Joomla

Discovery

Go to /robots.txt and see

# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/

Enumeration

Getting Version Number

$ curl -s http://dev.inlanefreight.local/README.txt | head -n 5

$ curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -

Username Enumeration

/administrator/index.php shows a generic message so you can't use the same method in wordpress. However, admin is the default administrator account

Automated

Using Droopescan

$ sudo pip3 install droopescan
$ droopescan scan joomla --url http://dev.inlanefreight.local/

Using Joomlascan

$ git clone https://github.com/drego85/JoomlaScan
$ sudo python2.7 -m pip install urllib3
$ sudo python2.7 -m pip install certifi
$ sudo python2.7 -m pip install bs4
$ python2.7 joomlascan.py -u http://dev.inlanefreight.local

Exploitation

Password Bruteforce

$ git clone https://github.com/ajnik/joomla-bruteforce
$ sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

Code Execution

Configuration -> Templates

PreviousWordpress NextDrupal

Last updated 2 years ago

hashtagDiscovery

hashtagEnumeration

hashtagGetting Version Number

hashtagUsername Enumeration

hashtagAutomated

hashtagUsing Droopescan

hashtagUsing Joomlascan

hashtagExploitation

hashtagPassword Bruteforce

hashtagCode Execution