Joomla

Attacking Joomla CMS

Enumeration

We can using joomscan to enumerate Joomla CMS.

joomscan  --url http://target.com -ec -r

Example output:

   ____  _____  _____  __  __  ___   ___    __    _  _ 
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  ( 
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)
   
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://target.com ...


[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.10.0

[+] Core Joomla Vulnerability
[++] PHPMailer Remote Code Execution Vulnerability
CVE : CVE-2016-10033
https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
https://github.com/opsxcq/exploit-CVE-2016-10033
EDB : https://www.exploit-db.com/exploits/40969/

PPHPMailer Incomplete Fix Remote Code Execution Vulnerability
CVE : CVE-2016-10045
https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
EDB : https://www.exploit-db.com/exploits/40969/


[+] Checking Directory Listing
[++] directory has directory listing : 
http://target.com/administrator/components
http://target.com/administrator/modules
http://target.com/administrator/templates
http://target.com/images/banners
......

Brute Force/Dictionary Attack

sudo python3 joomla-brute.py -u http://target.com -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

Exploit Search

searchsploit "Joomla" -www

Backdooring Joomla

http://target.com/administrator/index.php?option=com_templates&view=templates

Edit one of the template file. Example: error.php at beez3.

And then, go to target.com/templates/beez3/error.php to access your backdoor.

Update soon....

PreviousTomcat NextSSTI

Last updated 1 year ago

Was this helpful?

____ _____ _____ __ __ ___ ___ __ _ _ (_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( ) .-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) ( \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_) (1337.today) --=[OWASP JoomScan +---++---==[Version : 0.0.7 +---++---==[Update Date : [2018/09/23] +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo --=[Code name : Self Challenge @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP Processing http://target.com ... [+] FireWall Detector [++] Firewall not detected [+] Detecting Joomla Version [++] Joomla 3.10.0 [+] Core Joomla Vulnerability [++] PHPMailer Remote Code Execution Vulnerability CVE : CVE-2016-10033 https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection https://github.com/opsxcq/exploit-CVE-2016-10033 EDB : https://www.exploit-db.com/exploits/40969/ PPHPMailer Incomplete Fix Remote Code Execution Vulnerability CVE : CVE-2016-10045 https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection EDB : https://www.exploit-db.com/exploits/40969/ [+] Checking Directory Listing [++] directory has directory listing : http://target.com/administrator/components http://target.com/administrator/modules http://target.com/administrator/templates http://target.com/images/banners ......