)
│   ├── modules  (admin-specific modules)
│   ├── templates  (admin panel templates)
│   ├── manifests  (manifest XML files for extensions)
│   │   ├── files
│   │   │   ├── joomla.xml  (main Joomla manifest file)
│   │   │   ├── libraries.xml  (manifest for Joomla libraries)
│   │   │   ├── modules.xml  (manifest for modules)
│   │   │   ├── plugins.xml  (manifest for plugins)
│   │   │   ├── templates.xml  (manifest for templates)
│   ├── index.php  (admin login page)
│   ├── configuration.php (main Joomla configuration file)
│   ├── .htaccess  (optional rewrite rules for backend security)
│   └── .htpasswd  (optional, extra authentication layer)
├── bin  (Joomla CLI scripts)
├── cache  (site cache files)
├── cli  (Joomla command-line scripts)
├── components  (installed frontend components)
│   ├── com_content  (Joomla core content component)
│   ├── com_users  (Joomla user management component)
│   ├── com_banners  (Joomla banner management)
│   └── com_contact  (contact form component)
├── images  (image and media files)
├── includes  (Joomla core inclusion files)
├── installation  (only present before installation)
├── language  (frontend language files)
│   ├── en-GB
│   │   ├── en-GB.ini  (main language file)
│   │   ├── en-GB.com_content.ini  (language file for content component)
│   │   ├── en-GB.mod_menu.ini  (language file for menu module)
│   │   ├── en-GB.plg_system_cache.ini  (language file for cache plugin)
├── layouts  (layout overrides)
├── libraries  (Joomla core libraries)
│   ├── cms  (CMS-related libraries)
│   ├── joomla  (Joomla framework)
│   ├── legacy  (legacy support for older versions)
│   ├── src  (new namespace structure for Joomla 4+)
├── logs  (system log files)
├── media  (static files and media assets)
│   ├── system  (system-related media files)
│   │   ├── css  (core CSS files)
│   │   ├── images  (system images)
│   │   ├── js  (Joomla system JavaScript files)
├── modules  (frontend modules)
│   ├── mod_menu  (menu module)
│   ├── mod_search  (search module)
│   ├── mod_login  (login module)
├── plugins  (installed plugins categorized by type)
│   ├── authentication  (authentication plugins)
│   │   ├── ldap  (LDAP authentication plugin)
│   │   │   ├── ldap.php
│   │   │   ├── ldap.xml  (manifest file for LDAP plugin)
│   ├── content  (content-related plugins)
│   │   ├── pagebreak
│   │   │   ├── pagebreak.php
│   │   │   ├── pagebreak.xml  (manifest file for pagebreak plugin)
│   ├── editors  (text editors like TinyMCE)
│   │   ├── tinymce
│   │   │   ├── tinymce.php
│   │   │   ├── tinymce.xml  (manifest file for TinyMCE plugin)
│   ├── system  (core system plugins)
│   │   ├── cache
│   │   │   ├── cache.php
│   │   │   ├── cache.xml  (manifest file for cache plugin)
│   │   ├── debug
│   │   │   ├── debug.php
│   │   │   ├── debug.xml  (manifest file for debug plugin)
│   │   ├── remember
│   │   │   ├── remember.php
│   │   │   ├── remember.xml  (manifest file for remember-me plugin)
├── templates  (frontend templates)
│   ├── system  (core template files)
│   ├── protostar  (default template for Joomla 3)
│   ├── cassiopeia  (default template for Joomla 4+)
│   ├── templates.xml  (manifest file for templates)
├── tmp  (temporary files)
├── configuration.php  (site configuration file)
├── htaccess.txt  (sample .htaccess file)
├── index.php  (main entry point for the website)
├── robots.txt  (SEO robots file)
└── web.config.txt  (configuration file for IIS servers)
```

## Manual Enumeration

### Version

<table data-header-hidden><thead><tr><th width="178"></th><th></th></tr></thead><tbody><tr><td>Source code</td><td>Meta tag of name generator:<br><code>&#x3C;meta name="generator" content="Joomla! - Open Source Content Management" /></code></td></tr><tr><td><code>README.txt</code></td><td>In the Joomla root directory</td></tr><tr><td><code>LICENSE.txt</code></td><td>In the Joomla root directory</td></tr><tr><td><code>joomla.xml</code></td><td>in <code>/administrator/manifests/files/joomla.xml</code></td></tr><tr><td><code>cache.xml</code></td><td>in <code>plugins/system/cache/cache.xml</code></td></tr></tbody></table>
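The files in this table can be checked from the server side to see what a default install discloses. The following is an added example, not part of the original notes: it audits a local docroot for the listed files and reads `<version>` from the manifests. The sample docroot, its version numbers and the README heuristic are constructed assumptions.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths taken from the table above, relative to the Joomla root.
MANIFESTS = ("administrator/manifests/files/joomla.xml",
             "plugins/system/cache/cache.xml")
TEXT_FILES = ("README.txt", "LICENSE.txt")


def manifest_version(path):
    """Return the <version> text of a manifest, or None if it cannot be read."""
    try:
        node = ET.parse(path).getroot().find("version")
    except (ET.ParseError, OSError):
        return None
    return node.text.strip() if node is not None and node.text else None


def audit_docroot(docroot):
    """Map each version-disclosing file found under docroot to what it reveals."""
    root, findings = Path(docroot), {}
    for rel in MANIFESTS:
        if (root / rel).is_file():
            findings[rel] = manifest_version(root / rel) or "present (no version read)"
    for rel in TEXT_FILES:
        if (root / rel).is_file():
            # Heuristic (assumption): report the first "Joomla! x.y" mention, if any.
            text = (root / rel).read_text(errors="replace")
            m = re.search(r"Joomla!?\s+(\d+(?:\.\d+)+)", text)
            findings[rel] = m.group(1) if m else "present (no version found)"
    return findings


def sample_docroot():
    """Build a constructed, minimal docroot in a temp directory for the demo."""
    root = Path(tempfile.mkdtemp())
    manifest = root / MANIFESTS[0]
    manifest.parent.mkdir(parents=True)
    manifest.write_text("<extension type='file'><name>files_joomla</name>"
                        "<version>3.9.27</version></extension>")
    (root / "README.txt").write_text("Joomla! 3.9 version history\n")
    (root / "LICENSE.txt").write_text("GNU GENERAL PUBLIC LICENSE\n")
    return root


if __name__ == "__main__":
    for path, info in audit_docroot(sample_docroot()).items():
        print(f"{path}: {info}")
```

Files it reports are candidates for a web-server deny rule, and the version it reads can be compared against the current Joomla release.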

## Attacks

### Built-in

Log in as the Admin user.\
Click `Templates` at the bottom left under `Configuration` to open the templates menu, then click a template name; here we choose `protostar` under the `Template` column header. This opens the `Templates: Customise` page. Finally, click a page to open its source and add a PHP one-liner to gain code execution. Once it is in place, click `Save & Close` at the top.

{% code overflow="wrap" %}

```bash
curl -s "http://<DOMAIN>/templates/protostar/error.php?cmd=id"
```

{% endcode %}
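On the detection side, the request above stands out in the access log: Joomla serves pages through `index.php`, so a template `.php` file requested directly with parameters deserves review. The following is an added example, not part of the original notes: it flags such requests in combined-format log lines. The sample log is constructed and the function name is hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD uri PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# A .php file requested directly from a frontend or admin template directory.
TEMPLATE_PHP = re.compile(r"^/(?:administrator/)?templates/[^/]+/(?:.+/)?[^/]+\.php$", re.I)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:03 +0000] "GET /templates/protostar/css/template.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:05:44 +0000] "GET /templates/protostar/error.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.4.0"
203.0.113.9 - - [12/Mar/2024:10:06:10 +0000] "GET /templates/protostar/index.php HTTP/1.1" 200 0 "-" "curl/8.4.0"
"""


def suspicious_template_hits(log_text):
    """Return direct template-PHP requests that carry parameters or use POST."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, when, method, uri, status = m.groups()
        parts = urlsplit(uri)
        if not TEMPLATE_PHP.match(parts.path):
            continue
        params = sorted(parse_qs(parts.query, keep_blank_values=True))
        if params or method == "POST":
            hits.append({"ip": ip, "time": when, "method": method,
                         "path": parts.path, "params": params, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_template_hits(SAMPLE_LOG):
        print(hit)
```

Pairing a hit with the modification time of the named template file shows whether the template was edited shortly before the request.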


