Joomla Exploitation
Reference: https://www.exploit-db.com/docs/english/22763-guidelines-for-pentesting-a-joomla-based-site.pdf
Enumeration
Check for unnecessary files like ; Joomla.xml, readme.txt, htaccess.txt – These kind of files store good amount of information within them and can be of great use in identifying whether site is using Joomla or not.
Try to locate the path of Configuration File; /configuration.php – This can obviously give you information about CMS used as well as other information about the installations etc.
Try to locate the path of Administrator’s login : /administrator/index.php – If this gives you an OK response, go ahead and have a look on the page. The default page for administrator’s login will most probably use some logo or text which might give you an idea of CMS.
Check meta in page source=> <meta name="generator" content="Joomla 1.5 CMS!">
Joomscan - Owasp's script.
joomscan -u <host>
Wappalyzer addon
Default creds=>
username:passwd
Vulnerability Scanning
Joomscan => Will give an output of vulnerable themes/plugins, WAFs, common usernames, config files etc.
apt install joomscan joomscan -u <host>
Bruteforcing => nmap can do this by
nmap -p80 --script http-joomla-brute –scriptargs 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.threads=3, brute.firstonly=true' IP_ADDRESS
Exploit-db => Or
searchsploit "joomla x.x.x"
Joomblah.py (Only for Joomla 3.7.0) => A script to exploit SQLi vulnerability (CVE 2017-8917) and dump credentials right away. MUCH MUCH FASTER than SQLMAP.
Exploitation
Method 1 => Tampering template page to gain reverse shell. Assuming we have successfully retrieved the admin credentials for a joomla CMS
You'll find a template section whose PHP/HTML code might be editable. Simply add your own php-reverse-shell code here (available by default in Kali, developed by PentestMonkey: /usr/share/webshells/php)
Now set a netcat reverse listener and boom! Done!
2) Method 2=> Coming soon...
Last updated