Joomla, released in August 2005, is another free and open-source CMS used for discussion forums, photo galleries, e-commerce, user-based communities, and more. It is written in PHP and uses MySQL as its backend database.

Discovery/Footprinting

curl -s http://dev.inlanefreight.local/ | grep Joomla
curl -s http://dev.inlanefreight.local/README.txt | head -n 5
curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -

The cache.xml file, located at plugins/system/cache/cache.xml, can also give us the approximate version.

Enumeration

Let’s try out droopescan, a plugin-based scanner that works for SilverStripe, WordPress, and Drupal with limited functionality for Joomla and Moodle.

sudo pip3 install droopescan
droopescan -h
droopescan scan joomla --url http://dev.inlanefreight.local/

As we can see, it did not turn up much information aside from the possible version number. We can also try JoomlaScan, a Python tool inspired by the now-defunct OWASP joomscan tool. JoomlaScan is a bit out of date and requires Python 2.7 to run, so we first need to make sure some dependencies are installed. Python 2.7 can be installed with the commands below; note that it is already installed on the workstation, so we can skip straight to the last command, pyenv shell 2.7, to switch to Python 2.7:

Alternative Installation of Python2.7

  Joomla - Discovery & Enumeration

DarthTellectus@htb[/htb]$ curl https://pyenv.run | bash
DarthTellectus@htb[/htb]$ echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
DarthTellectus@htb[/htb]$ echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
DarthTellectus@htb[/htb]$ echo 'eval "$(pyenv init -)"' >> ~/.bashrc
DarthTellectus@htb[/htb]$ source ~/.bashrc
DarthTellectus@htb[/htb]$ pyenv install 2.7
DarthTellectus@htb[/htb]$ pyenv shell 2.7
python2.7 -m pip install urllib3
python2.7 -m pip install certifi
python2.7 -m pip install bs4
python2.7 joomlascan.py -u http://dev.inlanefreight.local

. We can use this script to attempt to brute force the login.

sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
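From the defender's side, the fingerprinting requests above (README.txt, the joomla.xml manifest, cache.xml) and the repeated POSTs of a login brute-force attempt are both easy to spot in the web server's access log. The following is an added example, not part of the original notes or of any tool named here: it parses Apache combined-format log lines, records which version-disclosing Joomla files each client fetched, and flags clients that POST to the administrator login more than a constructed threshold of five times. The log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Version-disclosing files requested during Joomla fingerprinting.
FINGERPRINT_PATHS = {
    "/README.txt",
    "/administrator/manifests/files/joomla.xml",
    "/plugins/system/cache/cache.xml",
}
LOGIN_PATH = "/administrator/index.php"
BRUTE_FORCE_THRESHOLD = 5  # constructed threshold: POSTs to the admin login per client

# Apache combined log format: client IP, identity, user, [time], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse(lines):
    """Return (fingerprint hits per IP, brute-force suspects per IP) for access-log lines."""
    fingerprint = defaultdict(set)  # ip -> version-leaking paths it fetched
    login_posts = Counter()         # ip -> number of POSTs to the admin login
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        if path in FINGERPRINT_PATHS:
            fingerprint[ip].add(path)
        elif method == "POST" and path == LOGIN_PATH:
            login_posts[ip] += 1
    suspects = {ip: n for ip, n in login_posts.items() if n >= BRUTE_FORCE_THRESHOLD}
    return {ip: sorted(paths) for ip, paths in fingerprint.items()}, suspects


# Constructed sample log: one scanning client and one ordinary administrator.
SAMPLE_LOG = [
    '10.10.14.5 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 9731 "-" "curl/7.88.1"',
    '10.10.14.5 - - [12/Mar/2024:10:01:03 +0000] "GET /README.txt HTTP/1.1" 200 4567 "-" "curl/7.88.1"',
    '10.10.14.5 - - [12/Mar/2024:10:01:04 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 2088 "-" "curl/7.88.1"',
    '10.10.14.5 - - [12/Mar/2024:10:01:05 +0000] "GET /plugins/system/cache/cache.xml HTTP/1.1" 200 1430 "-" "curl/7.88.1"',
    '192.168.1.20 - - [12/Mar/2024:10:02:10 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
] + [
    f'10.10.14.5 - - [12/Mar/2024:10:03:{i:02d} +0000] "POST /administrator/index.php?option=com_login HTTP/1.1" 200 6120 "-" "python-requests/2.31"'
    for i in range(6)
]

if __name__ == "__main__":
    hits, suspects = analyse(SAMPLE_LOG)
    print("version-file fetches:", hits)
    print("login brute-force suspects:", suspects)
```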