Joomla!

Scanning and Enumeration

# Get components running on the website
joomscan --url http://10.10.10.150/ --random-agent --enumerate-components

# You can also check the core manifest, which discloses the Joomla! version
/administrator/manifests/files/joomla.xml

# If you find components, you can often read their manifest file, which discloses the component version
# JCE component → /components/com_jce/jce.xml

# Check the discovered components and versions against known vulnerabilities (searchsploit, vendor advisories)

# Joomlavs is also a good scanning tool
https://github.com/rastating/joomlavs
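The manifest checks above, scripted. This is an added example written for this page, not a joomscan or joomlavs feature: it requests the core manifest and the JCE manifest from the target and pulls the <version> element out of each. 10.10.10.150 is the page's example host; the XML used when testing offline is constructed.

```python
"""Version fingerprinting from Joomla! manifest files.

Added example for this page (not joomscan/joomlavs code). Requests the two
manifests named above and extracts their <version> element. Assumptions:
the target is the page's 10.10.10.150 host; the manifests use the standard
Joomla! <extension> (or legacy <install>) root with a <version> child.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Manifests worth requesting: core Joomla! and the JCE component.
MANIFEST_PATHS = {
    "joomla": "/administrator/manifests/files/joomla.xml",
    "jce": "/components/com_jce/jce.xml",
}


def manifest_version(xml_text):
    """Return the <version> text of a Joomla! extension manifest, or None.

    joomla.xml and component manifests such as jce.xml share the same
    layout, so one parser covers both. Anything that is not a manifest
    (a 404 page, a redirect to the front page) yields None.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag not in ("extension", "install"):  # "install" is the 1.5-era root
        return None
    node = root.find("version")
    if node is None or not node.text:
        return None
    return node.text.strip()


def fetch(url, timeout=10):
    """GET a URL and return the body as text, or None on HTTP/network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def fingerprint(base_url):
    """Map each manifest name to its disclosed version (None if unreachable)."""
    results = {}
    for name, path in MANIFEST_PATHS.items():
        body = fetch(base_url.rstrip("/") + path)
        results[name] = manifest_version(body) if body else None
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.150/"
    for name, version in fingerprint(target).items():
        print(f"{name}: {version or 'not found'}")
```

Run it as `python3 joomla_manifest.py http://10.10.10.150/`; a version that comes back for jce.xml confirms the component is installed even when joomscan missed it.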

Reverse Shell

# You must first log in as an administrator
# Then allow PHP uploads in the media settings:
System → Global Configuration → Component → Media → add "php" to the legal extensions and remove it from the ignored extensions
# Upload the PHP file through the Media Manager (Content → Media); by default it lands under /images/

# If that is not enough and the manager still rejects the PHP upload, you can edit templates instead
# For example, the index.php of the "protostar" template (Extensions → Templates → Templates → Protostar)
# Editing index.php changes the page for every visitor; error.php of the same template is only rendered on errors and is less noticeable
→ Use the reverse shell from pentestmonkey
→ http://pentestmonkey.net/tools/web-shells/php-reverse-shell

# On old versions the control panel and features are different, but templates can still be used
# First go into the template parameters and enable preview
# Then one of the templates can be edited in place
# Then a shell can be added (weevely for example)

CVE-2012-1563

# Privilege escalation in Joomla! <= 2.5.2: self-registration creates an account in the Administrator group
# Public exploits exist, but it is easy to do manually
# User registration must be enabled; if account activation is required you also need access to the mailbox

# First, fill in the registration form with 2 different passwords
# Intercept the request and add the parameter &jform[groups][]=7 (jform%5Bgroups%5D%5B%5D=7); 7 is the Administrator group in a default install
# Forward the request → it fails because the passwords differ, but the submitted fields (groups included) are stored in the session
# Now fill in the form again with 2 matching passwords, without intercepting
# The cached groups value is merged into the new submission and the account is created as an administrator!