Joomla CMS Pentesting
Joomla is a content managemen system (CMS).
- [cmsjunkie](https://www.cmsjunkie.com/blog/post/understanding-the-joomla-directory-structure)
Scan
Common Directories
/administrator/
/administrator/manifests/files/joomla.xml
/cache/
/components/
/configuration.php
/htaccess.txt
/includes/
/index.php
/joomla.xml
/language/en-GB/en-GB.xml
/libraries/
/LICENSE.txt
/logs/
/media/
/modules/
/plugins/
/README.txt
/templates/
/tmp/
/web.config.txt
Default Credentials
The default username is "admin" and no password.
RCE
Reference: HackTricks
If we have admin credential, we may be able to execute arbitrary code by manipulating the site template.
1. Login as Admin
At first, go to /administrator
page and login with admin credential.
2. Select Template
In dashboard, go to template select menu, and click a template name. We can see the list of pages of the template on left menu.
Here we edit the error.php
so click it on the left menu.
3. Inject Arbitrary Code
In the editor for error.php
, delete the original PHP code and insert arbitrary PHP code such as:
If we want to get the target shell, we can insert the code for reverse shell. Please see the Web Reverse Shell page for details.
After that, click Save & Close .
4. Execute
Now access to the template’s error.php
page as below:
https://example.com/templates/<template_name>/error.php
# or
https://example.com/templates/<template_name>/error.php?cmd=whoami