Joomla Exploitation

Reference: https://www.exploit-db.com/docs/english/22763-guidelines-for-pentesting-a-joomla-based-site.pdf

Enumeration

1. Check for unnecessary files like ; Joomla.xml, readme.txt, htaccess.txt – These kind of files store good amount of information within them and can be of great use in identifying whether site is using Joomla or not.

2. Try to locate the path of Configuration File; /configuration.php – This can obviously give you information about CMS used as well as other information about the installations etc.

3. Try to locate the path of Administrator’s login : /administrator/index.php – If this gives you an OK response, go ahead and have a look on the page. The default page for administrator’s login will most probably use some logo or text which might give you an idea of CMS.

4. Check meta in page source=> <meta name="generator" content="Joomla 1.5 CMS!">

5. Joomscan - Owasp's script. joomscan -u <host>

6. Wappalyzer addon

7. Default creds=> username:passwd

Vulnerability Scanning

1. Joomscan => Will give an output of vulnerable themes/plugins, WAFs, common usernames, config files etc. apt install joomscan joomscan -u <host>

2. Bruteforcing => nmap can do this by nmap -p80 --script http-joomla-brute –scriptargs 'userdb=users.txt,passdb=passwds.txt,http-joomla-brute.threads=3, brute.firstonly=true' IP_ADDRESS

3. Exploit-db => Or searchsploit "joomla x.x.x"

4. Joomblah.py (Only for Joomla 3.7.0) => A script to exploit SQLi vulnerability (CVE 2017-8917) and dump credentials right away. MUCH MUCH FASTER than SQLMAP.

Exploitation

1. Method 1 => Tampering template page to gain reverse shell. Assuming we have successfully retrieved the admin credentials for a joomla CMS

You'll find a template section whose PHP/HTML code might be editable. Simply add your own php-reverse-shell code here (available by default in Kali, developed by PentestMonkey: /usr/share/webshells/php)

Now set a netcat reverse listener and boom! Done!

2) Method 2=> Coming soon...